Cyber Incident Victim: VMware
Date: Dec 2020
Location: United States of America
Summary
VMware confirmed a breach linked to the SolarWinds supply-chain attack, identifying limited instances of the compromised Orion software in its environment but finding no evidence of subsequent exploitation by the threat actors. The company disputed media claims that a separate VMware vulnerability (CVE-2020-4006), patched before the NSA disclosed its exploitation by Russian state-sponsored hackers, served as an additional attack vector in the campaign. While U.S. cybersecurity authorities acknowledged evidence of initial access methods beyond the SolarWinds platform, investigations into these vectors remained ongoing at the time of reporting. The incident highlighted the broad targeting of organizations through the Orion backdoor, though not all compromised entities experienced follow-on malicious activity.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On December 21, 2020, VMware confirmed it had experienced a breach as part of the SolarWinds supply-chain attack campaign. The company identified limited instances of the compromised SolarWinds Orion software within its internal environment but stated that its investigation revealed no evidence that attackers exploited these systems after deploying the Sunburst (Solarigate) backdoor. VMware emphasized that the adversaries did not attempt further malicious activity following the initial deployment of the backdoor, a conclusion corroborated by SolarWinds' own ongoing investigation at the time. The company also refuted media reports suggesting that a separate VMware vulnerability (CVE-2020-4006) served as an additional attack vector in the campaign. This critical authentication bypass flaw affecting multiple VMware products had been publicly disclosed in November 2020 and patched by early December, prior to the NSA's December 7 advisory linking it to Russian state-sponsored exploitation. VMware clarified that there was no evidence connecting CVE-2020-4006 to the SolarWinds incident timeline.

The Cybersecurity and Infrastructure Security Agency (CISA) acknowledged investigating potential initial access vectors beyond the SolarWinds Orion platform but provided no conclusive findings regarding alternative compromise methods during VMware's disclosure period. VMware noted that not all organizations compromised via the SolarWinds backdoor faced subsequent adversary action, which aligned with its own experience of limited post-intrusion activity. In response to the breach, VMware urged customers to implement all available security updates, patches, and mitigations for their environments, specifically directing them to advisory VMSA-2020-0027 for authoritative guidance on addressing CVE-2020-4006. The company maintained this vulnerability disclosure as the central resource for customers despite confirming that the vulnerability was unrelated to the SolarWinds campaign. VMware's disclosure emphasized containment through existing patches while distinguishing between the confirmed SolarWinds-related breach and unsubstantiated claims regarding secondary exploitation vectors involving its products.
