A VMware vulnerability that allowed access to protected data and abuse of federated authentication was used by the SolarWinds hackers to attack high-value targets, KrebsOnSecurity reported.
According to the NSA, the flaw let Russian hackers impersonate legitimate users on networks they had already breached. Exploiting it requires the attacker to already be on the target's internal network, a precondition that KrebsOnSecurity pointed out would have been met in the SolarWinds hack. VMware, for its part, said it had not heard of any exploitation of the flaw and has released an update that patches it.
VMware has also acknowledged that some of its own networks ran vulnerable versions of the SolarWinds Orion network monitoring platform.
The NSA advisory came less than 24 hours before FireEye disclosed that it had suffered a security breach designed to gain information on some of the company’s government customers.
The only private-sector organizations flagged so far as having been compromised via SolarWinds are FireEye and Microsoft, with Reuters reporting the latter on Thursday. Reuters also alleged that Microsoft's own products were then used by Russian government hackers to further the attacks on other victims.
CISA said it had observed the attackers adding authentication tokens and credentials to highly privileged Microsoft Active Directory domain accounts as a persistence and escalation mechanism. In many instances those tokens grant access to both on-premises and hosted resources.
One of the principal ways the attackers collect victim information is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. With the token-signing key in hand, they can mint SAML assertions for any user, and relying services will accept those assertions as genuine because the signature verifies. Hosted email services, hosted business intelligence applications, travel systems, timecard systems, and file storage services commonly rely on SAML.
Microsoft ADFS can be used to federate identities with VMware Identity Manager. By abusing federated authentication, the hackers can exploit the trust established across the integrated components.
Adversaries target products like VMware Identity Manager to gain access to cloud services such as Microsoft Office 365. Once access is gained, they can monitor or exfiltrate email and documents stored in Office 365 environments.
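Because a forged assertion signed with the stolen key passes signature verification, the relying party cannot tell it from a real one; the only place the forgery leaves a gap is the federation server, which never logged issuing it. The following Python script, added here as an illustration and not taken from the article, the NSA advisory or any vendor tool, shows that correlation over constructed sample data: it compares cloud sign-ins that claim federated authentication against the federation server's token-issuance events (AD FS records these as event ID 1200) and flags sign-ins with no matching issuance, an unexpected signing certificate, or an abnormally long assertion lifetime. The record layouts, field names, thumbprint strings and user names are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): what the federation server
# logs each time it mints a token. AD FS records this as event ID 1200.
ADFS_TOKEN_EVENTS = [
    {"time": "2020-12-15T09:00:05Z", "user": "alice@corp.example", "assertion_id": "_id-a1"},
    {"time": "2020-12-15T09:10:42Z", "user": "bob@corp.example",   "assertion_id": "_id-b1"},
]

# Constructed sample data: the cloud side's view of sign-ins. The fields mimic what
# a SAML assertion carries (ID, signing-cert thumbprint, NotBefore/NotOnOrAfter)
# joined with the sign-in time. The first two match real issuance events; the last
# two do not, because the federation server never produced them.
CLOUD_SIGNINS = [
    {"time": "2020-12-15T09:00:07Z", "user": "alice@corp.example", "assertion_id": "_id-a1",
     "cert_thumbprint": "ADFS-TOKEN-SIGNING-CERT",
     "not_before": "2020-12-15T09:00:05Z", "not_on_or_after": "2020-12-15T10:00:05Z"},
    {"time": "2020-12-15T09:10:44Z", "user": "bob@corp.example", "assertion_id": "_id-b1",
     "cert_thumbprint": "ADFS-TOKEN-SIGNING-CERT",
     "not_before": "2020-12-15T09:10:42Z", "not_on_or_after": "2020-12-15T10:10:42Z"},
    # Forged with the stolen token-signing key: the signature verifies, the
    # thumbprint is the legitimate one, but the lifetime is a week and AD FS has
    # no record of issuing it.
    {"time": "2020-12-15T23:41:00Z", "user": "admin@corp.example", "assertion_id": "_id-x9",
     "cert_thumbprint": "ADFS-TOKEN-SIGNING-CERT",
     "not_before": "2020-12-15T23:40:00Z", "not_on_or_after": "2020-12-22T23:40:00Z"},
    # Signed by a certificate that is not the registered token-signing certificate.
    {"time": "2020-12-16T02:15:00Z", "user": "bob@corp.example", "assertion_id": "_id-y2",
     "cert_thumbprint": "ROGUE-CERT",
     "not_before": "2020-12-16T02:14:30Z", "not_on_or_after": "2020-12-16T03:14:30Z"},
]

EXPECTED_THUMBPRINT = "ADFS-TOKEN-SIGNING-CERT"   # assumed registered signing cert
MAX_LIFETIME = timedelta(hours=1)                 # assumed issuance policy
ISSUANCE_WINDOW = timedelta(minutes=5)            # max gap between issuance and use


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_signins(signins, adfs_events,
                            expected_thumbprint=EXPECTED_THUMBPRINT,
                            max_lifetime=MAX_LIFETIME,
                            window=ISSUANCE_WINDOW):
    """Return [(assertion_id, user, [reasons])] for sign-ins that do not line up
    with a legitimate federation-server issuance."""
    issued = {e["assertion_id"]: e for e in adfs_events}
    findings = []
    for s in signins:
        reasons = []
        ev = issued.get(s["assertion_id"])
        # A genuine assertion is logged by AD FS for the same user shortly before use.
        if (ev is None or ev["user"] != s["user"]
                or not (timedelta(0) <= parse_ts(s["time"]) - parse_ts(ev["time"]) <= window)):
            reasons.append("no matching federation-server issuance event")
        if s["cert_thumbprint"] != expected_thumbprint:
            reasons.append("signed by unexpected certificate")
        lifetime = parse_ts(s["not_on_or_after"]) - parse_ts(s["not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"assertion lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append((s["assertion_id"], s["user"], reasons))
    return findings


if __name__ == "__main__":
    for assertion_id, user, reasons in find_suspicious_signins(CLOUD_SIGNINS, ADFS_TOKEN_EVENTS):
        print(f"{assertion_id} ({user}): " + "; ".join(reasons))
```

The assertion-ID join is the heart of the check: a minted assertion carries whatever ID the attacker chose, so it can never match an issuance record, however valid its signature. In a real deployment the two sides of the join come from different systems (the cloud provider's sign-in log and the federation server's event log), and the certificate check requires the cloud side to record which certificate actually validated the assertion.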
The scope of this incident keeps growing with each day of investigation, and it is unlikely to end here.