VMware confirms SolarWinds attack also affected its systems

VMware developers have confirmed that their systems were also compromised during the SolarWinds security incident. In its report, the company says that the threat actors used their unauthorized access to inject the backdoor identified as Sunburst or Solarigate.

“We’ve identified some vulnerable SolarWinds Orion implementations in our own environment, although we haven’t detected any signs of exploitation,” the developer report says. As for reports published in recent days claiming that a zero-day flaw in VMware was exploited to access SolarWinds Orion installations, VMware considers these findings questionable.

Tracked as CVE-2020-4006, this vulnerability was publicly revealed in November and corrected in early December. In this regard, the National Security Agency (NSA) issued three security alerts after the flaw was corrected, mentioning that some hacking groups linked to the Russian government had exploited it to access confidential information.

The reports referred to by VMware developers were issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which mentions that an advanced hacking group is behind these attacks: “We have evidence of additional access beyond the SolarWinds Orion platform, although this is still under investigation,” the Agency’s report says.

“Not all organizations that received the backdoor through the SolarWinds update were attacked by threat actors; there is no evidence that CVE-2020-4006 exploits were used as an additional method to compromise the networks of affected organizations,” VMware states.

Although exploitation of CVE-2020-4006 has not been detected in the incidents associated with the SolarWinds supply chain attack, the developers strongly recommend installing the security updates to prevent further exploitation attempts: “Customers are referred to VMSA-2020-0027 for additional information on this issue,” the security alert says.