Ransomware gangs are loving this dumb but deadly make-me-admin ESXi vulnerability
CVE-2024-37085 only carries a 6.8 CVSS rating, but has been used as a post-compromise technique by many of the world's most high-profile ransomware groups and their affiliates, including Black Basta, Akira, Medusa, and Octo Tempest/Scattered Spider.
The vulnerability allows an attacker who holds the privilege to create AD groups (a privilege that does not require AD admin rights) to gain full control of a domain-joined ESXi hypervisor.
"In this method, if the 'ESX Admins' group doesn't exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group."
The final method Microsoft described concerns how the logic flaw persists even after a network admin assigns a different AD group to manage the hypervisor.
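The escalation path above (create an "ESX Admins" group, then add yourself to it) leaves a detectable trail in the domain controller's Security log. The following detection logic is an added example, not code from the article or from Microsoft; it assumes a constructed key=value log format and uses the standard Windows event IDs 4727 (security-enabled global group created) and 4728 (member added to such a group), matching the group name case-insensitively as a conservative choice.

```python
"""Flag Security-log events that create or populate an 'ESX Admins' AD group."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard Windows Security event IDs for global security groups.
WATCHED_EVENTS = {4727: "group created", 4728: "member added"}
# Group name the ESXi domain-join logic trusts; compared case-insensitively.
SUSPECT_GROUP = "esx admins"

# Constructed sample log lines (not real telemetry), one event per line.
SAMPLE_LOG = """\
2024-07-30T09:12:01Z EventID=4727 Subject=CORP\\jdoe GroupName="ESX Admins" Domain=CORP
2024-07-30T09:12:07Z EventID=4728 Subject=CORP\\jdoe GroupName="ESX Admins" Member=CORP\\jdoe
2024-07-30T09:15:40Z EventID=4727 Subject=CORP\\hr-admin GroupName="HR Staff" Domain=CORP
2024-07-30T09:20:02Z EventID=4728 Subject=CORP\\itops GroupName="Domain Users" Member=CORP\\newhire
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+Subject=(?P<subj>\S+)\s+'
    r'GroupName="(?P<group>[^"]*)"(?:\s+Member=(?P<member>\S+))?'
)


@dataclass
class Alert:
    timestamp: str
    event_id: int
    actor: str      # account that performed the action (Subject)
    group: str
    member: Optional[str]  # only present for member-added events


def scan(log_text: str) -> List[Alert]:
    """Return one Alert per watched event whose target group is 'ESX Admins'."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable or unrelated line
        eid = int(m["eid"])
        if eid not in WATCHED_EVENTS:
            continue
        if m["group"].strip().lower() != SUSPECT_GROUP:
            continue
        alerts.append(Alert(m["ts"], eid, m["subj"], m["group"], m["member"]))
    return alerts


def escalation_actors(alerts: List[Alert]) -> List[str]:
    """Actors who both created the group and added a member: the self-escalation pattern."""
    created = {a.actor for a in alerts if a.event_id == 4727}
    added = {a.actor for a in alerts if a.event_id == 4728}
    return sorted(created & added)
```

In production the same logic would run against events exported from the domain controllers, and any hit on a group named "ESX Admins" that was not created through a change-control process deserves immediate review.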
Microsoft has seen Akira, Babuk, LockBit, and Kuiper ransomware variants also deployed following the exploitation of ESXi hypervisors, which have become a hot target for financially motivated cybercriminals in recent years.
"Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target," it said.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/07/30/make_me_admin_esxi_flaw/
Related news
- Linux version of TargetCompany ransomware focuses on VMware ESXi
- Linux version of RansomHub ransomware targets VMware ESXi VMs
- New Eldorado ransomware targets Windows, VMware ESXi VMs
- New Ransomware Group Exploiting Veeam Backup Software Vulnerability
- SEXi ransomware rebrands to APT INC, continues VMware ESXi attacks
- New Linux Variant of Play Ransomware Targeting VMware ESXi Systems
- New Play ransomware Linux version targets VMware ESXi VMs
- Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks
- VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access
- VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085)