NSA warned that Russian state hackers are compromising multiple VMware systems in attacks that allow the hackers to install malware, gain unauthorized access to sensitive data, and maintain a persistent hold on widely used remote work platforms.

CVE-2020-4006, as the flaw is tracked, is a command-injection flaw, meaning it allows attackers to execute commands of their choice on the operating system running the vulnerable software.

Attackers from a group sponsored by the Russian government are exploiting the vulnerability to gain initial access to vulnerable systems. They then upload a Web shell that gives a persistent interface for running server commands. Using the command interface, the hackers are eventually able to access the active directory, the part of Microsoft Windows server operating systems .

The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data

For attackers to exploit the VMware flaw, they first must gain authenticated password-based access to the management interface of the device. The interface by default runs over Internet port 8443. Passwords must be manually set upon installation of software, a requirement that suggests administrators are either choosing weak passwords or that the passwords are being compromised through other means.

A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,”A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”

The command-injection flaw affects the following five VMware platforms that soon need to be patched

VMware Access 3 20.01 and 20.10 on Linux
VMware vIDM 5 3.3.1, 3.3.2, and 3.3.3 on Linux
VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
VMware Cloud Foundation 4.x
VMware vRealize Suite Lifecycle Manager 7 8.x

That Russian hacking group goes under many names, including Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.