Throughout 2020, an unprecedented portion of the world’s office workers have been forced to work from home as a result of the Covid-19 pandemic. That dispersal has created countless opportunities for hackers, who are taking full advantage. In an advisory today, the National Security Agency said that Russian state-sponsored groups have been actively attacking a vulnerability in multiple enterprise remote work platforms developed by VMware. The company issued a security bulletin on Thursday that details patches and workarounds to mitigate the flaw, which Russian government actors have used to gain privileged access to target data.
Institutions have scrambled to adapt to remote work, offering employees secure remote access to enterprise systems. But the change comes with different risks and has created new exposures versus traditional office networks. Flaws in tools like VPNs have been especially popular targets, since they can give attackers access to internal corporate networks. A group of vulnerabilities affecting the VPN Pulse Secure, for example, were patched in April 2019, but United States intelligence and defense agencies like the Cybersecurity and Infrastructure Security Agency issued warnings in October 2019, and again in January, and April, that hackers were still attacking organizations—including government agencies— that had not applied the patch.
On Thursday, CISA issued a brief advisory encouraging administrators to patch the VMware vulnerability. “An attacker could exploit this vulnerability to take control of an affected system,” the agency said.
In addition to warning the general public about the VMware bug, the NSA emphasized repeatedly that it “encourages National Security System (NSS), Department of Defense (DOD), and Defense Industrial Base (DIB) network administrators to prioritize mitigation of the vulnerability on affected servers.”
“It’s one of those things where the messenger is notable as well as the message,” says Ben Read, senior manager of cyberespionage analysis at the threat intelligence firm FireEye. “It’s a remote code execution vulnerability, it’s something that people definitely want to patch, but these things happen. So the fact that the NSA wanted to make a big deal about it is likely based on the fact that it was being used by Russia’s folks in the wild and presumably against a target that the NSA is worried about.”
The affected VMware products all relate to cloud infrastructure and identity management, including VMware Workspace One Access, its predecessor VMware Identity Manager, and VMware Cloud Foundation. VMware did not immediately return a request for comment from WIRED, but the company noted in its advisory that it rates the flaw’s severity as “Important,” a step below “Critical,” because attackers must have access to a web-based, password-protected management interface before they can exploit the vulnerability. The NSA points out that securing this interface with a strong, unique password, or setting it up so it isn’t accessible from the public internet, are both steps that can reduce the risk of attack. Fortunately, VMware did not design the affected systems with the option to use default passwords that would be trivially easy for attackers to guess.
Once a hacker has access, they can exploit the vulnerability to manipulate authentication requests called “SAML assertions” (from Security Assertion Markup Language, an open standard) as a way of burrowing deeper into an organization’s network. And they can use that position to access other servers that contain potentially sensitive information.
FireEye’s Read notes that while the bug does first require a legitimate password to exploit, that’s not an insurmountable hurdle, particularly Russian hackers who have a known facility with credential theft techniques like password spraying. “I would guess the NSA is writing something because they have seen it work even if it is in theory not the worst vulnerability out there,” he says.
When so many employees are working remotely it can be difficult to use traditional network monitoring tools to flag potentially suspicious behavior. But the NSA also points out vulnerabilities like the VMware bug present a unique challenge regardless, because the malicious activity would all happen in encrypted connections to the web interface that aren’t distinguishable from legitimate logins. The NSA recommends instead that organizations comb their server logs for what are known as “exit” statements that can indicate suspicious activity.