Hackers with ties to the Russian government are using a recently discovered command injection vulnerability in VMWare products to abuse access privileges and steal data, according to a new advisory by the National Security Agency.

The NSA notified the company and flagged the vulnerability as present in certain VMWare Linux and Windows-based products and devices, including Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector. A CVE submitted by VMWare in late November rated the vulnerability at a 7.2 out of 10 for severity and lists their Cloud Foundation and Suite Lifecycle Manager products as also being affected.  

The vulnerability lies in an administrative configurator reachable on network port 8443, and exploiting it first requires a valid password for the web-based management tool. However, the account is “internal to the impacted products and the password is set at the time of deployment,” the VMWare CVE notes. Groups can obtain such account credentials in a variety of ways, such as spear phishing or purchase on the dark web.

After obtaining credentials and exploiting the vulnerability to inject commands, the attackers can set up web shells, generate bogus authentication assertions to Microsoft’s Active Directory and gain access to sensitive or protected data.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” the NSA advises. “Otherwise, SAML assertions could be forged, granting access to numerous resources.”

Apart from timely patching, the NSA said two of the best ways to cut down on risk involve using a “strong and unique” password as well as ensuring the interface is not accessible from the internet.

The NSA notes that network-based indicators are “unlikely” to be effective at detecting exploitation since the activity “occurs exclusively inside an encrypted transport layer security tunnel associated with the web interface.” Organizations may have more success detecting potential compromise by reviewing their server logs, where the telltale sign is an exit statement followed by a three-digit number in the configurator’s log. In addition to scouring networks for signs of exploitation or the presence of vulnerable products, the NSA also advises organizations to pay attention to whether customers or partner networks are using them as well.
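The log-based check described above, as an added example that is not part of the original article or of any NSA or VMWare tooling: a small Python matcher that scans configurator server log text for an `exit` statement followed by a three-digit number. The log line format and the sample lines are constructed for illustration and are an assumption, not real product output; only the "exit followed by a three-digit number" indicator comes from the advisory as reported.

```python
import re
from typing import List, Tuple

# Indicator reported in the advisory: the word "exit" followed by a
# three-digit number in the configurator's server log.
EXIT_PATTERN = re.compile(r"\bexit\s+(\d{3})\b", re.IGNORECASE)

# Constructed sample log lines (assumed format, not real VMWare output),
# used only to exercise the matcher offline.
SAMPLE_LOG = """\
2020-12-01 10:12:03 INFO  configurator started on port 8443
2020-12-01 10:15:44 INFO  login ok user=admin src=10.0.0.5
2020-12-01 10:16:02 INFO  exit 127
2020-12-01 10:16:09 INFO  exit 0
2020-12-01 10:17:31 INFO  exit 255
2020-12-01 10:18:00 INFO  session closed user=admin
"""


def find_suspicious_exits(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, three_digit_code, stripped_line) for every
    line that carries the 'exit NNN' indicator.

    A bare 'exit 0' (one digit) is deliberately not matched, because the
    reported indicator is specifically a three-digit number."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = EXIT_PATTERN.search(line)
        if match:
            hits.append((lineno, match.group(1), line.strip()))
    return hits


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan a log file on disk; decoding errors are replaced so a single
    bad byte does not abort the review of the whole file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_exits(fh.read())


if __name__ == "__main__":
    import sys

    # With a path argument, scan that file; otherwise run on the sample.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_suspicious_exits(SAMPLE_LOG)
    for lineno, code, line in hits:
        print(f"line {lineno}: exit code {code}: {line}")
```

Run it against the configurator log export; each reported line is a lead to examine alongside the surrounding login and session entries, since the matcher only surfaces the indicator and does not by itself confirm exploitation.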

It’s not clear from the public advisory which Russian group is exploiting the flaws, who their specific victims might be or whether they are an APT group tied to Russian intelligence or foreign policy objectives. VMWare released a patch for the flaws on Nov. 23, and NSA strongly urged network administrators at the Department of Defense, other national security systems and defense contractors to make patching a top security priority.

The Russian government has long turned a blind eye to cybercriminal groups operating within its borders, so long as they tend to direct their activities towards victims outside the country and don’t interfere with the Kremlin’s larger geopolitical goals. Companies within the defense industrial base that make parts, components and technology for the U.S. military have been relentlessly targeted by foreign hacking groups aligned with Russia, China and other nations.

That in turn has prompted agencies like NSA, which stood up a cybersecurity directorate last year, to become much more involved in the public notification and dissemination of security vulnerabilities to the private sector, as they did here in notifying VMWare.