Security News

CVE-2024-37085 only carries a 6.8 CVSS rating, but has been used as a post-compromise technique by many of the world's most high-profile ransomware groups and their affiliates, including Black Basta, Akira, Medusa, and Octo Tempest/Scattered Spider. The vulnerability allows attackers who have the necessary privileges to create AD groups - which isn't necessarily an AD admin - to gain full control of an ESXi hypervisor.

Ransomware operators have been leveraging CVE-2024-37085, an authentication bypass vulnerability affecting Active Directory domain-joined VMware ESXi hypervisors, to gain full administrative access to them and encrypt their file system."ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network," Microsoft's threat analysts explained.

A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "Several" ransomware groups to gain elevated permissions and deploy file-encrypting malware. "A malicious actor with sufficient Active Directory permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group after it was deleted from AD," Broadcom-owned VMware noted in an advisory released in late June 2024.

Microsoft warned today that ransomware gangs are actively exploiting a VMware ESXi authentication bypass vulnerability in attacks. Ransomware groups have focused on creating lockers dedicated to encrypting ESXi VMs rather than targeting specific ESXi vulnerabilities that would provide them a quicker way of acquiring and maintaining access to a victim's hypervisors.

Play ransomware is the latest ransomware gang to start deploying a dedicated locker for encrypting Linux devices and specifically targeting VMware ESXi virtual machines. [...]

Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play that's designed to target VMWare ESXi environments. Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period.

The SEXi ransomware operation, known for targeting VMware ESXi servers, has rebranded under the name APT INC and has targeted numerous organizations in recent attacks. The ransomware operation was given the name SEXi based on the SEXi.txt ransom note name and the.

A new ransomware-as-a-service called Eldorado emerged in March and comes with locker variants for VMware ESXi and Windows. Eldorado is a Go-based ransomware that can encrypt both Windows and Linux platforms through two distinct variants with extensive operational similarities.

The RansomHub ransomware operation is using a Linux encryptor designed specifically to encrypt VMware ESXi environments in corporate attacks. The existence of a Windows and Linux RansomHub encryptor has been confirmed since early May. Recorded Future now reports that the threat group also has a specialized ESXi variant in its arsenal, which it first saw in April 2024.

A suspected Chinese threat actor tracked as UNC3886 uses publicly available open-source rootkits named 'Reptile' and 'Medusa' to remain hidden on VMware ESXi virtual machines, allowing them to conduct credential theft, command execution, and lateral movement. A new report by Mandiant unveils UNC3886's use of the mentioned rootkits on virtual machines for long-term persistence and evasion, as well as custom malware tools such as 'Mopsled' and 'Riflespine,' which leveraged GitHub and Google Drive for command and control.