VMware is the latest company to confirm that its systems were breached in the recent SolarWinds attacks, but refused further operating attempts.
The company said the hackers made no effort to further exploit their access after deploying the now-pursued backdoor as Sunburst or Solarigate.
“[W]While we have identified limited cases of vulnerable SolarWinds Orion software in our internal environment, our internal investigation did not reveal any indications of exploitation, “the company said in a statement.
“This has been confirmed by SolarWinds’ own investigations so far,” VMware added.
VMware zero-day exploit is not used in recent high profile hacks
VMware also disputed media reports that a zero-day vulnerability in several VMware products reported by the NSA was used as an additional attack vector in addition to the SolarWinds Orion platform to compromise high-profile targets.
The vulnerability targeted as CVE 2020-4006 was publicly disclosed in November and addressed in early December.
The National Security Agency (NSA) issued an opinion three days later, after addressing the security flaw, saying that hackers in the Russian national state exploited the vulnerability to gain access to protected data on affected systems.
The reports were prompted by an alert issued by the US Cyber Security and Infrastructure Agency (CISA), which said the APT group behind the ongoing compromise campaign targeting US government agencies used more than one initial access vector.
“CISA has evidence of additional initial access vectors other than the SolarWinds Orion platform; however, they are still under investigation,” the agency said.
“Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the opponent with follow-up actions.”
However, VMware denied that the CVE-2020-4006 operations were used as an additional method to violate government agencies in the recent escalation of attacks.
“To date, VMware has not received any notification that CVE-2020-4006 has been used in conjunction with the SolarWinds supply chain compromise,” the company said.
Customers asked to correct the systems
While CVE-2020-4006 has not been abused in any of the breaches associated with the SolarWinds supply chain attack, VMware says all customers should apply security updates to affected products.
“VMware encourages all customers to apply the latest product updates, security patches and mitigations made available to their specific environment,” the company said.
“VMware strongly encourages all customers to visit VMSA-2020-0027 as a centralized source of information for CVE 2020-4006.”
FireEye is currently targeting the threat actor behind the SolarWinds supply chain attack as UNC2452, while Volexity has linked the activity to a threat actor targeted as Dark Halo.
Dark Halo operators have been behind several malicious campaigns between the end of 2019 and July 2020, according to Volexity, successfully targeting and violating the same US think tank three times in a row.
Unconfirmed media reports also cited sources linking these recent attacks to APT29 (aka Cozy Bear), a national state hacking group linked to the Russian Foreign Intelligence Service (SVR).
However, cybersecurity companies and researchers, including FireEye, Microsoft and Volexity, have not yet attributed these APT29 attacks at this time.