
News | Dec. 7, 2020

Russian State-Sponsored Malicious Cyber Actors Exploit Known Vulnerability in Virtual Workspaces

The National Security Agency (NSA) released a Cybersecurity Advisory today detailing how Russian state-sponsored actors have been exploiting a vulnerability in VMware® products to access protected data on affected systems. The advisory emphasizes the importance of National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators applying the vendor-provided patches to the affected VMware® identity management products, and provides further details on how to detect and mitigate compromised networks.

Russian State-Sponsored Actors Exploiting Vulnerability in VMware® Workspace Infographic
Photo By: NSA Cybersecurity
VIRIN: 201207-D-IM742-1002

The products affected by this vulnerability are VMware® Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector; the specific affected product versions are identified in the VMware® advisory. Exploiting this vulnerability first requires that a malicious actor have access to the management interface of the device. With that access, attackers can forge Security Assertion Markup Language (SAML) credentials and send seemingly authentic requests to gain access to protected data.

NSA strongly recommends that NSS, DoD, and DIB system administrators apply the vendor-issued patch as soon as possible. If a compromise is suspected, check server logs and authentication server configurations in addition to applying the product update. Where an immediate patch is not possible, system administrators should apply the mitigations detailed in the advisory to help reduce the risk of exploitation and compromise.

For a quick summary on how you can take action, take a look at our infographic.

For full details, please read the full advisory.