The National Security Agency (NSA) released a cybersecurity alert on Dec. 7 warning that state-sponsored hackers based in Russia have been attacking remote workspaces and exploiting a vulnerability in a suite of VMware products.
According to NSA, VMware issued a patch for the vulnerability on Dec. 3. While affected parties were not named, NSA called out several defense and intelligence-related groups in its advisory.
“Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication,” the alert states. “NSA encourages National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to prioritize mitigation of the vulnerability on affected servers.”
Before the vulnerability was noticed and patched, the hackers used it to create their own credentials in the system and access protected information, NSA said. It recommended immediately updating to the latest version of the workspace software, as well as checking the file index to detect any exit statements.
Hackers utilizing the backdoor need authenticated password access to the workspace software. The NSA recommends creating strong, unique passwords to make the vulnerability harder to exploit. Offline systems were less likely to be affected, NSA said.