Throughout 2020, an unprecedented proportion of the world’s office workers have been forced to work from home due to the Covid-19 pandemic. This dispersion has created countless opportunities for hackers, who take full advantage of it. In a notice released today, the National Security Agency said Russian state-sponsored groups are actively exploiting a vulnerability in several enterprise remote work platforms developed by VMware. The company issued a security bulletin Thursday detailing fixes and workarounds to mitigate the flaw, which Russian government actors used to gain privileged access to targets’ data.
Institutions have struggled to adapt to remote working, providing employees with secure remote access to corporate systems. But the change carries different risks and has created new exposures compared to traditional office networks. Vulnerabilities in tools such as VPNs are particularly popular targets because they can give attackers access to internal company networks. A cluster of vulnerabilities affecting Pulse Secure VPN, for example, was patched in April 2019, but U.S. intelligence and defense agencies, including the Cybersecurity and Infrastructure Security Agency, issued warnings in October 2019, and again in January and April, that hackers were still attacking organizations – including government agencies – that had not applied the patch.
On Thursday, CISA released a brief notice encouraging administrators to fix the VMware vulnerability. “An attacker could exploit this vulnerability to take control of an affected system,” the agency said.
In addition to warning the general public of the VMware bug, the NSA has repeatedly stressed that it “encourages National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to prioritize mitigation of the vulnerability on affected servers.”
“It’s one of those things where the messenger is outstanding as well as the message,” says Ben Read, senior director of cyber espionage analysis at threat intelligence firm FireEye. “It’s a remote code execution vulnerability, it’s something that people really want to fix, but these things happen. So the fact that the NSA wants to make it a big deal is probably based on the fact that it was used by the Russians in the wild and presumably against a target that the NSA worries about.”
The affected VMware products all relate to cloud infrastructure and identity management, including VMware Workspace One Access, its predecessor VMware Identity Manager, and VMware Cloud Foundation. VMware did not immediately return a request for comment from WIRED, but the company noted in its bulletin that it rates the severity of the flaw as “Important”, a step below “Critical”, because attackers must first have access to a password-protected web management interface before the vulnerability can be exploited. The NSA emphasizes that securing this interface with a strong and unique password, or configuring it so that it cannot be reached from the public Internet, are the two steps that can reduce the risk of an attack. Fortunately, VMware did not design the affected systems with the option to use default passwords that would be very easy for attackers to guess.
Once an attacker has access, they can exploit the vulnerability to manipulate authentication requests called “SAML assertions” (from Security Assertion Markup Language, an open standard) to burrow deeper into an organization’s network. And they can use this position to access other servers holding potentially sensitive information.
FireEye’s Read notes that while the bug requires a legitimate password before it can be exploited, this is not an insurmountable obstacle, especially for Russian hackers, who have a known track record with credential theft techniques like password spraying. “I guess the NSA is writing something because they saw it work even though it isn’t in theory the worst vulnerability ever,” he says.
When so many employees are working remotely, it can be difficult to use traditional network monitoring tools to flag potentially suspicious behavior. But the NSA also points out that vulnerabilities such as the VMware bug present a unique challenge, because the malicious activity all occurs inside encrypted connections to the web interface that are indistinguishable from legitimate connections. The NSA instead recommends that organizations comb their server logs for so-called “exit” statements that may indicate suspicious activity.