[BreachExchange] This is not a drill: VMware vuln with 9.8 severity rating is under attack

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Jun 7 14:57:09 EDT 2021


https://arstechnica.com/gadgets/2021/06/under-exploit-vmware-vulnerability-with-severity-rating-of-9-8-out-of-10/

A VMware vulnerability with a severity rating of 9.8 out of 10 is under
active exploitation. At least one reliable exploit has gone public, and
there have been successful attempts in the wild to compromise servers that
run the vulnerable software.

The vulnerability, tracked as CVE-2021-21985, resides in the vCenter
Server, a tool for managing virtualization in large data centers. A VMware
advisory published last week said vCenter machines using default
configurations have a bug that, in many networks, allows for the execution
of malicious code when the machines are reachable on a port that is exposed
to the Internet.

Code execution, no authentication required

On Wednesday, a researcher published proof-of-concept code that exploits
the flaw. A fellow researcher who asked not to be named said the exploit
works reliably and that little additional work is needed to use the code
for malicious purposes. It can be reproduced using five requests from cURL,
a command-line tool that transfers data using HTTP, HTTPS, IMAP, and other
common Internet protocols.

Another researcher who tweeted about the published exploit told me he was
able to modify it to gain remote code execution with a single mouse click.

“It will get code execution in the target machine without any
authentication mechanism,” the researcher said.

I haz web shell

Researcher Kevin Beaumont, meanwhile, said on Friday that one of his
honeypots—meaning an Internet-connected server running out-of-date software
so the researcher can monitor active scanning and exploitation—began seeing
scanning by remote systems searching for vulnerable servers.

About 35 minutes later, he tweeted, “Oh, one of my honeypots got popped
with CVE-2021-21985 while I was working, I haz web shell (surprised it’s
not a coin miner).”

A web shell is a command-line tool that hackers use after successfully
gaining code execution on vulnerable machines. Once installed, attackers
anywhere in the world have essentially the same control that legitimate
administrators have.

Troy Mursch of Bad Packets reported on Thursday that his honeypot had also
started receiving scans. On Friday, the scans were continuing, he said. A
few hours after this post went live, the Cybersecurity and Infrastructure
Security Administration released an advisory.

It said: "CISA is aware of the likelihood that cyber threat actors are
attempting to exploit CVE-2021-21985, a remote code execution vulnerability
in VMware vCenter Server and VMware Cloud Foundation. Although patches were
made available on May 25, 2021, unpatched systems remain an attractive
target and attackers can exploit this vulnerability to take control of an
unpatched system."

Under barrage

The in-the-wild activity is the latest headache for administrators who were
already under barrage by malicious exploits of other serious
vulnerabilities. Since the beginning of the year, various apps used in
large organizations have come under attack. In many cases, the
vulnerabilities have been zero-days, exploits that were being used before
companies issued a patch.

Attacks included Pulse Secure VPN exploits targeting federal agencies and
defense contractors, successful exploits of a code-execution flaw in the
BIG-IP line of server appliances sold by Seattle-based F5 Networks, the
compromise of Sonicwall firewalls, the use of zero-days in Microsoft
Exchange to compromise tens of thousands of organizations in the US, and
the exploitation of organizations running versions of the Fortinet VPN that
hadn’t been updated.

Like all of the exploited products above, vCenter resides in potentially
vulnerable parts of large organizations’ networks. Once attackers gain
control of the machines, it’s often only a matter of time until they can
move to parts of the network that allow for the installation of espionage
malware or ransomware.

Admins responsible for vCenter machines that have yet to patch
CVE-2021-21985 should install the update immediately if possible. It
wouldn’t be surprising to see attack volumes crescendo by Monday.