
Microsoft Alerts on VMware ESXi Flaw Leading to Ransomware Attacks

Ransomware gangs are exploiting a VMware ESXi vulnerability (CVE-2024-37085) to gain full control over affected systems.


Microsoft security teams have flagged that various ransomware operators are leveraging a flaw in VMware’s ESXi, cataloged as CVE-2024-37085, to achieve unauthorized management-level access. By utilizing this exploit, attackers can enroll a new user into the ‘ESX Admins’ group, thereby gaining comprehensive control over the ESXi hypervisor.

Technical Analysis of the Vulnerability

Microsoft researchers Edan Zwick, Danielle Kuznets Nohi, and Meitar Pinto found the vulnerability, and it was addressed in the ESXi 8.0 U3 update released on June 25. The flaw, which carries a CVSS 3.1 base score of 6.8, permits anyone with sufficient Active Directory (AD) credentials to recreate the ‘ESX Admins’ group after its deletion, granting them full administrative control over any ESXi host that uses AD for user management.

Groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have been reported to exploit this specific vulnerability. For example, Storm-0506 utilized the flaw to install Black Basta ransomware on the ESXi hypervisors of a North American engineering company. The incursion began with access through a Qakbot malware infection, followed by privilege escalation via a Windows CLFS vulnerability (CVE-2023-28252).

Impact on Business Operations

Due to the potential for significant operational disruptions, ransomware groups have increasingly targeted ESXi hypervisors. Encrypting the files and backups on these platforms can lead to operational standstills with few recovery routes. Microsoft has highlighted three exploitation methods for CVE-2024-37085: adding the ‘ESX Admins’ group to the domain and inserting a user, renaming any domain group to ‘ESX Admins’ and adding a user, or employing an existing group member’s credentials to update ESXi hypervisor permissions.
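The first two methods listed above leave a trail in Active Directory before anything touches the hypervisor: a group named ‘ESX Admins’ is created, or an existing group is renamed to it, and then a member is added. The following detection script is an added example, not part of the article or of Microsoft's published guidance. It parses constructed, Key=Value style log lines modelled on Windows Security events (the event IDs 4727, 4728 and 4781 are real Windows IDs; the field names and sample lines are assumptions made for this example) and flags the AD-side changes that correspond to those two methods. The third method, abusing an existing member's credentials to change ESXi permissions, produces no AD group change and has to be audited on the ESXi side instead.

```python
"""Flag Active Directory group changes that would grant ESXi admin rights.

Added example, not from the article. Log lines below are constructed;
field names (Subject, GroupName, OldName, NewName, Member) are assumed.
"""
import re
from typing import Dict, List, Optional

# Group name that ESXi hosts joined to AD treat as hypervisor administrators
TARGET_GROUP = "esx admins"

# Windows Security event IDs used by the checks (real IDs)
EVENT_GROUP_CREATED = 4727    # a security-enabled global group was created
EVENT_MEMBER_ADDED = 4728     # a member was added to a security-enabled global group
EVENT_ACCOUNT_RENAMED = 4781  # the name of an account was changed

# Split on whitespace only where the next token looks like "Key=", so values
# such as "ESX Admins" that contain spaces survive intact.
_FIELD_SPLIT = re.compile(r"\s+(?=\w+=)")


def parse_event(line: str) -> Dict[str, object]:
    """Parse one 'Key=Value Key=Value ...' line into a dict; EventID becomes int."""
    fields: Dict[str, object] = {}
    for chunk in _FIELD_SPLIT.split(line.strip()):
        key, sep, value = chunk.partition("=")
        if sep:
            fields[key] = value
    fields["EventID"] = int(str(fields.get("EventID", 0)))
    return fields


def classify(event: Dict[str, object]) -> Optional[str]:
    """Return a finding label when the event matches one of the AD-side methods."""
    eid = event["EventID"]
    group = str(event.get("GroupName", "")).lower()
    new_name = str(event.get("NewName", "")).lower()

    if eid == EVENT_GROUP_CREATED and group == TARGET_GROUP:
        return "esx-admins-group-created"          # method 1: group added to the domain
    if eid == EVENT_ACCOUNT_RENAMED and new_name == TARGET_GROUP:
        return "group-renamed-to-esx-admins"       # method 2: existing group renamed
    if eid == EVENT_MEMBER_ADDED and group == TARGET_GROUP:
        return "member-added-to-esx-admins"        # follow-up step for both methods
    return None


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over every line and collect the findings in order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        kind = classify(event)
        if kind is not None:
            findings.append({"kind": kind, "subject": event.get("Subject"), "raw": line})
    return findings


# Constructed sample events: three suspicious changes and one benign one.
SAMPLE_EVENTS = [
    "EventID=4727 Subject=CORP\\jdoe GroupName=ESX Admins",
    "EventID=4728 Subject=CORP\\jdoe GroupName=ESX Admins Member=CORP\\svc-backup",
    "EventID=4781 Subject=CORP\\jdoe OldName=Marketing NewName=ESX Admins",
    "EventID=4728 Subject=CORP\\admin GroupName=Domain Users Member=CORP\\newhire",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding['kind']:28} by {finding['subject']}")
```

Any hit on these rules in an environment where ESXi hosts are AD-joined deserves immediate review of who made the change and which hosts honour that group; pairing the AD events with the ESXi host's own audit log closes the gap left by the third method.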

VMware has acknowledged the flaw and issued advisory notes for users to mitigate the associated risks. Users should follow the recommended security measures provided by VMware to protect their systems. The ransomware group known as Play has also recently used an ESXi Linux locker as part of their campaigns, indicating a growing trend in similar attacks. Microsoft reports that these kinds of attacks on ESXi hypervisors have increased significantly over the past three years.

Last Updated on November 7, 2024 3:28 pm CET

Source: Microsoft

Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
