The NSA also recommends administrators ensure the web-based management interface is not accessible over the Internet. If not possible to apply the patch, it is important to ensure that strong, unique passwords are set to protect against brute force attempts to crack passwords. To prevent further exploits, they need to fix this as soon as possible. In attacks observed by the NSA, the hackers exploited the command injection flaw, installed a web shell, followed by malicious activity where SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), granting access to protected data. This is because a valid password must be used to even exploit the flaw but Russian threat actors have already used stolen credentials to access it. This critical flaw could have been overlooked easily by admins as the system only rated the threat with a CVSS V3 based score of 7.2/10 – a low score. VMWare released a patch to correct the vulnerability on Decemand also published information to help network defenders identify networks that have already been compromised, along with steps to eradicate threat actors who have already exploited the flaw. The flaw at hand is a vulnerable command-injection in the administrative configuration component – this can easily be exploited and used to execute commands with no barriers while accessing sensitive and important data. The flaw, tracked as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being exploited to gain access to enterprise networks and protected data on the affected systems. National Security Agency (NSA) has issued a cybersecurity advisory warning Russian state-sponsored hacking groups are targeting a vulnerability in VMWare virtual workspaces used to support remote working.
0 kommentar(er)
