Security News
CISA has ordered U.S. Federal Civilian Executive Branch agencies to secure their servers against a VMware ESXi authentication bypass vulnerability exploited in ransomware attacks. Broadcom subsidiary VMware fixed this flaw discovered by Microsoft security researchers on June 25 with the release of ESXi 8.0 U3. CVE-2024-37085 allows attackers to add a new user to the 'ESX Admins' group-not present by default but can be added after gaining high privileges on the ESXi hypervisor-which will automatically be assigned full administrative privileges.
The Black Basta ransomware gang has shown resilience and an ability to adapt to a constantly shifting space, using new custom tools and tactics to evade detection and spread throughout a network. Black Basta is a ransomware operator who has been active since April 2022 and is responsible for over 500 successful attacks on companies worldwide.
Theoretically, the threat of ransomware would be more of a costly irritant than a catastrophe; the idea being that if you pay the ransom, the problem goes away. Research from McGrathNicol Advisory found that 73% of Australian organisations that experienced a ransomware attack in the past five years chose to pay the ransom.
The City of Columbus, Ohio, says it's investigating whether personal data was stolen in a ransomware attack on July 18, 2024 that disrupted the City's services. An update published on the City's website yesterday confirms that the City of Columbus suffered a ransomware attack that was successfully thwarted, and no systems were encrypted.
CVE-2024-37085 only carries a 6.8 CVSS rating, but has been used as a post-compromise technique by many of the world's most high-profile ransomware groups and their affiliates, including Black Basta, Akira, Medusa, and Octo Tempest/Scattered Spider. The vulnerability allows attackers who have the necessary privileges to create AD groups - which isn't necessarily an AD admin - to gain full control of an ESXi hypervisor.
Ransomware operators have been leveraging CVE-2024-37085, an authentication bypass vulnerability affecting Active Directory domain-joined VMware ESXi hypervisors, to gain full administrative access to them and encrypt their file system."ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network," Microsoft's threat analysts explained.
A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "Several" ransomware groups to gain elevated permissions and deploy file-encrypting malware. "A malicious actor with sufficient Active Directory permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group after it was deleted from AD," Broadcom-owned VMware noted in an advisory released in late June 2024.
Microsoft warned today that ransomware gangs are actively exploiting a VMware ESXi authentication bypass vulnerability in attacks. Ransomware groups have focused on creating lockers dedicated to encrypting ESXi VMs rather than targeting specific ESXi vulnerabilities that would provide them a quicker way of acquiring and maintaining access to a victim's hypervisors.
Russian-speaking threat actors accounted for at least 69% of all crypto proceeds linked to ransomware throughout the previous year, exceeding $500,000,000. "Russian-speaking threat actors from across the former Soviet Union consistently drive most types of crypto-enabled cybercrime, from ransomware to illicit crypto exchanges and darknet markets," explains TRM. Ransomware is a form of cybercrime in which attackers steal and encrypt data on compromised systems and then demand a ransom payment in exchange for a decryption key and a promise to delete the stolen files.
The U.S. Department of Justice on Thursday unsealed an indictment against a North Korean military intelligence operative for allegedly carrying out ransomware attacks against healthcare facilities in the country and funneling the payments to orchestrate additional intrusions into defense, technology, and government entities across the world. "Rim Jong Hyok and his co-conspirators deployed ransomware to extort U.S. hospitals and health care companies, then laundered the proceeds to help fund North Korea's illicit activities," said Paul Abbate, deputy director of the Federal Bureau of Investigation.