April 26, 2024

NSA warned that Russian state hackers are compromising multiple VMware systems in attacks that allow the hackers to install malware, gain unauthorized access to sensitive data, and maintain a persistent hold on widely used remote work platforms.

CVE-2020-4006, as the flaw is tracked, is a command-injection flaw, meaning it allows attackers to execute commands of their choice on the operating system running the vulnerable software.

Attackers from a group sponsored by the Russian government are exploiting the vulnerability to gain initial access to vulnerable systems. They then upload a Web shell that gives a persistent interface for running server commands. Using the command interface, the hackers are eventually able to access the active directory, the part of Microsoft Windows server operating systems .

The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data

For attackers to exploit the VMware flaw, they first must gain authenticated password-based access to the management interface of the device. The interface by default runs over Internet port 8443. Passwords must be manually set upon installation of software, a requirement that suggests administrators are either choosing weak passwords or that the passwords are being compromised through other means.

A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,”A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”

The command-injection flaw affects the following five VMware platforms that soon need to be patched

VMware Access 3 20.01 and 20.10 on Linux
VMware vIDM 5 3.3.1, 3.3.2, and 3.3.3 on Linux
VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
VMware Cloud Foundation 4.x
VMware vRealize Suite Lifecycle Manager 7 8.x

That Russian hacking group goes under many names, including Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.

Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

GitLab April 2024 Security Advisory – CVE-2024-2434

April 26, 2024

CISA KEV Update April 2024 – Part II

April 25, 2024

ArcaneDoor Exploits Cisco ASA and FTD

April 25, 2024

Google Fixes Critical Vulnerability in Chrome -CVE-2024-4058

April 24, 2024

Red Ransomware Victimized Targus

April 23, 2024

Oracle Virtual Box Vulnerability PoC Released – CVE-2024-21111

April 22, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading