Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks

July 29, 2024, 01:06 PM

Microsoft warns that ransomware gangs are actively exploiting a VMware ESXi authentication bypass vulnerability (CVE-2024-37085) in attacks. This medium-severity security flaw was discovered by Microsoft researchers and fixed with the release of ESXi 8.0 U3 on June 25.

The bug allows attackers to add a new user to an ‘ESX Admins’ group they create, and membership in that group grants full administrative privileges on the ESXi hypervisor. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host simply by re-creating the configured AD group (‘ESX Admins’ by default).

Several ransomware gangs exploit this vulnerability to escalate to full admin privileges on domain-joined hypervisors, allowing them to steal sensitive data, move laterally through networks, and encrypt file systems.

Microsoft has identified three tactics used to exploit the CVE-2024-37085 vulnerability: adding an ‘ESX Admins’ group to the domain and adding a user to it; renaming any existing group in the domain to ‘ESX Admins’ and then adding a user or using an existing member of that group; or relying on how ESXi refreshes hypervisor privileges (assigning admin privileges to other groups does not remove them from the ‘ESX Admins’ group).
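The first two tactics leave a trace in the domain controller's Security log before any ESXi host is touched. The following hunting snippet is an added example, not code from the article or from Microsoft: it classifies Windows Security audit events (standard IDs 4727/4754 group created, 4728/4756 member added, 4781 account renamed) that match a creation of, rename to, or membership change on the default ‘ESX Admins’ group, run over constructed sample events with hypothetical actor and group names.

```python
from typing import Optional

# Windows Security audit event IDs for AD group changes (standard IDs, not from the article):
#   4727 / 4754  security-enabled global / universal group created
#   4728 / 4756  member added to a security-enabled global / universal group
#   4781         the name of an account (here, a group) was changed
GROUP_CREATED = {4727, 4754}
MEMBER_ADDED = {4728, 4756}
ACCOUNT_RENAMED = {4781}

# Default group name ESXi maps to full admin; AD names are case-insensitive.
WATCHED_GROUP = "esx admins"

def classify(event: dict) -> Optional[str]:
    """Map one event to the tactic it matches, or None if it is benign."""
    eid = event.get("EventID")
    target = str(event.get("TargetUserName", "")).lower()
    new_name = str(event.get("NewTargetUserName", "")).lower()
    if eid in GROUP_CREATED and target == WATCHED_GROUP:
        return "group-created"   # tactic 1: a fresh 'ESX Admins' group
    if eid in ACCOUNT_RENAMED and new_name == WATCHED_GROUP:
        return "group-renamed"   # tactic 2: any group renamed to 'ESX Admins'
    if eid in MEMBER_ADDED and target == WATCHED_GROUP:
        return "member-added"    # a principal added to the watched group
    return None

def hunt(events):
    """Return (time, tactic, actor) for every event that matches."""
    findings = []
    for ev in events:
        tactic = classify(ev)
        if tactic:
            findings.append((ev.get("TimeCreated"), tactic, ev.get("SubjectUserName")))
    return findings

# Constructed sample events (hypothetical actors and names, not real indicators).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-07-01T02:10:00Z", "EventID": 4727,
     "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"TimeCreated": "2024-07-01T02:11:00Z", "EventID": 4728, "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,CN=Users,DC=example,DC=local"},
    {"TimeCreated": "2024-07-02T23:40:00Z", "EventID": 4781, "SubjectUserName": "asmith",
     "OldTargetUserName": "Legacy Ops", "NewTargetUserName": "esx admins"},
    {"TimeCreated": "2024-07-03T09:00:00Z", "EventID": 4728,  # benign: ordinary group
     "SubjectUserName": "helpdesk", "TargetUserName": "Domain Users"},
]
```

In production the events would come from the domain controllers' forwarded Security logs; the third tactic (privilege refresh) does not show up in AD auditing and has to be caught on the ESXi side by reviewing which AD group the host maps to admin.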

The vulnerability has been exploited in attacks by ransomware operators tracked as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, leading to Akira and Black Basta ransomware deployments.

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-ransomware-gangs-exploit-vmware-esxi-auth-bypass-in-attacks/