IBM Security QRadar

 View Only

How can QRadar help with VMware monitoring and the CVE-2021-21985 publication?

By Gladys Koskas posted Tue June 08, 2021 09:38 AM


Estimated reading time: 4 minutes

On June 4th, the Cybersecurity & Infrastructure Security Agency (CISA) published an alert on the website about the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985. That CVE affects VMware vCenter and VMware Cloud Foundation systems.

Screenshot_2021-06-08_at_10_16_32.pngSource: VMware vSphere Blog -> VMSA-2021-0010: What You Need to Know

VMware published an advisory and announced a patch on the 25th of May, but the threat seems to be important enough that the US-CERT decided to advise users to proceed with the patching of their environment a few days later.

The vulnerability may lead to an exploit that gives the ability to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter.
This vulnerability is classified as critical, but we all know that patch management isn’t always as fast as we need it to be. So to act quickly you can download a few content extensions from the App Exchange and start monitoring your hypervisor infrastructure in QRadar.

For the monitoring of your VMware environment, go to the App Exchange, select the brand QRadar, filter on IBM Apps, and search for “vmware”

The IBM Security QRadar Content Extension for Hybrid Cloud Use Cases includes numerous rules applicable to VMware environments, including:

  • User Role Changed to High Privilege Role
  • User Role Changed to Low Privilege Role
  • High Privilege User Performing Suspicious Actions 
  • Suspicious Number of Modifications Made on Virtual Machines
  • Suspicious Number of Virtual Machines Created
  • Multiple Sensitive Virtual Machines Deleted within Short Period of Time
  • Multiple Virtual Security Devices Powered Off within Short Period of Time
  • Sensitive Virtual Machines Unavailable for a Long Period of Time

To learn more about the use cases covered by this content pack, you can read the dedicated Detect suspicious activity in your AWS, Azure, VMware and O365 environments blog talking about VM sprawl and suspicious privilege escalation as an example.

The IBM QRadar Custom Properties for VMware provides the 30 regexes you need to trigger the rules from the Hybrid Cloud Use Cases content extension without any additional work.

The vulnerability is related to the host where the vCenter is installed, and some of these logs are parsed by the Linux DSM, so another way that you can improve the monitoring of your environment is to install the Endpoint Content extension as well as the Linux Custom Properties Content extension, both also available on the App exchange.
This content pack is focused on suspicious administration tasks, privilege escalation, discovery activities, etc. To learn more about this content, the Endpoint monitoring essentials for QRadar blog is available to discuss about reconnaissance tools, ransomware, credential dumping and malicious activity hidden behind daily administration tasks.

All these packs can be quick hits and help improve the monitoring of your infrastructure by adding specific rules for known behaviour, but also "normal" events that become suspicious in a particular context.

If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.