A VMware flaw with a 9.8 severity rating is under active attack by threat actors. The flaw, disclosed and patched last month, allows code execution without authentication.
The barrage of cyberattacks and vulnerability announcements is not slowing down, despite many areas re-opening in full. The COVID-19 pandemic sparked a huge digital transformation boom, leading to an increase in cyberattacks worldwide. Threat actors know that businesses don’t always take the time to secure their systems thoroughly, and they will use any weakness they can find. Even as the world begins to return to “normal” with people getting vaccinated, hackers are showing that they aren’t going anywhere. The latest threat, with a 9.8 severity rating, is a vulnerability in VMware software that allows attackers to execute code remotely without authentication.
The vulnerability, tracked as CVE-2021-21985, is in vCenter Server, a tool for managing virtualization in large data centers. VMware published an advisory on 5/25 when the vulnerabilities were discovered and patched. The advisory states, “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.” The advisory also contains workarounds in the event the fix cannot be applied.
Since this advisory was posted, researchers have published proof-of-concept code and successful exploits using the vulnerability. It didn’t take long for threat actors to start scanning networks, hunting for exposed machines to take advantage of. Remember, the vulnerability allows for remote code execution without authentication, so a hacker can now implant malware or other malicious code directly into your systems. They don’t have to wait for a user to click a link or for someone to jump through the hoops of a phishing scheme; they have direct access, which is why the flaw is rated 9.8 on a 10-point scale.
The Cybersecurity and Infrastructure Security Agency released an advisory of its own: “CISA is aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system.”
Most of the time, this is where we hammer home the fact that security can’t wait. It can’t be put off. This particular spurt of in-the-wild activity happened within a week of the vulnerability and patch disclosure. Criminals are moving faster than businesses, making it incredibly difficult to keep up. In the last few months, we have seen many products used by large organizations come under attack. This is because large corporations hold more data than small businesses, so when these vulnerabilities come to light, bad actors jump at the opportunity to profit from them.
Here’s the kicker to all of this. The more active these threat actors become, the more pressure is put on businesses to make effective changes. The problem is that security teams are already understaffed and overworked. Burnout in the tech industry is very real, and it’s instances like what we see today that can push people too hard. When employees burn out, their work suffers. The subpar quality they produce only serves to make extra work for someone else. And the cycle continues.
So what are business leaders to do? This security problem isn’t going anywhere, and it certainly won’t slow down until there is meaningful legislation in place. Business leaders must support their security teams in every way possible. Train every employee on cybersecurity best practices and what to watch for, from the bottom to the top. Train them on password best practices. These are extra layers of security for the whole business, and they make your security team’s job a little bit easier. Bring in an expert or team of experts to supplement your team. Your employees already have their normal work on their plates, so bringing in help will save you money in the long run.
As always, unpatched machines must be updated as soon as possible. With active threats detected in the wild, and at least one of them successful, this is something that really cannot wait.