NSA Issued Warning Against Russian State-Sponsored Attackers for Exploiting VMware Access

An advisory warning has been issued by the United States National Security Agency (NSA) on 7th December that Russian malicious actors are posing a big threat to VMware by installing malware on corporate systems and accessing protected data. 

The attack came two weeks after the virtualization software company publicly disclosed vulnerabilities. According to the company malicious actor (s) is accessing —VMware workspace one, Connector, Identity Manager, and Identity Manager Connector products for Windows and Linux. However, the identities of malicious actors and when all of this started have not been disclosed. 

What is VMware? 

VMware is an American Software Company that provides cloud computing and virtualization software and services. VMware was one of the commercially successful companies to virtualize the x86 architecture.

Its desktop software runs on Microsoft Windows, Linux, and macOS, while its enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without requiring an additional underlying operating system. 

When The Threat Surfaced? 

It was about in late November when Vmware had addressed the attacking threat and pushed temporary workarounds to dig deeper into the issue. However, the ‘escalation-of-privileges ‘bug resolution had to wait till the 3rd of December 2020 to get resolved. 

The same day witnessed the United States Cybersecurity and Infrastructure Security Agency (CISA) releasing a brief bulletin to encourage administrators to review, apply, and patch as soon as possible.

Meanwhile, as per the National Security Advisor, VMware didn’t clearly disclose that the bug was being actively exploited by the attackers, which led to adversaries leveraging the vulnerability for launching attacks to steal data and exploit shared authentication systems. 

''The misuse via shell injection led to the installation of a web shell and follow up malicious activity where Security Assertion Markup Language (SAML) in the form of authentication assertions generated and sent to Microsoft Active Directory Federation Services, which allow actors access to protected data," the agency said. 

What is SAML? 

Security Assertion Markup Language or SAML an Open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). 

Besides insisting on the organizations to update compromised systems to the latest version, the agency is also moving forward towards securing strong management. 

As of now, the threat hasn’t gone anywhere; the US National Security Advisory has advised the agencies to monitor all the systems, scan server logs for the presence of "exit statements" that indicate possible malicious activity.