Microsoft Says Ransomware Groups Are Exploiting the Newly-Patched VMware ESXi Flaw (Security News, July 2024)
A vulnerability in the ESXi hypervisor was patched by VMware last week, but Microsoft has revealed that it has already been exploited by ransomware groups to gain administrative permissions.
The vulnerability affects ESXi versions 7.0 and 8.0 and VMware Cloud Foundation versions 4.x and 5.x, but patches were only rolled out for ESXi 8.0 and VMware Cloud Foundation 5.x. It has a relatively low CVSS severity score of 6.8.
On July 29, Microsoft's Threat Intelligence team released a report that claims CVE-2024-37085 has been exploited by ransomware groups such as Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest, and led to Akira and Black Basta ransomware deployments.
Microsoft said: "In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network."
"Any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group," Microsoft researchers wrote.
Recommendations for VMware ESXi operators: install the latest software updates released by VMware on all domain-joined ESXi hypervisors.
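The escalation sequence Microsoft describes (a domain user creates a group, then adds themselves or an account they control to it) is a pattern a defender can correlate in domain controller audit logs. The following is an added example, not code from the article or from Microsoft; it assumes a simplified view of Windows Security events (IDs 4727/4731 for group creation and 4728/4732 for member addition), and the "ESX Admins" group name in the constructed sample comes from Microsoft's public write-up of this flaw rather than from this page.

```python
"""Flag the self-escalation sequence quoted above: one account creates a
domain group and then adds itself (or another account) to that group.
Events are a constructed, simplified view of Windows Security log entries:
4727/4731 = security group created, 4728/4732 = member added to a group."""
from dataclasses import dataclass
from datetime import datetime, timedelta

GROUP_CREATED = {4727, 4731}   # global / local security-enabled group created
MEMBER_ADDED = {4728, 4732}    # member added to global / local security group


@dataclass
class Event:
    time: datetime
    event_id: int
    subject: str       # account that performed the action
    group: str         # group that was created or modified
    member: str = ""   # account added (only for MEMBER_ADDED events)


def find_self_escalation(events, window=timedelta(hours=1)):
    """Return (creator, group, member) for each membership change made by the
    same account that created the group, within `window` of its creation."""
    created = {}   # lower-cased group name -> (creator, creation time)
    hits = []
    for ev in sorted(events, key=lambda e: e.time):
        key = ev.group.lower()
        if ev.event_id in GROUP_CREATED:
            created[key] = (ev.subject, ev.time)
        elif ev.event_id in MEMBER_ADDED and key in created:
            creator, t0 = created[key]
            if ev.subject == creator and ev.time - t0 <= window:
                hits.append((ev.subject, ev.group, ev.member))
    return hits


# Constructed sample: a benign group created by one admin and populated by a
# different admin the next day, and a suspicious group created and populated
# by the same ordinary user within minutes.
T = datetime(2024, 7, 29, 9, 0)
SAMPLE_EVENTS = [
    Event(T, 4727, "CORP\\it-admin", "Helpdesk Tier2"),
    Event(T + timedelta(days=1), 4728, "CORP\\it-admin2", "Helpdesk Tier2", "CORP\\newhire"),
    Event(T + timedelta(minutes=5), 4727, "CORP\\jdoe", "ESX Admins"),
    Event(T + timedelta(minutes=7), 4728, "CORP\\jdoe", "ESX Admins", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for creator, group, member in find_self_escalation(SAMPLE_EVENTS):
        print(f"ALERT: {creator} created '{group}' and added {member}")
```

In a real deployment the same correlation would run over exported security events from every domain controller, and any hit involving a group name an ESXi host maps to an admin role deserves immediate review.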
News URL: https://www.techrepublic.com/article/microsoft-ransomware-groups-vmware-esxi-flaw/
Related news
- Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks
- Linux version of TargetCompany ransomware focuses on VMware ESXi
- Linux version of RansomHub ransomware targets VMware ESXi VMs
- New Eldorado ransomware targets Windows, VMware ESXi VMs
- SEXi ransomware rebrands to APT INC, continues VMware ESXi attacks
- New Linux Variant of Play Ransomware Targeting VMware ESXi Systems
- New Play ransomware Linux version targets VMware ESXi VMs
- VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access
- VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085)
- CISA warns of VMware ESXi bug exploited in ransomware attacks