Posted on December 19, 2020 at 3:24 PM
A report from KrebsOnSecurity revealed that the SolarWinds hackers took advantage of a vulnerability that enabled federated authentication abuse on the targets. However, VMware said it was not aware of the vulnerability having been exploited.
Earlier in the week, U.S. government cybersecurity agencies warned that the SolarWinds hackers had also exploited other vulnerabilities to carry out their attacks.
One of those vulnerabilities has been traced to VMware software, as confirmed by both the KrebsOnSecurity researchers and the U.S. National Security Agency (NSA).
According to the NSA, the Russian hackers exploited the VMware vulnerability to impersonate authorized users on victim networks.
The NSA said the hackers would need to be on a target's internal network to exploit the vulnerability, and KrebsOnSecurity said that may have been what happened in the SolarWinds hack.
However, VMware responded to the finding by saying it had no indication, and had received no notification, that the vulnerability was used to hack the SolarWinds network.
When the NSA informed VMware about the flaw, the firm promptly released a software update on December 3 to patch the vulnerability, saying it had only learned of the flaw from the NSA.
Threat actors bypassed multi-factor authentication
CISA also said the threat actors responsible for the SolarWinds hack focused heavily on impersonating trusted personnel on targeted networks, and that they have found ways of bypassing the multi-factor authentication (MFA) systems protecting the networks they target.
The NSA advisory came less than 24 hours before FireEye researchers revealed they had discovered that the hackers broke into the networks and made away with over 300 proprietary software tools.
The software tools were developed by SolarWinds to help clients secure their networks; their theft leaves several of the firm's customers at risk of attack.
FireEye said the hacking incident was possible because the hackers were able to compromise the SolarWinds network. They planted malicious code into the updates SolarWinds distributed to users of the company's Orion network management software.
In its advisory, the NSA warned that an update is required "as soon as possible", urging defense contractors, the Department of Defense, and the National Security System to make the safety of their security systems a high priority.
Although some of VMware's own networks ran flawed versions of the SolarWinds Orion software, the company said its investigation shows no exploitation of its systems. "Our internal investigation has not revealed any indication of exploitation," the company stated.
VMware's stock sheds 5.4%
The news of VMware's link to the SolarWinds hack appears to have already affected its stock price: less than 24 hours after the news broke, VMware's shares had fallen 5.4%.
While some government organizations were compromised as a result of the SolarWinds hack, Microsoft and FireEye are the only private-sector organizations affected. The report also revealed that the Russian hackers took advantage of the vulnerability and used Microsoft's products to launch further attacks on other victims.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that the hackers are accomplishing their objectives by compromising Security Assertion Markup Language (SAML) authentication.
Once they have done this, the threat actors create unauthorized but authentic tokens and present them to services that accept SAML tokens.
Afterward, the tokens can be used to access resources on hosted platforms such as email accounts.
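As an added defender-side example that is not part of the article or of any CISA guidance, the following Python audits a SAML assertion for the signs of the token forgery described above: a signing certificate other than the identity provider's known one, an unusually long validity window, and an assertion ID the identity provider never logged as issued. The assertion skeleton, the certificate stand-ins, the one-hour lifetime policy and the issuance log are all constructed assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_TOKEN_LIFETIME = timedelta(hours=1)   # assumed local policy for how long a token may be valid

def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint of the base64 DER blob carried in ds:X509Certificate."""
    return hashlib.sha256(base64.b64decode(b64_der)).hexdigest()

def audit_assertion(xml_text, trusted_fingerprints, idp_issued_ids):
    """Return findings for one SAML assertion (empty list = nothing suspicious). XML-DSig
    verification itself is left to the SAML library; these are the forgery indicators."""
    findings = []
    root = ET.fromstring(xml_text)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        findings.append("assertion carries no signing certificate")
    elif cert_fingerprint(cert.text.strip()) not in trusted_fingerprints:
        findings.append("signed by a certificate that is not the known IdP signer")
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        lifetime = (datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
                    - datetime.strptime(cond.get("NotBefore"), "%Y-%m-%dT%H:%M:%SZ"))
        if lifetime > MAX_TOKEN_LIFETIME:
            findings.append(f"token lifetime {lifetime} exceeds policy")
    # A token the IdP never logged as issued is the one indicator that survives theft of the real key.
    if root.get("ID") not in idp_issued_ids:
        findings.append("no matching token-issuance event in IdP logs")
    return findings

def build_assertion(assertion_id, not_before, not_after, signer_b64):
    """Constructed minimal assertion skeleton: KeyInfo only, no SignedInfo/SignatureValue."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="{assertion_id}">'
            f'<saml:Issuer>https://idp.example.test/adfs</saml:Issuer><ds:Signature><ds:KeyInfo>'
            f'<ds:X509Data><ds:X509Certificate>{signer_b64}</ds:X509Certificate></ds:X509Data>'
            f'</ds:KeyInfo></ds:Signature><saml:Conditions NotBefore="{not_before}" '
            f'NotOnOrAfter="{not_after}"/></saml:Assertion>')

# Constructed sample data: stand-ins for DER certificates and for the IdP's issuance log.
LEGIT_SIGNER = base64.b64encode(b"constructed stand-in for the real IdP signing cert DER").decode()
ROGUE_SIGNER = base64.b64encode(b"constructed stand-in for an attacker-controlled cert DER").decode()
TRUSTED = {cert_fingerprint(LEGIT_SIGNER)}
IDP_ISSUED = {"_a1b2c3"}   # assertion IDs the IdP actually logged as issued
LEGIT = build_assertion("_a1b2c3", "2020-12-14T10:00:00Z", "2020-12-14T11:00:00Z", LEGIT_SIGNER)
FORGED = build_assertion("_zz9999", "2020-12-14T10:00:00Z", "2021-12-14T10:00:00Z", ROGUE_SIGNER)
STOLEN_KEY = build_assertion("_k7k7k7", "2020-12-14T10:00:00Z", "2020-12-14T11:00:00Z", LEGIT_SIGNER)
```

The third sample shows why correlating with identity-provider issuance logs matters: a token signed with the genuine stolen key passes the certificate and lifetime checks and is caught only by the missing issuance event.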
Microsoft said it also discovered the malicious code in the SolarWinds binaries, but said some of the reports about the incident do not accurately represent what actually happened.
CISA also said it has found that the threat actors are adding authentication tokens to highly sensitive Microsoft domain accounts. With these tokens, the hackers aim to gain access to both hosted and on-premises resources.
According to CISA, the hackers used the signing certificates to forge tokens for file storage services, timecard systems, travel systems, hosted business intelligence applications, and hosted email systems.