← Back to Security Blog
보안 브리핑 8분 읽기

VMware 익스플로잇 확산, OAuth 피싱 급증 & LexisNexis 침해

Published: 2026-03-04

CISA flags VMware Aria Operations RCE as actively 익스플로잇ed. Microsoft exposes a sophisticated OAuth redirect attack bypassing MFA. LexisNexis confirms hackers stole 2GB of data including government employee records. Plus: Akzo아니오bel hit by Anubis 랜섬웨어 and fake IT support campaigns deploy Havoc C2.


🔴 치명적: VMware Aria Operations 활성 공격 중

CVE-2026-22719 — PATCH IMMEDIATELY

CISA has added a VMware Aria Operations command injection 취약점 to its Known 악용 Vulnerabilities (KEV) catalog. 이 취약점은 allows unauthenticated attackers to execute arbitrary commands, leading to full 원격 코드 실행(RCE).

CVSS 점수: 8.1 (높음)  |  Deadline: March 24, 2026 for federal agencies

The 취약점 exists in the migration service component of VMware Aria Operations. During support-assisted product migration, an unauthenticated actor can inject commands that run as root via a sudoers misconfiguration in vmware-casa-workflow.sh.

Broadcom released patches on February 24 along with a temporary 임시 해결책 script (aria-ops-rce-임시 해결책.sh) that disables the vulnerable migration components. The company acknowledged reports of active 익스플로잇ation but stated it "cannot independently confirm their validity."

Also patched in VMSA-2026-0001:

CVEType영향
CVE-2026-22719Command InjectionUnauthenticated RCE
CVE-2026-22720Stored XSSSession hijacking
CVE-2026-22721권한 상승Admin access

🟠 OAuth 리다이렉트 남용: 대규모 MFA 우회

Microsoft Defender researchers have uncovered a sophisticated campaign where 위협 행위자s abuse the legitimate OAuth 2.0 redirect mechanism to bypass email and browser 피싱 protections. The attacks primarily target government and public-sector organizations.

How the attack works:

  1. Lure delivery: Phishing emails disguised as e-signature requests, SSA notices, or meeting invites contain OAuth redirect URLs
  2. Silent auth failure: Attackers register malicious OAuth apps with invalid scopes and prompt=none, forcing authentication errors
  3. Redirect hijack: The identity provider redirects victims to 공격자는-controlled redirect URI
  4. 자격 증명 탈취: EvilProxy attacker-in-the-middle frameworks intercept session cookies, bypassing MFA

In some variants, victims are redirected to a /download path that auto-delivers ZIP files containing malicious .LNK files. These launch PowerShell for reconnaissance before DLL side-loading deploys the final 페이로드.

Key takeaway: This attack abuses intended behavior in the OAuth framework. The error handling mechanism works exactly as the standard specifies — attackers simply weaponize the redirect flow.


🔴 LexisNexis 침해: 정부 데이터 노출

Legal data giant LexisNexis Legal & Professional has confirmed hackers breached its AWS infrastructure on February 24 by 익스플로잇ing the React2Shell 취약점 in an unpatched React frontend application.

Threat actor "FulcrumSec" leaked 2GB of structured data from the breach, claiming access to:

LexisNexis stated the compromised data was "mostly legacy, deprecated data from prior to 2020" and did not include SSNs, financial information, or active passwords. The company says the intrusion has been contained.


🟠 Anubis 랜섬웨어, Akzo아니오bel 공격

Dutch paint and coatings giant Akzo아니오bel ($12B+ revenue, 35,000 employees, 150+ countries) confirmed a network breach at one of its U.S. sites. The Anubis 랜섬웨어 gang claims to have exfiltrated 170GB of data including:

Anubis, a RaaS operation active since December 2024, offers affiliates 80% of ransom payments and added a destructive data wiper capability in mid-2025.


🟡 가짜 IT 지원으로 Havoc C2 프레임워크 배포

Huntress researchers identified a campaign across five organizations where attackers masquerade as IT support staff to deploy the Havoc 명령 및 제어(C2) framework. The playbook closely mirrors tactics used by former Black Basta 랜섬웨어 affiliates:

  1. Email bomb the target's inbox with spam
  2. Call pretending to be IT support offering help
  3. Deploy Havoc Demon 페이로드s and legitimate RMM tools
  4. Move laterally — in one case, 9 endpoints compromised in 11 hours

The speed of 횡적 이동 suggests end goals of 데이터 유출 or 랜섬웨어 deployment.


📊 한눈에 보는 추가 헤드라인

기사영향
Iranian strikes on AWS data centers in UAEPhysical infrastructure 취약점 exposed; two facilities directly struck
University of Hawaii Cancer Center breach1.2M individuals affected; SSNs, health data, voter records stolen
Quantum RSA breakthroughNew algorithm suggests RSA decryption feasible sooner than expected
Android Qualcomm zero-day patchedInteger overflow in graphics component leads to 메모리 손상
SloppyLemming targets Pakistan & BangladeshDual 악성코드 chains targeting government infrastructure
Facebook worldwide outageAccounts unavailable globally on March 3

KENSAI가 보호하는 방법

Real-time CVE 모니터링ing — CVE-2026-22719 indexed and flagged within hours of KEV addition

OAuth Attack Detection — 모니터링 suspicious OAuth app registrations and redirect patterns

Cloud Infrastructure Scanning — Detect React2Shell and similar web app 취약점 before attackers do

Ransomware Readiness — Continuous exposure management against threats like Anubis RaaS


권장 조치

  1. 즉시: Patch VMware Aria Operations or apply the 임시 해결책 script for CVE-2026-22719
  2. 즉시: Audit OAuth application registrations in your Entra ID tenant
  3. 오늘: Check React/아니오de.js frontends for React2Shell 취약점
  4. 이번 주: Review Conditional Access policies and restrict OAuth app consent
  5. 지속: Train staff on fake IT support 소셜 엔지니어링 tactics

Protect Your Organization with Kensai

AI-powered 취약점 management with 335,000+ CVEs indexed.

Start Free Trial

안전하게. 경계하며.

🗡️ KENSAI 보안팀