VMware Denies Its Software Used in SolarWinds Hack
VMware said its buggy products that were exploited by Russian state-sponsored hackers were not used in the SolarWinds supply chain attack.
“In addition, while we have identified limited instances of the vulnerable SolarWinds Orion software in our own internal environment, our own internal investigation has not revealed any indication of exploitation,” VMware said in a statement. “This has also been confirmed by SolarWinds’ own investigations to date.”
On Dec. 7, the U.S. National Security Agency issued a warning about Russian groups actively exploiting a vulnerability in some VMware endpoint and identity management products, including some versions of its Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. VMware rolled out a patch for the command injection vulnerability, tracked as CVE-2020-4006, and in its advisory the NSA urged organizations to patch affected systems “as soon as possible.” It specifically encouraged National Security System, Department of Defense, and Defense Industrial Base network administrators “to prioritize mitigation of the vulnerability on affected servers.”
Just a day after the NSA issued a cybersecurity alert about the bug in some VMware products, FireEye disclosed that a “highly sophisticated threat actor” stole its internal hacking tools in what the cybersecurity vendor believes was a nation-state attack targeting its government customers.
It turned out that the nation-state group inserted malicious code into a legitimate SolarWinds software update, and used the trojan to attack upwards of 18,000 SolarWinds customers — including FireEye, Microsoft, and multiple government agencies including departments of Defense, State, Homeland Security, Treasury, Commerce, and Energy and its National Nuclear Security Administration, as well as the National Institutes of Health.
On Friday, Secretary of State Mike Pompeo confirmed what most suspected: Russia was “pretty clearly” behind the SolarWinds supply chain attack. The same day, cybersecurity researcher Brian Krebs reported that the hackers used other, non-SolarWinds products to attack U.S. targets, including the VMware software vulnerability that VMware disclosed earlier this month.
VMware, however, said it “received no notification that the CVE 2020-4006 was used in conjunction with the SolarWinds supply chain compromise.”
In its statement, VMware encouraged all customers to apply security patches and updates and directed customers to VMSA-2020-0027 for information about CVE-2020-4006. “VMware remains committed to transparency and ensuring customer security is a top priority,” it said.
Despite VMware’s denial that its products were used in conjunction with the SolarWinds breach, the virtualization giant’s shares dropped more than 5% late Friday after Krebs’ report.