Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
Cybercriminals are scanning for VMware vCenter servers vulnerable to severe remote code execution (RCE) bug affecting all vCenter deployments and patched by VMware ten days ago.
Last week, the threat intelligence company Bad Packets was the first to see the ongoing scanning activity, later corroborated by cybersecurity specialist Kevin Beaumont.
The flaw, tracked as CVE-2021-21985, is situated in the VCenter Server, an instrument for running virtualization in big data centers.
A VMware press release issued last week stated vCenter machines utilizing default configurations have a vulnerability that, in many networks, enables the implementation of malicious code when the machines can be reached on a port that is exposed to the Internet.
On Wednesday, a researcher published a proof-of-concept (PoC) code that exploits the vulnerability. Another specialist declared the exploit is able to be trusted and that little extra work is required to use the code for malicious purposes.
It can be reproduced using five requests from cURL, a command-line tool that transfers data using HTTP, HTTPS, IMAP, and other common Internet protocols.
Thousands of vulnerable vCenter servers are reachable over the Internet at the moment, according to the Shodan search engine for Internet-connected devices.
Mass scanning activity detected from 104.40.252.159 (🇳🇱) checking for VMware vSphere hosts vulnerable to remote code execution (CVE-2021-21985).
Vendor advisory: https://t.co/D0aWkbQMPT#threatintel
— Bad Packets (@bad_packets) June 3, 2021
The security vulnerability can be remotely abused by unauthorized threat actors in less complicated attacks which don’t need user interaction.
Successful exploitation enables cybercriminals to assume control of a company’s entire network, seeing that IT departments and administrators use VMware vCenter servers to manage VMware solutions deployed across organization environments.
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.
Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used.
Finally, Chinese speaking win the racehttps://t.co/MALLHMW4po
— Janggggg (@testanull) June 3, 2021
Following the release of security updates to address the bug tracked as CVE-2021-21985, VMware alerted that these updates mend a severe security flaw and it needs to be taken into consideration immediately.
The company also added that this bug can be employed by anyone who can reach vCenter Server over the network to obtain access, regardless of whether you use vSAN or not.
As we said before, vCenter lives in potentially unprotected parts of big companies’ networks. Once threat actors acquire control of the machines, it’s frequently just a matter of time before they can move to parts of the network that enable the installation of espionage malware or ransomware.
Multiple ransomware groups, including Darkside, RansomExx, and Babuk Locker have exploited VMWare ESXi pre-auth RCE bugs to encrypt virtual hard disks used as centralized enterprise storage space.
In this era of ransomware, it is safest to assume that an attacker is already inside the network somewhere, on a desktop, and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.
The organization also provides workaround measures created to eliminate the attack vector and chance of exploitation by setting the affected plug-ins to “incompatible” for those who cannot instantly carry out the security updates.
Admins in charge of vCenter machines that have yet to patch CVE-2021-21985 should install the update as quickly as possible.
Our Automated Heimdal™ Patch & Asset Management solution will automatically install updates based on your configured policies, without the need for manual input. As soon as 3rd party vendors release new patches, our technology silently deploys them to your endpoints, without the need for reboots or user interruption.
Heimdal® Patch & Asset Management Software
As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.
