
Microsoft Says Ransomware Groups Are Exploiting the Newly-Patched VMware ESXi Flaw
2024-07-31 17:52

A vulnerability in the ESXi hypervisor was patched by VMware last week, but Microsoft has revealed that it has already been exploited by ransomware groups to gain administrative permissions.

The vulnerability affects ESXi versions 7.0 and 8.0 and VMware Cloud Foundation versions 4.x and 5.x, but patches were only rolled out for ESXi 8.0 and VMware Cloud Foundation 5.x. It has a relatively low CVSS severity score of 6.8.

On July 29, Microsoft's Threat Intelligence team released a report that claims CVE-2024-37085 has been exploited by ransomware groups such as Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest, and led to Akira and Black Basta ransomware deployments.

Microsoft said: "In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network."

"Any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group," Microsoft researchers wrote.

Recommendations for VMware ESXi operators

Install the latest software updates released by VMware on all domain-joined ESXi hypervisors.
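The escalation path quoted above (create the group, then add yourself to it) leaves a clear trail in domain controller audit logs. The Python below is an added detection example, not code from the article or from Microsoft: it flags creation of the ESXi admin group followed by member additions by the same actor within a short window. The group name "ESX Admins" is taken from the VMware and Microsoft advisories for CVE-2024-37085 (an assumption, since the article does not name it), and the log lines are a constructed simplification of Windows Security events 4727 (security group created) and 4728 (member added).

```python
from datetime import datetime, timedelta

# Domain group that domain-joined ESXi hosts treat as full administrators by default.
# Assumption from the vendor advisories; the group does not have to exist in AD beforehand,
# which is exactly why creating it is enough to escalate.
WATCHED_GROUPS = {"esx admins"}

# Constructed sample lines: "timestamp|event_id|actor|group|member" (member empty for 4727).
SAMPLE_LOG = """\
2024-07-29T10:00:00|4727|CORP\\jdoe|Sales Team|
2024-07-29T10:05:12|4727|CORP\\jdoe|ESX Admins|
2024-07-29T10:05:40|4728|CORP\\jdoe|ESX Admins|CORP\\jdoe
2024-07-29T10:06:01|4728|CORP\\jdoe|ESX Admins|CORP\\svc_backup
2024-07-29T11:30:00|4728|CORP\\admin1|Domain Users|CORP\\newhire
"""


def parse_events(text):
    """Parse the simplified audit lines into dicts with a real datetime and int event id."""
    events = []
    for line in text.splitlines():
        ts, eid, actor, group, member = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "actor": actor, "group": group, "member": member})
    return events


def detect_esxi_group_abuse(events, window=timedelta(minutes=30)):
    """Return one alert per watched-group creation, listing members added within the window.

    A legitimate admin creating the group is rare and reviewable; a non-admin creating it
    and immediately adding accounts is the pattern the article describes.
    """
    alerts = []
    for e in events:
        if e["id"] != 4727 or e["group"].lower() not in WATCHED_GROUPS:
            continue
        members = [m["member"] for m in events
                   if m["id"] == 4728
                   and m["group"].lower() == e["group"].lower()
                   and e["ts"] <= m["ts"] <= e["ts"] + window]
        alerts.append({"created": e["ts"].isoformat(), "actor": e["actor"],
                       "group": e["group"], "members": members})
    return alerts


if __name__ == "__main__":
    for alert in detect_esxi_group_abuse(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {alert['actor']} created '{alert['group']}' at {alert['created']}; "
              f"members added: {', '.join(alert['members']) or 'none'}")
```

In production the same logic would read from the real 4727/4728 events (or the universal-group equivalents 4754/4756) and should also cover renames of an existing group to the watched name.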


News URL

https://www.techrepublic.com/article/microsoft-ransomware-groups-vmware-esxi-flaw/
