Ransomware Groups Exploit VMware ESXi Bug for Widespread Attacks

Several ransomware groups have been exploiting a vulnerability in VMware ESXi hypervisors that allows them to bypass authentication and rapidly deploy malware across virtual environments. Identified as CVE-2024-37085, this bug has been assigned a “medium” severity rating of 6.8 out of 10 on the CVSS scale. The rating reflects the need for attackers to have existing permissions in a target’s Active Directory (AD) to exploit it. 

The vulnerability, identified as CVE-2024-37085, has been assigned a “medium” severity score of 6.8 out of 10 on the CVSS scale. This score reflects the fact that attackers need existing permissions in a target’s Active Directory (AD) to exploit it.

However, if attackers have AD access, they can inflict substantial damage. The CVE-2024-37085 bug allows them to instantly elevate their ESXi privileges to the highest level, enabling the deployment of ransomware, data theft, lateral movement within the network, and more. 

Notably, groups such as Storm-0506 (also known as Black Basta), Storm-1175, Manatee Tempest (part of Evil Corp), and Octo Tempest (also known as Scattered Spider) have utilized this vulnerability to distribute ransomware like Black Basta and Akira.

Broadcom has released a fix for the vulnerability, which is available on its website.

The vulnerability arises in scenarios where organizations configure their ESXi hypervisors to use AD for user management. By default, ESXi hypervisors grant full administrative access to any member of an AD domain group named “ESX Admins.” This oversig

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.