VMWare releases an urgent security advisory recommending that users update VMware ESXI and VCenter servers to patch new security vulnerabilities. We have provided mitigation recommendations on how to protect yourself from this attack and separately, auditing and assessment recommendations on how to assess whether compromise has occurred.
A malicious actor with network access to VMware servers over port 443 is able to execute commands on the host system with unrestricted privileges. This can be performed against public–facing servers over the internet.
Ease of exploit
Attackers require no prior knowledge of a company’s estate to perform this attack. Scans of public–facing VMware servers have already been observed in the wild, with a quick search of shodan.io providing attackers with a list of vulnerable web-facing targets. Multiple “proof-of-concept” repositories have been released to the internet, accessible for anyone to use, even unskilled actors.
Apply relevant updates or patches
VMware’s security advisory includes all relevant updates/patch notes for affected versions of VMware products. We recommend that organisations apply the relevant updates ASAP, prioritising web–facing systems.
Locking down access
Secrutiny recommends that customers limit network access to web–facing servers to known IPs, ideally only users on corporate VPNs or working within corporate offices if possible.
Limit servers’ access to critical assets
VMWare servers are purpose-built and often do not need access to the majority of assets within an estate all the time. Zero trust policies should be deployed within the estate to ensure that servers only have access to the data and systems they need, limiting the potential for hackers to pivot from trivial exploits against public–facing servers to accessing sensitive resources.
Assessing the Extent of Potential Compromise
Customers should audit network access to their VMware servers from public IPs, taking note of any unknown IPs or access from unexpected countries or organisations. On the flip side of this, if customers see strange outbound connections from their VMware servers, this could indicate stage 2 compromise with malicious payloads or tools being deployed to the server.
System activity auditing (EDR software)
Customers should utilise any auditing logs they have available for user/process activity on the affected systems. For example, EDPR software should have a record of any strange or unexpected commands/processes being run by VMware software on devices. For example, proof-of-concept code utilises the “whoami” command to test vulnerable servers. Instances of discovery commands like these being run by VMware processes could be an indicator of the vulnerabilities being exploited.
User Behavioural Monitoring
Initial exploitation of the vulnerabilities in question gives attackers a foothold into an estate, with the ability to run discovery commands and gather intel. However, to expand the scope of their compromise and exfiltrate data, they would need to compromise further accounts or systems and pivot across an estate. Users connecting to unexpected systems, or VMware servers authenticating to unexpected assets within an estate, could be a key indicator of this.
Should any of our customers have any concerns, please do not hesitate to contact the Secrutiny SOC via firstname.lastname@example.org or 0203 7467 007.