Russian State-Sponsored Hackers Exploit VMware Virtual Workspaces Vulnerability

The U.S. National Security Agency (NSA) issued a cybersecurity advisory concerning Russian state-sponsored hacking groups targeting a vulnerability in VMware virtual workspace products that are used for remote work.

The vulnerability, CVE-2020-4006, affects a number of versions of VMware Workspace One Access, Identity Manager Connector, Access Connector, and Identity Manager. It allows attackers to gain access to affected systems and the protected data they hold.

This command-injection vulnerability lies in the administrative configurator component of the affected products. An attacker with valid credentials and network access to the administrative configurator on port 8443 can exploit it. Once exploitation succeeds, the attacker can execute commands on the underlying operating system and obtain sensitive data.

VMware released a patch to resolve the issue on December 3, 2020. It also provided details to help network defenders locate compromised systems and gave steps to neutralize threat actors who are taking advantage of the problem.

VMware system administrators may not have prioritized the vulnerability because it has a CVSS v3 base score of only 7.2 out of 10. The relatively low score is mainly due to the need for an attacker to already possess a working password before the vulnerability can be exploited, and that account must exist within the affected product. Nevertheless, the NSA noted that Russian threat actors are currently using compromised credentials to exploit the vulnerability.

In attacks observed by the NSA, the attackers exploited this command-injection vulnerability, installed a web shell, then generated forged SAML authentication assertions and sent them to Microsoft Active Directory Federation Services (ADFS) to gain access to protected data.

The fastest way to protect against exploitation is to apply the VMware patch without delay. If the patch cannot be applied, it is crucial to use strong, unique passwords to defend against brute-force attacks. The NSA also said that administrators must ensure the web-based management interface is not accessible from the internet.

Once the vulnerability has been exploited, strong passwords can no longer protect the system. Proper server configuration is critical on systems that perform authentication, so that every service relying on them remains trustworthy. Otherwise, it is possible to forge SAML assertions and thereby gain access to many resources. When connecting authentication servers to ADFS, follow Microsoft's guidance, in particular on safeguarding SAML assertions, and use multi-factor authentication wherever possible.

The NSA has described how to reduce the risk of exploitation until the patch can be applied: evaluate and strengthen access controls, and monitor federated authentication providers.

Unfortunately, exploitation of this vulnerability is difficult to detect. According to the NSA, network-based monitoring is not very effective at detecting exploitation, since the activity occurs exclusively inside an encrypted Transport Layer Security (TLS) tunnel to the web interface. However, the attack can be identified from the server log at /opt/vmware/horizon/workspace/logs/configurator.log. If configurator.log contains an exit statement followed by a three-digit number, the system has already been exploited.
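As an added illustration of the log check described above (not code from the NSA or VMware), this Python script flags configurator.log lines containing an exit statement followed by a three-digit number. The sample log lines and their format are constructed; the default path is the one given above.

```python
import re
from typing import List

# Matches an "exit" statement followed by a three-digit number, the indicator the
# advisory describes. Case-insensitive; the surrounding line format is an
# assumption, so the pattern keys only on the "exit NNN" token itself.
EXIT_INDICATOR = re.compile(r"\bexit\s+(\d{3})\b", re.IGNORECASE)

# Default location of the log on the appliance, as named in the advisory.
DEFAULT_LOG_PATH = "/opt/vmware/horizon/workspace/logs/configurator.log"

# Constructed sample lines standing in for configurator.log; not real appliance output.
SAMPLE_LOG = """\
2020-12-01 10:14:02,118 INFO  [ConfiguratorController] admin login from 10.0.0.5
2020-12-01 10:14:30,401 INFO  [ConfiguratorController] configuration saved
2020-12-01 10:15:07,922 ERROR [ProcessRunner] command failed: exit 127
2020-12-01 10:15:08,004 INFO  [ProcessRunner] exit 0
2020-12-01 10:15:09,777 WARN  [ProcessRunner] Exit 255 while running helper
"""


def find_exit_indicators(log_text: str) -> List[dict]:
    """Return every line containing an 'exit <3-digit>' statement, with its line number."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = EXIT_INDICATOR.search(line)
        if match:
            hits.append({"line": lineno, "code": int(match.group(1)), "text": line})
    return hits


def scan_file(path: str = DEFAULT_LOG_PATH) -> List[dict]:
    """Scan a configurator.log on disk; 'errors=replace' tolerates non-UTF-8 bytes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_exit_indicators(fh.read())


if __name__ == "__main__":
    # Run against the constructed sample; swap in scan_file() for a real appliance log.
    for hit in find_exit_indicators(SAMPLE_LOG):
        print(f"line {hit['line']}: exit {hit['code']} -> review for exploitation: {hit['text']}")
```

Only lines 3 and 5 of the sample are flagged; the plain "exit 0" on line 4 has a single-digit code and is ignored.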

VMware advises all product users to consult its security advisory VMSA-2020-0027 for further guidance.