
Ransomware gangs are loving this dumb but deadly make-me-admin ESXi vulnerability
2024-07-30 11:16

CVE-2024-37085 only carries a 6.8 CVSS rating, but has been used as a post-compromise technique by many of the world's most high-profile ransomware groups and their affiliates, including Black Basta, Akira, Medusa, and Octo Tempest/Scattered Spider.

The vulnerability allows attackers who hold the privilege to create AD groups (which does not require being an AD admin) to gain full control of a domain-joined ESXi hypervisor.

"In this method, if the 'ESX Admins' group doesn't exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group."

The final method Microsoft described pertains more to how the logic flaw persists even if a network admin assigns another AD group to manage the hypervisor.
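A defender's detection pass over the Active Directory footprint of the technique described above, added here as an example and not taken from the article or from Microsoft's write-up: it scans parsed Windows Security events for the creation of, rename into, or member additions to a group named "ESX Admins", and flags subjects who both brought the group into existence and added a member. The event IDs are the standard Windows ones; the field names and the sample events are constructed for the example.

```python
from collections import defaultdict

TARGET_GROUP = "esx admins"  # group name that domain-joined ESXi trusts by default

# Standard Windows Security event IDs for security-enabled groups
GROUP_CREATED = {4727, 4731, 4754}    # global / domain-local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}     # member added to global / domain-local / universal group
ACCOUNT_RENAMED = 4781                # name of an account (user or group) changed

# Constructed sample events, shaped like parsed Security-log EventData fields (not real log data)
SAMPLE_EVENTS = [
    {"EventID": 4727, "Subject": "jdoe", "TargetUserName": "ESX Admins", "Time": "10:01:00"},
    {"EventID": 4728, "Subject": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example", "Time": "10:01:05"},
    {"EventID": 4781, "Subject": "msmith", "OldTargetUserName": "Printer Ops",
     "NewTargetUserName": "esx admins", "Time": "11:30:00"},
    {"EventID": 4727, "Subject": "helpdesk", "TargetUserName": "Finance Readers", "Time": "12:00:00"},
]

def _matches_target(name):
    """Match case-insensitively and ignore stray whitespace so re-cased variants are not missed."""
    return name is not None and " ".join(name.split()).lower() == TARGET_GROUP

def find_esx_admins_events(events):
    """Return one finding per event that creates, renames into, or adds a member to 'ESX Admins'."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in GROUP_CREATED and _matches_target(ev.get("TargetUserName")):
            findings.append({"action": "created", "subject": ev["Subject"], "time": ev["Time"]})
        elif eid in MEMBER_ADDED and _matches_target(ev.get("TargetUserName")):
            findings.append({"action": "member_added", "subject": ev["Subject"],
                             "member": ev.get("MemberName"), "time": ev["Time"]})
        elif eid == ACCOUNT_RENAMED and _matches_target(ev.get("NewTargetUserName")):
            findings.append({"action": "renamed", "subject": ev["Subject"],
                             "old_name": ev.get("OldTargetUserName"), "time": ev["Time"]})
    return findings

def escalation_subjects(findings):
    """Subjects who created (or renamed a group into) 'ESX Admins' and then added a member:
    the full pattern from Microsoft's description, worth an immediate alert."""
    actions = defaultdict(set)
    for f in findings:
        actions[f["subject"]].add(f["action"])
    return sorted(s for s, a in actions.items() if a & {"created", "renamed"} and "member_added" in a)

if __name__ == "__main__":
    found = find_esx_admins_events(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("escalation by:", escalation_subjects(found))
```

Group creation by a low-privileged account alone may be legitimate, so the per-event findings are triage material and only the combined create-then-add pattern is treated as a high-confidence alert.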

Microsoft has seen Akira, Babuk, LockBit, and Kuiper ransomware variants also deployed following the exploitation of ESXi hypervisors, which have become a hot target for financially motivated cybercriminals in recent years.

"Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in a few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target," it said.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/07/30/make_me_admin_esxi_flaw/