Security News > 2020 > December > NSA: Russian state hackers exploit new VMware vulnerability to steal data
The National Security Agency warns that Russian state-sponsored threat actors are exploiting a recently patched VMware vulnerability to steal sensitive information after deploying web shells on vulnerable servers.
VMware released security updates to address the security bug on December 3rd after publicly disclosing the vulnerability two weeks ago and providing a temporary workaround that fully removes the attack vector and prevents exploitation.
In attacks exploiting CVE-2020-4006, the NSA observed the threat actors connecting to the exposed web-based management interface of devices running vulnerable VMware products and infiltrating organizations' networks to install web shells using command injection.
After deploying the web shells, the attackers steal sensitive data using SAML credentials to gain access to Microsoft Active Directory Federation Services servers.
The NSA did not name the Russian-backed APT group exploiting the VMware command injection vulnerability in ongoing attacks.
News URL
Related news
- Russian hackers use RDP proxies to steal data in MiTM attacks (source)
- Hackers Exploit Aviatrix Controller Vulnerability to Deploy Backdoors and Crypto Miners (source)
- Hackers exploit ProjectSend flaw to backdoor exposed servers (source)
- Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities (source)
- Hackers Target Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-23 | CVE-2020-4006 | OS Command Injection vulnerability in VMWare products VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability. | 9.1 |