NSA: Russian hackers are targeting a VMware vulnerability to steal data

The bug could allow attackers to forge SAML credentials to access protected data

State-sponsored hackers from Russia are actively exploiting a software bug in multiple VMware enterprise products in efforts to access protected data, the US National Security Agency has warned.

The Agency said that hackers looking to exploit this specific vulnerability (CVE-2020-4006) would first need access to the management interface of the device. They could then eventually "forge security assertion markup language (SAML) credentials to send seemingly authentic requests to gain access to protected data."

The NSA urged administrators of national security and defence systems to immediately patch their networks against the bug, and to take other appropriate steps to mitigate the risk of attack.

"[The] NSA strongly recommends that NSS, DoD, and DIB system administrators apply the vendor-issued patch as soon as possible," the advisory reads.

"If a compromise is suspected, check server logs and authentication server configurations as well as applying the product update. In the event that an immediate patch is not possible, system administrators should apply mitigations detailed in the advisory to help reduce risk of exploitation/compromise/attack."

CVE-2020-4006 was publicly disclosed in November, after the NSA identified it and reported it to VMware. The company warned that criminals could exploit the flaw to take control of vulnerable systems. The bug affects VMware Workspace ONE Access, VMware Workspace ONE Access Connector, VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), vRealize Suite Lifecycle Manager, and VMware Cloud Foundation.

At the time, VMware published workaround instructions to help admins mitigate the flaw on vulnerable machines.

CVE-2020-4006 is a command-line injection bug in the administrative configurator of the affected VMware products. Attackers could use it to escalate privileges and run malicious commands on the host Windows and Linux operating systems. However, VMware found that a malicious actor would need valid credentials for the configurator admin account to exploit the flaw successfully.

VMware originally gave the bug a CVSSv3 severity score of 9.1 out of 10 and a severity rating of "critical". However, it revised the score to 7.2 and the severity rating to "important" after discovering the need for valid credentials.

The company released a security update to address the bug last week.

This is not the first time - even this year - that a US federal agency has issued an alert to warn organisations of foreign state-sponsored hacking attempts.

In August, the NSA and the Federal Bureau of Investigation (FBI) released a joint advisory warning organisations that Russian threat actors were using the Drovorub malware to spy on Linux systems.

The agencies stated that hackers designed Drovorub to target Linux systems. It is allegedly part of cyber espionage operations being carried out by Russia's GRU.

In May this year, the NSA warned American organisations of a Russian hacking campaign that was attempting to exploit a bug in common email software to target private firms and organisations.