Security News > 2024 > July > Microsoft Says Ransomware Groups Are Exploiting the Newly-Patched VMware ESXi Flaw

Microsoft Says Ransomware Groups Are Exploiting the Newly-Patched VMware ESXi Flaw
2024-07-31 17:52

A vulnerability in the ESXi hypervisor was patched by VMware last week, but Microsoft has revealed that it has already been exploited by ransomware groups to gain administrative permissions.

The vulnerability affects ESXi versions 7.0 and 8.0 and VMware Cloud Foundation versions 4.x and 5.x., but patches were only rolled out for ESXi 8.0 and VMware Cloud Foundation 5.x. It has a relatively low CVSS severity score of 6.8.

On July 29, Microsoft's Threat Intelligence team released a report that claims CVE-2024-37085 has been exploited by ransomware groups such as Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest, and led to Akira and Black Basta ransomware deployments.

Microsoft said: "In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network."

"Any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group," Microsoft researchers wrote.

Recommendations for VMware ESXi operators Install the latest software updates released by VMWare on all domain-joined ESXi hypervisors.


News URL

https://www.techrepublic.com/article/microsoft-ransomware-groups-vmware-esxi-flaw/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-06-25 CVE-2024-37085 Improper Authentication vulnerability in VMWare Cloud Foundation and Esxi
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
network
low complexity
vmware CWE-287
7.2

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2820 161 4400
Vmware 146 11 222 256 102 591