NSA claims Russian hackers attack VMware platforms

During 2020, due to the coronavirus pandemic, a huge number of office workers were forced to work remotely. Predictably, this has drawn the attention of hackers. The US National Security Agency (NSA) said that groups of Russian state-backed hackers are actively attacking various platforms for remote work, using a recently discovered VMware vulnerability.







The vendor itself recently released a security bulletin describing the steps needed to eliminate the vulnerability. At the same time, the Cybersecurity and Infrastructure Protection Agency (CISA) urged network administrators to patch the vulnerability immediately. "A hacker could use the vulnerability to take control of the system," the notice says. The NSA separately asks administrators of National Security Systems, the Department of Defense and the country's entire military-industrial complex to remove the vulnerability wherever possible without delay.



Not everyone is worried



Not everyone shares the NSA's concern. For example, Ben Read, senior cyber espionage analyst at the information security company FireEye, says that in this situation it is important to analyze not only the message itself but also who it comes from. “This remote code execution vulnerability is something every company tries to avoid. But sometimes it happens. The NSA pays so much attention to it because the vulnerability was exploited by people from Russia and, presumably, against targets important to the NSA,” he said.



All of the affected VMware products are cloud infrastructure and credential (identity) management solutions: for example, VMware Cloud Foundation, VMware Workspace ONE Access and its predecessor VMware Identity Manager. The company said in a statement that "after the problem was reported, it assessed the vulnerability and published updates and patches to close it." It also notes that the issue is rated “important”, one level below “critical”, because an attacker must already have access to the password-protected web management interface before the vulnerability can be exploited. Once an attacker has that access, they can exploit the vulnerability to manipulate SAML authentication assertions and thus move deeper into the organization's network to reach sensitive information.



In its advisory, the NSA says that a strong password reduces the risk of attack. Fortunately, the affected VMware products are designed so that administrators do not use easily guessed default passwords. FireEye's Ben Read notes that although exploiting this bug requires knowing the password first, that is not an insurmountable obstacle, especially for Russian hackers with extensive experience in compromising accounts by many methods, for example password spraying.



He also noted that over the past few years the number of public reports of zero-day vulnerabilities used by Russian hackers has decreased; they usually prefer to use well-known bugs.



NSA recommendations



When many employees work remotely, it can be difficult to use traditional network monitoring tools to identify potentially suspicious behavior. Moreover, the NSA says that vulnerabilities such as this VMware bug pose a particular challenge because the malicious activity takes place over encrypted web connections that are indistinguishable from normal employee authentication. The NSA recommends that administrators review the server logs for “exit” statements that may indicate suspicious activity.



“Monitor your authentication logs regularly for abnormal logins, especially successful ones. Pay attention to those that use established trusts but come from unusual addresses or contain unusual properties,” the agency said in a statement.
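The two defensive points in this article, the password-spraying risk mentioned earlier and the NSA's advice to review authentication logs for successful logins from unusual addresses or with unusual properties, can be turned into a small log-review script. The following is an added example, not code from the article, the NSA or VMware; the log line format, the field names, the sample lines, the trusted address ranges and the expected user-agent prefixes are all constructed assumptions for the demonstration.

```python
"""Toy authentication-log review along the lines of the NSA guidance quoted above:
flag successful logins that come from unusual addresses or carry unusual
properties, and flag password-spraying patterns (one source, many accounts).
The log format, field names and sample lines below are constructed."""
import re
from collections import defaultdict

# Constructed format (assumption): "<ts> user=<u> src=<ip> result=<ok|fail> ua=\"<agent>\""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) '
    r'result=(?P<result>ok|fail) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample log: normal browser logins from the office range, then one
# source trying many accounts with a scripted client and finally succeeding.
SAMPLE_LOG = """\
2020-12-07T08:01:10Z user=alice src=10.0.5.21 result=ok ua="Mozilla/5.0 (Windows NT 10.0)"
2020-12-07T08:02:44Z user=bob src=10.0.5.22 result=ok ua="Mozilla/5.0 (Macintosh)"
2020-12-07T08:03:01Z user=alice src=203.0.113.44 result=fail ua="python-requests/2.25"
2020-12-07T08:03:02Z user=bob src=203.0.113.44 result=fail ua="python-requests/2.25"
2020-12-07T08:03:03Z user=carol src=203.0.113.44 result=fail ua="python-requests/2.25"
2020-12-07T08:03:04Z user=dave src=203.0.113.44 result=fail ua="python-requests/2.25"
2020-12-07T08:03:05Z user=erin src=203.0.113.44 result=fail ua="python-requests/2.25"
2020-12-07T08:03:06Z user=frank src=203.0.113.44 result=ok ua="python-requests/2.25"
2020-12-07T08:10:00Z user=carol src=10.0.5.23 result=ok ua="Mozilla/5.0 (Windows NT 10.0)"
"""

# Assumptions: the organization's own address range and the browser user agents
# normally seen on the management/login page. Tune these to the real environment.
TRUSTED_PREFIXES = ("10.0.",)
EXPECTED_UA_PREFIXES = ("Mozilla/",)


def parse(log_text):
    """Parse the constructed log format into a list of dicts; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def unusual_successful_logins(events):
    """Successful logins from outside the trusted ranges or with a non-browser agent.

    Returns a list of (user, source, reasons) tuples for an analyst to review."""
    findings = []
    for e in events:
        if e["result"] != "ok":
            continue
        reasons = []
        if not e["src"].startswith(TRUSTED_PREFIXES):
            reasons.append("untrusted source")
        if not e["ua"].startswith(EXPECTED_UA_PREFIXES):
            reasons.append("unusual user agent")
        if reasons:
            findings.append((e["user"], e["src"], reasons))
    return findings


def password_spray_sources(events, min_users=5):
    """Sources whose failed logins touched at least min_users distinct accounts.

    A spray tries one or two passwords across many accounts, so the signal is
    breadth of usernames per source rather than depth of attempts per user."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            failed_users[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failed_users.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for user, src, reasons in unusual_successful_logins(ev):
        print(f"REVIEW successful login for {user} from {src}: {', '.join(reasons)}")
    for src, users in password_spray_sources(ev).items():
        print(f"SPRAY {src} failed against {len(users)} accounts: {users}")
```

Run against the sample log, the script reports the one successful login that came from an untrusted address with a scripted user agent, and the same source as a password-spraying candidate because its failures span five different accounts. The successful login that follows a spray from the same source is exactly the "abnormal, especially successful" case the NSA statement asks administrators to look at.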


The NSA did not elaborate on its observations of the vulnerability's exploitation by pro-Russian hackers. However, according to US media reports, hackers from Russia actively attacked US IT infrastructure during 2020, in particular targeting government, energy and other critical organizations. They are also reported to have been active during the presidential election.





