Russian state-sponsored threat actors are in the spotlight this week.
The vulnerability, tracked as CVE-2020-4006, affects VMware’s Workspace ONE product.
VMware claims it streamlines the journey for organizations to become digital businesses that deliver better experiences to their customers and empower employees to do their best work.
The threat actors can gain network access to the administrative configurator on port 8443. With a valid password for the configurator admin account, the threat actor can execute commands with unrestricted privileges on the underlying operating system.
TCP (Transmission Control Protocol) guarantees delivery of data and also guarantees that packets sent to port 8443 are delivered in the same order in which they were sent.
This issue has been listed as important and given a CVSSv3 base score of 7.2.
The National Security Agency reported the vulnerability to VMware. VMware made the vulnerability public on Nov. 23. Based on this timeline, it looks as if the vulnerability had been exploited before it could be patched. As a result, the threat actors were able to obtain sensitive data.
The exploit was through command injection, which led to the installation of a web shell. Credentials in the form of SAML authentication, which is the process of verifying the user’s identity and credentials, were generated and sent to Microsoft® Active Directory Federation Services (ADFS).
Utilize a unique and strong password and avoid making certain interfaces available to the internet to reduce the risk of exploitation.
Many organizations fail to keep up with software patches, and others delay applying patches for fear of breaking internal systems and/or applications.
It is important to stay cognizant of emerging threats and your organization’s risk profile, and to ensure your vulnerability management program is up to date.
SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but they are also able to deploy our proprietary tool, ShadowSpear®, in an environment before or after an attack.