Russian Hackers Target VMware Vulnerability, NSA Warns

Russian cyber actors are exploiting a vulnerability in VMware Access and Identity Manager products to access protected data on affected systems, according to a National Security Agency (NSA) security advisory released this week.

The VMware vulnerability affects the following products:

  • Workspace One Access
  • Access Connector
  • Identity Manager
  • Identity Manager Connector

To exploit the VMware vulnerability, cyber actors must first have access to a device’s management interface, NSA indicated. They can then forge Security Assertion Markup Language (SAML) credentials to request access to protected data.

How to Guard Against the VMware Vulnerability

NSA is urging National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators to apply vendor-provided patches to affected VMware products as soon as possible. It offers the following recommendations to guard against the VMware vulnerability:

  • Understand the Vulnerability: The VMware vulnerability requires password-based access to a web interface and allows cybercriminals to execute Linux commands. As such, system administrators should leverage multi-factor authentication (MFA) and other appropriate security measures to minimize the threat’s impact.
  • Understand the Relevance: The VMware vulnerability enables cybercriminals to target customer and partner networks. Therefore, system administrators should identify any networks that could be affected by the vulnerability.
  • Prioritize the Response: System administrators must identify which data can be accessed via vulnerable VMware products, assess the risk associated with data that cybercriminals could access and patch vulnerable products accordingly.

In addition, system administrators should review server logs and check and update service configurations to mitigate the VMware vulnerability, NSA stated. They also can leverage MFA for security credential services as needed.
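One way to act on the "review server logs" recommendation, as an added example that is not part of the NSA advisory and is not VMware code: a forged SAML assertion signed with a legitimate (stolen) key passes signature checks at the application that consumes it, but the identity manager never recorded issuing it. Cross-checking the consuming application's accepted assertions against the identity provider's issuance records surfaces assertions that were never issued, replayed, or accepted long after issuance. The two log formats and all entries below are constructed for illustration; real products log differently, so the parser would need adapting.

```python
"""Cross-check SAML assertions accepted by a service provider (SP) against the
identity provider's (IdP) issuance log.

Added example; log formats and entries are constructed, not taken from any
vendor product. Each line is: <ISO timestamp> <ACTION> key=value ...
"""
from datetime import datetime, timedelta

# Constructed IdP audit log: one ISSUE record per assertion the IdP produced.
IDP_ISSUANCE_LOG = """\
2020-12-07T09:14:02Z ISSUE id=_a1 subject=alice@example.test sp=https://app.example.test/saml
2020-12-07T09:20:45Z ISSUE id=_a2 subject=bob@example.test sp=https://app.example.test/saml
"""

# Constructed SP log: one ACCEPT record per assertion that passed validation.
# _ff9 was never issued by the IdP; _a2 is presented twice (replay).
SP_CONSUMED_LOG = """\
2020-12-07T09:14:03Z ACCEPT id=_a1 subject=alice@example.test
2020-12-07T09:20:46Z ACCEPT id=_a2 subject=bob@example.test
2020-12-07T23:41:10Z ACCEPT id=_ff9 subject=admin@example.test
2020-12-07T09:20:46Z ACCEPT id=_a2 subject=bob@example.test
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "action": action,
            **fields,
        })
    return events


def find_suspicious_assertions(idp_text, sp_text, max_skew=timedelta(minutes=5)):
    """Return (assertion_id, reason) pairs for SP-accepted assertions that do not
    line up with an IdP issuance record."""
    issued = {e["id"]: e for e in parse_log(idp_text) if e["action"] == "ISSUE"}
    findings = []
    seen = set()
    for e in parse_log(sp_text):
        if e["action"] != "ACCEPT":
            continue
        aid = e["id"]
        if aid not in issued:
            # Verified fine at the SP, yet the IdP has no record of it: the
            # signature of a forged assertion made with a stolen key.
            findings.append((aid, "never issued by identity provider"))
        elif issued[aid]["subject"] != e["subject"]:
            findings.append((aid, "subject differs from issuance record"))
        elif e["ts"] - issued[aid]["ts"] > max_skew:
            findings.append((aid, "accepted long after issuance"))
        if aid in seen:
            # Assertion IDs are single-use; a repeat means replay.
            findings.append((aid, "assertion id replayed"))
        seen.add(aid)
    return findings


if __name__ == "__main__":
    for assertion_id, reason in find_suspicious_assertions(IDP_ISSUANCE_LOG, SP_CONSUMED_LOG):
        print(f"{assertion_id}: {reason}")
```

Run against the constructed logs, the script flags `_ff9` as never issued and the second `_a2` as a replay. The design point is that the check does not depend on cryptography: once a signing key is stolen, signature verification at the consuming application proves nothing, so the issuance record on the identity manager itself becomes the only authoritative source, which is also why the advisory stresses protecting the management interface with MFA and patching.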

State-Sponsored Hackers Steal FireEye Red Team Security Testing, Assessment Tools

State-sponsored hackers have attacked FireEye and stolen the cybersecurity company’s Red Team penetration testing and assessment tools, FireEye disclosed in an SEC filing on December 8, 2020. FireEye is concerned the hackers will potentially use the stolen Red Team penetration testing tools to attack additional companies. As a precaution, the company is sharing countermeasures to help potential targets mitigate attacks.

The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, issued this warning about the stolen FireEye tools.

FireEye CEO Kevin Mandia

Among the key FireEye disclosures in the SEC filing:

1. State Sponsored Actor?: The attacker was a “highly sophisticated cyber threat actor” whose “discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.” CEO Kevin Mandia believes the attack involves a “nation with top-tier offensive capabilities.”

2. FireEye Tools Were the Specific Target: This attack specifically targeted FireEye, and used methods that “counter security tools and forensic examination.” The attackers “used a novel combination of techniques not witnessed by us or our partners in the past.” The attacker targeted and accessed certain Red Team assessment tools that FireEye uses to test its customers’ security.

3. FBI, Microsoft Assist Investigation: FireEye is investigating the attack in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft.

4. Defending Against the Red Team Tools: FireEye is proactively “releasing methods and means to detect the use of our stolen Red Team tools.” The company doesn’t know if the attacker intends to use the Red Team tools or to publicly disclose them. FireEye has developed more than 300 countermeasures for customers and the community at large to use in order to minimize the potential impact of the theft of these tools.

5. No Additional Attacks So Far: FireEye has seen no evidence to date that any attacker has used the stolen Red Team tools, but continues to monitor for their use.

6. Customer Information Targeted, But Not Stolen: The attacker primarily sought information related to certain government customers. While the attacker was able to access some of FireEye’s internal systems, there is no evidence so far that the attacker exfiltrated data from the company’s customer information, incident response or consulting engagements, or from the metadata collected by products in its dynamic threat intelligence systems. FireEye plans to contact customers directly if it discovers that any customer information was taken.

7. More Details: If/when more details become available, FireEye will disclose the information via its corporate blog.