NSA: Russian hacker is using VMware vulnerabilities to attack corporate networks

In November 2020, VMware issued a security advisory stating that the US National Security Agency (NSA) had reported a command injection vulnerability (CVE-2020-4006) in the VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system. This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”


The catch is that the account's password is set during system deployment, so an attacker may first need to obtain it by social engineering or other means before the vulnerability can be exploited. The vulnerability itself stems from code that does not filter untrusted user input (such as HTTP headers or cookies) before using it.
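To show the class of flaw the advisory describes, an unfiltered request value reaching a shell command, here is an added illustration (constructed for this article, not VMware's code) that contrasts an unsafe command builder with a hardened one; the header name, the `ping`-style command, and the sample values are all assumptions:

```python
import re
import shlex

# Hypothetical admin-configurator handler: an HTTP header or cookie value
# is turned into an OS command. Only the command line is built here; nothing
# is executed, so the example can be run safely.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # allowlist for a hostname


def build_command_unsafe(host_header: str) -> str:
    """Vulnerable pattern: untrusted text concatenated into a shell string."""
    return "ping -c 1 " + host_header        # run with shell=True in the flaw


def build_command_safe(host_header: str) -> list:
    """Hardened pattern: validate against an allowlist, then pass argv
    directly to the process with no shell involved."""
    if not HOST_RE.fullmatch(host_header):
        raise ValueError("rejected host value: %r" % host_header)
    return ["ping", "-c", "1", host_header]


def shell_tokens(command_line: str) -> list:
    """What a POSIX shell would see: shows that ';' splits off a second
    command in the unsafe builder."""
    return shlex.split(command_line, posix=True)


if __name__ == "__main__":
    # Constructed sample inputs: a benign header and an injected one.
    benign = "idm.example.internal"
    injected = "idm.example.internal; cat /etc/passwd"
    print(shell_tokens(build_command_unsafe(injected)))
    print(build_command_safe(benign))
    try:
        build_command_safe(injected)
    except ValueError as exc:
        print("blocked:", exc)
```

The allowlist plus argv-list approach removes the shell from the path entirely, which is the mitigation for this vulnerability class independent of any single product.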

After the NSA reported the vulnerability, VMware released a patch. Shortly afterwards, on December 7, the NSA issued a new advisory titled “Russian State-Sponsored Malicious Cyber Actors Exploit Known Vulnerability in Virtual Workspaces.”

According to the information gathered, attackers from a Russian state-sponsored group are using this vulnerability to gain initial access to the vulnerable VMware systems. The attackers upload a web shell through the vulnerability, giving them a persistent interface for running commands on the server. From that command interface they can ultimately reach Active Directory, which is central to Microsoft Windows server environments: whoever can access the directory can create accounts, change passwords, and perform other highly privileged tasks.

The command injection vulnerability leads to the installation of the web shell and the malicious activity that follows. In that follow-on activity, the attacker forges credentials in the form of SAML (Security Assertion Markup Language) assertions and presents them to Microsoft Active Directory Federation Services. Because the federation service accepts them, the attacker gains access to protected data and effectively controls the internal network.