A VMware vulnerability that allowed access to protected data and federated authentication abuse was used by the SolarWinds hackers to attack high-value targets, KrebsOnSecurity reported.
The U.S. National Security Agency (NSA) warned on Dec. 7 that a flaw in the software of Palo Alto, Calif.-based VMware was being used by Russian hackers to impersonate legitimate users on breached networks. In order to exploit this vulnerability, the NSA said hackers would need to be on the target’s internal network, which KrebsOnSecurity pointed out would have been the case in the SolarWinds hack.
VMware told CRN that it has received no notification or indication that this vulnerability “was used in conjunction with the SolarWinds supply chain compromise.” After being tipped off to the flaw by the NSA, VMware released a software update Dec. 3 to plug the security hole.
While some of VMware’s own networks used vulnerable versions of SolarWinds’ Orion network monitoring platform, the company told CRN that an investigation has thus far revealed no evidence of exploitation. VMware’s stock is down $7.47 (5.04 percent) to $140.63 per share since the KrebsOnSecurity report came out just after 1:30 p.m. ET Friday.
“While we have identified limited instances of the vulnerable SolarWinds Orion software in our environment, our own internal investigation has not revealed any indication of exploitation,” VMware said in a statement. “This has also been confirmed by SolarWinds’ own investigation to date.”
The NSA advisory came less than 24 hours before FireEye disclosed that it had suffered a security breach designed to gain information on some of the company’s government customers. SolarWinds said its CEO Kevin Thompson was told Saturday by a FireEye executive of the Orion backdoor, and soon discovered it had been the victim of a cyberattack that impacted both Orion tools and its internal systems.
The only private-sector organizations flagged as having been compromised via SolarWinds are FireEye and Microsoft, with Reuters reporting the latter Thursday. Reuters also alleged that Microsoft’s own products were then used by Russian government hackers to further the attacks on other victims.
Microsoft told CRN Thursday the sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment. The U.S. government said Thursday it has evidence of additional initial access vectors beyond SolarWinds Orion, but noted those other intrusion methods are still being investigated.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Thursday it had observed the hackers adding authentication tokens and credentials to highly privileged Microsoft Active Directory domain accounts as a persistence and escalation mechanism. In many instances, CISA said the tokens enable access to both on-premise and hosted resources.
One of the principal ways the hacker is collecting victim information is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges, CISA said. Hosted email services, hosted business intelligence applications, travel systems, timecard systems, and file storage services (such as SharePoint) commonly use SAML, according to CISA.
Similarly, the NSA’s Dec. 7 report said exploiting the VMware Access and VMware Identity Manager products via “led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data.”
Microsoft ADFS can be used to federate identities with VMware Identity Manager, the NSA wrote in a cybersecurity advisory issued yesterday. By abusing the federated authentication, the NSA said the hackers can abuse the trust established across the integrated components.
Adversaries target products like VMware Identity Manager to gain access to cloud services such as Microsoft Office 365, the NSA wrote yesterday. Once access is gained, the NSA said the hackers can monitor or exfiltrate emails and documents stored in Microsoft Office 365 environments.