Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
Microsoft researchers revealed that ransomware threat groups exploit the VMware ESXi vulnerability CVE-2024-37085 for mass encryption.
The researchers discovered the VMware ESXi authentication bypass vulnerability on June 25. After that, VMware released a fix in the ESXi 8.0 U3 version. CISA
This flaw enables hackers with high privileges to add a new user to the ‘ESX Admins’ group which will gain automatically full admin privileges.
Researchers found three methods that hackers can use to exploit CVE-2024-37085:
- Adding the “ESX Admins” group to the AD domain and adding a user to it
- Renaming any group in the AD domain to “ESX Admins” and adding a user to the group or use an existing group member
- ESXi hypervisor privileges refresh
For the moment, only the first one was observed being exploited in the wild. Ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest used it to deploy Akira and Black Basta ransomware.
What is the impact of the VMware ESXi vulnerability?
Since exploiting requires to previously compromise the device and gain high privileges to escalate to full privileges, the flaw got a mediul severity – 6.8- CVSS score.
However, according to Microsoft’s new report and CISA’s new alert:
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Source – CISA alert
In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.
Source – Microsoft’s report
At the moment, both Microsoft and CISA recommend ESXi server administrators to update their devices to the latest version.
How to patch and close vulnerabilities faster?
Some System Administrators rely on the CVSS score when prioritizing patching vulnerabilities. As you can see, even medium severity vulnerabilities can pose huge risks.
While the number of known vulnerabilities grows constantly, patch management became one of the System Administrators’ greatest challenges.
To keep up with patching and close vulnerabilities before hackers get to exploit them in your system, you need an automated patch management solution. You can check out Heimdal’s Patch and Assets Management and also subscribe for a free demo.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.
