How VMware Exploits Contributed to SolarWinds Supply-chain Attack
Josh Huddleston, Pu Ji, Suman Bhunia, Joel Cogan
Abstract
This paper analyzes the part of VMWare in the multi-vector attack on SolarWinds. After infecting hundreds of companies’ networks through the supply-chain attack on SolarWinds, hackers were able to use a VMware exploit on a number of the infected networks to propagate their attack further. The adversary specifically targeted command injection, used after free and privilege escalation to access VMWare platforms. Although the hackers were not able to gain control of the machines, they were able to steal sensitive information. Without the VMware exploit, attackers may not have gotten access to the VMs and thus could not easily pivot to other servers. This paper provides details on the specific zero-day vulnerabilities used in this attack and outlines the possible defense against this attack.