That picture was the profile banner of one of the accounts allegedly held by the Internet Research Agency, the organization that ran social media influence campaigns in Russia, Germany, Ukraine, and the United States in 2009.
A Russian troll
The National Security Agency says that Russian state hackers are compromising multiple VMware systems in attacks that let them install malware, gain unauthorized access to sensitive data, and maintain persistence on widely used remote-work platforms.
The ongoing attacks exploit a security flaw that remained unpatched until last Thursday, the agency reported on Monday. CVE-2020-4006, as the bug is tracked, is a command-injection flaw, meaning attackers can execute commands of their choosing on the operating system that runs the vulnerable software. Vulnerabilities of this class arise when code fails to validate untrusted input, such as HTTP headers or cookies, before handing it to a system shell. VMware patched CVE-2020-4006 after being tipped off by the NSA.
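The pattern behind a command-injection flaw, as an added illustration that is not VMware's code and not the CVE-2020-4006 bug itself: a hypothetical Linux admin handler runs an OS command built from a value taken straight from the request, shown next to the same handler hardened with an allow-list and an argument vector. The handler, the `logname` parameter, the `echo` stand-in for the real privileged command and the payload are all constructed for the example.

```python
import re
import subprocess

# Constructed stand-in: a hypothetical Linux admin handler that runs an OS command
# using a value taken straight from the HTTP request (parameter, header or cookie).
# "echo" replaces the real privileged command so the demo is harmless.

def run_vulnerable(logname: str) -> str:
    """Vulnerable pattern: request data is spliced into a shell command line.

    Shell metacharacters in `logname` (; | && $( ) and backticks) end the intended
    command and start a new one, which runs with the service account's privileges.
    """
    cmd = f"echo viewing {logname}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(logname: str) -> str:
    """Same command without a shell: the value is one argv element and is never parsed."""
    return subprocess.run(["echo", "viewing", logname],
                          capture_output=True, text=True).stdout


# Allow-list for the expected input shape; anything else is rejected before any exec.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def run_hardened(logname: str) -> str:
    """Hardened: validate against the allow-list, then exec with an argv and no shell."""
    if not SAFE_NAME.fullmatch(logname) or ".." in logname:
        raise ValueError(f"rejected log name: {logname!r}")
    return run_argv_only(logname)


# Constructed injection payload, e.g. the value of a crafted header or cookie.
PAYLOAD = "app.log; echo INJECTED"


def second_command_ran(output: str) -> bool:
    """True when the injected `echo INJECTED` executed as a command of its own."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(PAYLOAD)))  # two commands ran
    print("argv only :", repr(run_argv_only(PAYLOAD)))   # payload echoed literally
    try:
        run_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened  :", exc)
```

Both layers matter: the argv form alone stops the shell from interpreting the payload, and the allow-list stops unexpected values from reaching the command at all, which also covers arguments the command itself might interpret.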
A hacker's holy grail
Attackers belonging to a group sponsored by the Russian government exploited the vulnerability to gain initial access to vulnerable systems. They then uploaded a web shell that gave them a persistent interface for executing commands on the server. Finally, through that command interface, the hackers reached Active Directory, the component of Microsoft Windows Server that attackers regard as a holy grail because it lets them create accounts, change passwords, and perform other highly privileged tasks.
“The command injection exploitation resulted in the installation of a web shell and subsequent malicious activity that generated credentials in the form of SAML authentication assertions and sent them to Microsoft Active Directory Federation Services, which in turn gave actors access to protected data,” NSA officials wrote in Monday's Cybersecurity Advisory.
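One way a defender can look for assertions minted the way the advisory describes, as an added example that is neither the NSA's nor VMware's detection logic: an assertion that a compromised identity provider forged is correctly signed, so signature checks pass; what it lacks is a matching interactive login on the IdP. The check below correlates the relying party's accepted assertions with the IdP's authentication log and flags assertions with no preceding login by the same user, a foreign issuer, or an unusually long validity. The two log formats, the issuer URL, the 60-second skew window and the 10-minute validity policy are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed, simplified records standing in for two log sources (not real
# Workspace ONE Access or AD FS log formats):
#   IDP_LOGINS    - interactive authentications the identity provider actually performed
#   RP_ASSERTIONS - SAML assertions the relying party (here AD FS) accepted from that IdP
IDP_LOGINS = [
    {"user": "alice", "time": "2020-12-07T09:00:05Z", "src": "10.1.2.3"},
    {"user": "bob",   "time": "2020-12-07T09:02:10Z", "src": "10.1.2.4"},
]

EXPECTED_ISSUER = "https://idp.example.com/saml"   # assumed IdP entity ID

RP_ASSERTIONS = [
    {"id": "_a1", "user": "alice", "issued": "2020-12-07T09:00:06Z",
     "issuer": EXPECTED_ISSUER, "valid_for_s": 300},
    {"id": "_a2", "user": "bob", "issued": "2020-12-07T09:02:11Z",
     "issuer": EXPECTED_ISSUER, "valid_for_s": 300},
    # Minted from a compromised IdP host: validly signed, but the IdP never
    # authenticated anyone for it.
    {"id": "_a3", "user": "svc-backup", "issued": "2020-12-07T23:41:00Z",
     "issuer": EXPECTED_ISSUER, "valid_for_s": 300},
    # Same trick under a real user's name, with an unusually long validity window.
    {"id": "_a4", "user": "alice", "issued": "2020-12-07T23:42:30Z",
     "issuer": EXPECTED_ISSUER, "valid_for_s": 86400},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious(assertions, logins, window=timedelta(seconds=60),
                    max_validity=timedelta(minutes=10)):
    """Return {assertion_id: [reasons]} for assertions that do not fit an IdP login.

    An assertion is expected to follow an interactive login by the same user within
    `window` (allowing for clock skew). One with no such login, a foreign issuer, or a
    validity longer than the IdP is configured to issue is flagged for review.
    """
    logins_by_user = {}
    for login in logins:
        logins_by_user.setdefault(login["user"], []).append(parse_ts(login["time"]))

    findings = {}
    for a in assertions:
        reasons = []
        issued = parse_ts(a["issued"])
        if a["issuer"] != EXPECTED_ISSUER:
            reasons.append("unexpected issuer")
        if not any(timedelta(0) <= issued - t <= window
                   for t in logins_by_user.get(a["user"], [])):
            reasons.append("no IdP login for this user before issue")
        if timedelta(seconds=a["valid_for_s"]) > max_validity:
            reasons.append("validity exceeds IdP policy")
        if reasons:
            findings[a["id"]] = reasons
    return findings


if __name__ == "__main__":
    for aid, why in find_suspicious(RP_ASSERTIONS, IDP_LOGINS).items():
        print(aid, "->", "; ".join(why))
```

The correlation only works if the IdP's login log is trustworthy: an attacker with a web shell on the identity server can edit logs stored there, so run the comparison against copies shipped off the box to a SIEM, and treat the absence of IdP logs for a period as a finding in itself.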
To exploit the VMware bug, attackers must first have authenticated, password-based access to the product's administrative configurator. By default, that interface listens on port 8443. Its password is set manually when the software is deployed, so successful exploitation suggests that administrators are choosing weak passwords or that the passwords have been compromised by other means. The password requirement lowers the risk but does not remove it: administrators should confirm that port 8443 is reachable only from trusted management networks and that the configurator password is not shared with any other account.
“A malicious actor with network access to the administrator configurator on port 8443 and a valid password for the administrator account of the configurator can execute commands with unrestricted permissions on the underlying operating system,” said an advisory published by VMware on Thursday. “This account is internal to the affected products and a password is set at deployment time. A malicious actor must have this password in order to exploit CVE-2020-4006.”
The active attacks come as large numbers of organizations have adopted work-from-home arrangements in response to the COVID-19 pandemic. With many employees remotely accessing sensitive information stored on corporate and government networks, VMware software plays an important role in the safeguards designed to keep those connections secure.
The command-injection flaw affects the following five VMware products:
- VMware Workspace ONE Access 20.01 and 20.10 on Linux
- VMware Identity Manager (vIDM) 3.3.1, 3.3.2 and 3.3.3 on Linux
- VMware Identity Manager Connector 3.3.1, 3.3.2, 3.3.3 and 19.03
- VMware Cloud Foundation 4.x
- VMware vRealize Suite Lifecycle Manager 8.x
Anyone running any of these products should apply the VMware patch as soon as possible. Administrators should also review the password that protects the configurator account and make sure it is strong and not reused elsewhere. Both the NSA and VMware have published additional guidance on securing affected systems.
Monday's NSA advisory identified the group behind the attacks only as "Russian state-sponsored malicious cyber actors." In October, the FBI and the Cybersecurity and Infrastructure Security Agency warned that Russian state hackers were targeting the critical Windows vulnerability known as Zerologon (CVE-2020-1472). That group goes by many names, including Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.