Security News > 2020 > December > Kremlin hackers are right now exploiting security hole in VMware software to hijack systems, NSA warns

The NSA reckons Russian government hackers are actively abusing a critical security hole in VMWare's software to infiltrate victims' networks.

"Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication," a cybersecurity notice [PDF] published on Monday warns.

Specifically, the Kremlin's crews are apparently targeting CVE-2020-4006, aka VMSA-2020-0027, which VMWare described as a "Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address command injection vulnerability."

Essentially, if a miscreant knows a certain admin account password - such as by spear-phishing an IT staffer to get it - or guesses it through brute-force, and they can reach a vulnerable deployment over internet or network, they can run commands on the host system, hijack it, lift data from it, use it to access other computers, and so on.

The NSA warns that sysadmins may not be able to detect exploitation of the flaw by watching network traffic because "The activity occurs exclusively inside an encrypted transport layer security tunnel associated with the web interface." Server logs will likely pick something up, however.

News URL

https://go.theregister.com/feed/www.theregister.com/2020/12/07/nsa_vmware_russia/