InfoSecBulletin Cybersecurity for mankind
Microsoft’s threat intelligence team has reported that ransomware groups are exploiting a critical vulnerability in VMware’s ESXi hypervisors. This allows them to gain full administrative access to systems that are joined to a domain.
The flaw labeled CVE-2024-37085 with a severity score of 6.8 has been used by ransomware groups to spread data-extortion malware on business networks. This information comes from a recent warning issued by Redmond’s threat hunting teams.
SonicWall patched SSLVPN Vuln Allowing Firewall Crashing
GitLab Releases Security Update For Multiple Vulns
ISPAB president “whatsapp” got hacked via phishing link
Zyxel released patches 2 vulns in its USG FLEX H series firewalls
South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked
ChatGPT Develops Exploit for CVEs Before Public PoCs Share
TP-Link Router Vulns Allow to Execute Malicious SQL Commands
SSL.com’s domain validation system’s bug found: Hacker exploited
Amazon Follows Microsoft’s Lead, Halts Some Data Center Deals
Hackers Exploit Zoom’s Remote Control Feature for System Access
VMware, owned by Broadcom, released patches and workarounds last week. They warned that hackers could use them to gain unauthorized access and control over ESXi hosts. However, they did not mention any real cases of this happening.
“VMware ESXi contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range,” VMware said.
“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD,” the company added.
Patches were released for ESXi 8.0 and VMware Cloud Foundation 5.x. No patches are scheduled for ESXi 7.0 and VMware Cloud Foundation 4.x.
Microsoft has reported that cybercriminal groups like Storm-0506, Storm-1175, and Octo Tempest have used the VMware ESXi vulnerability to spread ransomware.
“The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years,” Microsoft said.
Microsoft documented a case where a North American engineering firm was hit by Black Basta ransomware. The attackers used CVE-2024-37085 vulnerability to gain higher access to the organization’s ESXi hypervisors.
“Microsoft observed that the threat actor created the ‘ESX Admins’ group in the domain and added a new user account to it…[This] attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor,” the company warned.
VMware ESXi, also known as ES, is a type of hypervisor that gets installed directly on servers and separates them into multiple virtual machines.
