10th December 2020 by Cyber.Vision.Admin in Business Security

VMware vulnerability puts even more pressure on organizations relying on remote work

The National Security Agency (NSA) is warning that Russian state-sponsored hackers have been actively attacking a vulnerability in VMware products to steal data.

The ongoing VMware attacks take advantage of the security bug CVE-2020-4006, which is a command-injection flaw that allows attackers to execute commands on any OS running the vulnerable software.

The affected VMware products all relate to cloud infrastructure and identity management. They include VMware Workspace One Access, its predecessor VMware Identity Manager, and VMware Cloud Foundation. VMware issued a security bulletin on Thursday with information on patches and workarounds that can be used to mitigate damage. And it’s not just VMware products that are under attack.

As if the pressure COVID-19 is putting on organizations and employees who have shifted almost entirely to remote work wasn’t enough, a zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps has likely allowed attackers to execute arbitrary code just by sending a simple chat message aimed at compromising a victim’s system. The exploit automatically executes when the message has been seen. No user interaction is required. Once that happens, hackers have access to private chats, files, private keys, and even personal data outside of Teams.

Worse still, the RCE is cross-platform, which means it’s not only affecting MS Teams for Windows (v1.3.00.21759), but also Linux (v1.3.00.16851), macOS (v1.3.00.23764), and the web (teams.microsoft.com). It also has the potential to be made wormable, which means it can easily be passed from one user to other users, threatening an entire channel.

Vulnerability scans are key to keeping your organization protected

With so many employees working remotely, it can be hard to use traditional network monitoring tools to flag potentially suspicious behavior. But the NSA notes that vulnerabilities like the VMware bug present a unique challenge regardless, because the malicious activity happens in encrypted connections to the web interface that aren’t clearly distinguishable from legitimate logins. Finding them is like looking for a needle in a haystack, and time is definitely of the essence.

The NSA recommends that organizations comb their server logs for “exit statements” that can indicate suspicious activity. They also added that it’s important to regularly monitor authentication logs for anomalous authentications, especially successful ones that use established trusts but come from unusual addresses or include unusual properties.
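The log review described above can be sketched as follows. This is an added example, not code from the NSA or VMware; the log layout, the `exit <number>` pattern, the expected network range and the trust labels are all assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample lines. The key=value layout is an assumption made for
# this example; it is not the log format of any VMware product.
SAMPLE_LOG = """\
2020-12-01T08:02:11Z auth result=success user=svc-federation trust=saml src=10.20.4.17
2020-12-01T08:05:43Z auth result=success user=alice trust=password src=10.20.7.52
2020-12-03T02:14:37Z config msg="command completed, exit 123"
2020-12-03T02:15:02Z auth result=failure user=alice trust=password src=198.51.100.23
2020-12-03T02:16:40Z auth result=success user=svc-federation trust=saml src=203.0.113.77
2020-12-03T07:30:00Z auth result=success user=bob trust=password src=198.51.100.23
2020-12-03T09:12:00Z auth result=success user=alice trust=password src=10.20.7.60
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) "
    r"trust=(?P<trust>\S+) src=(?P<src>\S+)$"
)
EXIT_RE = re.compile(r"\bexit\s+\d+\b")  # assumed shape of an "exit statement"
EXPECTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed corporate range
ESTABLISHED_TRUSTS = {"saml", "oauth"}  # assumed labels for federated logins


def review(log_text):
    """Return (exit_hits, findings); findings are (priority, ts, user, src)."""
    exit_hits, findings = [], []
    for line in log_text.splitlines():
        if EXIT_RE.search(line):
            exit_hits.append(line)
            continue
        m = AUTH_RE.match(line)
        if not m or m["result"] != "success":
            continue  # failures are noise here; the concern is logins that worked
        try:
            src = ipaddress.ip_address(m["src"])
            expected = any(src in net for net in EXPECTED_NETS)
        except ValueError:
            expected = False  # unparseable source address: surface it for review
        if expected:
            continue
        priority = "high" if m["trust"] in ESTABLISHED_TRUSTS else "medium"
        findings.append((priority, m["ts"], m["user"], m["src"]))
    return exit_hits, sorted(findings)  # "high" sorts before "medium"


if __name__ == "__main__":
    hits, found = review(SAMPLE_LOG)
    print(hits)
    print(found)
```

Successful logins over an established trust from outside the expected range rank highest, which matches the case the NSA singles out.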

These vulnerabilities are textbook examples of why continuous and timely vulnerability management is essential for the security of your corporate IT infrastructure.

Without proper tooling to help you identify, prioritize and remediate vulnerabilities, it’s nearly impossible (or prohibitively expensive) to patch the constantly growing number of them.

We know a trick or two about handling vulnerabilities, so definitely check out F-Secure Radar if you need help with vulnerability management. And if you’re worried about detecting attackers that have managed to get into your systems by exploiting unpatched vulnerabilities, check out F-Secure Rapid Detection and Response.
