InfoSecBulletin Cybersecurity for mankind
Microsoft’s threat intelligence team has reported that ransomware groups are exploiting a critical vulnerability in VMware’s ESXi hypervisors. This allows them to gain full administrative access to systems that are joined to a domain.
The flaw labeled CVE-2024-37085 with a severity score of 6.8 has been used by ransomware groups to spread data-extortion malware on business networks. This information comes from a recent warning issued by Redmond’s threat hunting teams.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
VMware, owned by Broadcom, released patches and workarounds last week. They warned that hackers could use them to gain unauthorized access and control over ESXi hosts. However, they did not mention any real cases of this happening.
“VMware ESXi contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range,” VMware said.
“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD,” the company added.
Patches were released for ESXi 8.0 and VMware Cloud Foundation 5.x. No patches are scheduled for ESXi 7.0 and VMware Cloud Foundation 4.x.
Microsoft has reported that cybercriminal groups like Storm-0506, Storm-1175, and Octo Tempest have used the VMware ESXi vulnerability to spread ransomware.
“The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years,” Microsoft said.
Microsoft documented a case where a North American engineering firm was hit by Black Basta ransomware. The attackers used CVE-2024-37085 vulnerability to gain higher access to the organization’s ESXi hypervisors.
“Microsoft observed that the threat actor created the ‘ESX Admins’ group in the domain and added a new user account to it…[This] attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor,” the company warned.
VMware ESXi, also known as ES, is a type of hypervisor that gets installed directly on servers and separates them into multiple virtual machines.
