Date: 2020-12-08

NSA: Patch VMware Bug Now to Stop Russian Hackers

The National Security Agency (NSA) has issued an alert warning that Russian state hackers are exploiting a VMware vulnerability to access sensitive data and maintain persistence in targeted systems.

The NSA urged network administrators at the US National Security System (NSS), Department of Defense (DoD) and Defense Industrial Base (DIB) to patch the bug as a priority.

VMware fixed CVE-2020-4006 on December 3. It is a command injection vulnerability in the VMware Access and VMware Identity Manager products.

“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data,” the NSA explained in its advisory.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.”

The NSA recommended that any admins integrating authentication servers with ADFS follow Microsoft best practices such as MFA.

It said that password-based access to the web-based user interface of the device is required to exploit the bug, so using a strong and unique password would help to mitigate the risk, as would disconnecting the interface from the internet.

Daniel Trauner, director of security at Axonius, likened the vulnerability to a recently exploited one in MobileIron MDM, as it enables compromise across a potentially large number of organizations.

“Bugs that affect central infrastructure like this, even slightly lower severity bugs that require prerequisites for authentication, are attractive and useful to adversaries because these systems are the central aggregation point for a significant portion of infrastructure. This makes pivoting easy,” he said.

“In addition to prioritizing patching and updating assets with known critical vulnerabilities, organizations need to make sure they are gathering detailed information about their assets — particularly those central to core infrastructure — and continually validate every asset’s adherence to their overall security policy.”
