VMware Latest To Confirm Breach In SolarWinds Hacking Campaign

VMware is the latest company to confirm that it had its systems breached in the recent SolarWinds attacks but denied further exploitation attempts.

The company said that the hackers did not make any efforts to further exploiting their access after deploying the backdoor now tracked as Sunburst or Solarigate.

“[W]hile we have identified limited instances of the vulnerable SolarWinds Orion software in our own internal environment, our own internal investigation has not revealed any indication of exploitation,” the company said in a statement.

“This has also been confirmed by SolarWinds own investigations to date,” VMware added.

VMware zero-day exploit not used in recent high-profile hacks

VMware also disputed media reports that a zero-day vulnerability in multiple VMware products reported by the NSA was used as an additional attack vector besides the SolarWinds Orion platform to compromise high-profile targets.

The vulnerability tracked as CVE 2020-4006 was publicly disclosed in November and addressed during early December.

The National Security Agency (NSA) issued an advisory three days later, after the security flaw was addressed, saying that Russian nation-state hackers have been exploiting the vulnerability to gain access to protected data on impacted systems.

The reports have been prompted by an alert issued by the US Cybersecurity and Infrastructure Security Agency (CISA) saying that the APT group behind the ongoing compromise campaign targeting US government agencies used more than one initial access vector.

Also Read: Letter of Consent MOM: Getting the Details Right

“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” the agency said.

“Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.”

However, VMware denied that CVE-2020-4006 exploits were used as an additional method to breach government agencies in the recent surge of attacks.

“To date, VMware has received no notification that the CVE-2020-4006 was used in conjunction with the SolarWinds supply chain compromise,” the company said.

Customers urged to patch systems

While CVE-2020-4006 has not been abused in any of the breaches associated with the SolarWinds supply chain attack, VMware says that all customers should apply the security updates for affected products.

“VMware encourages all customers to apply the latest product updates, security patches and mitigations made available for their specific environment,” the company said.

“VMware strongly encourages all customers to please visit VMSA-2020-0027 as the centralized source of information for CVE 2020-4006.”

FireEye is currently tracking the threat actor behind the SolarWinds supply chain attack as UNC2452, while Volexity has linked the activity to a threat actor tracked as Dark Halo.

Dark Halo operators have been behind multiple malicious campaigns between late 2019 and July 2020 according to Volexity, targeting and successfully breaching the same US-based think tank three times in a row.

Unconfirmed media reports also cited sources connecting these recent attacks to APT29 (aka Cozy Bear), a nation-state hacking group linked to the Russian Foreign Intelligence Service (SVR).

Also Read: A Look at the Risk Assessment Form Singapore Government Requires

However, cybersecurity companies and researchers including FireEye, Microsoft, and Volexity, have not yet attributed these attacks to APT29 at this time.