NSA Warns That Russian Hackers Are Targeting Virtual Workspaces

State-sponsored hackers from Russia were able to access protected data by exploiting a vulnerability in remote workspace platforms, according to the National Security Agency.

The NSA is not disclosing the victim entity or the nature of the data accessed. 

“Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication,”  reads an advisory NSA issued Monday. “NSA encourages National Security System, Department of Defense, and Defense Industrial Base network administrators to prioritize mitigation of the vulnerability on affected servers.”

VMware issued an updated patch Dec. 3 for the vulnerability, which affects six of its products and is ranked “important” in severity.  

According to the NSA, the vulnerability allowed attackers to make a command injection that led to the installation of a web shell and the generation of authentication assertions that were sent to Microsoft’s Active Directory Federation Services. Microsoft’s ADFS then granted access to the protected data.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” reads the NSA advisory. “Otherwise, [Secure Assertion Markup Language] assertions could be forged, granting access to numerous resources. If integrating authentication servers with ADFS, NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication.” 

The NSA noted that a password is necessary to access the web-based management interface of a device and thereby exploit the vulnerability and encouraged administrators to ensure those are strong and unique to lower the associated risks. 

The VMware advisory pointed to a description in the MITRE ATT&CK database of known ways attackers go about finding the necessary passwords.

“A variety of methods exist for compromising accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps),” according to MITRE.

The NSA warned that typical methods used for detecting intrusions connected to the vulnerability would not work because the activity happens within an encrypted transport security layer tunnel. But the agency said administrators can see indications of compromise in server logs—“an ‘exit’ statement followed by any 3-digit number, such as ‘exit 123,’” for example—and should follow incident reporting protocol if they do.