Heimdal

Microsoft researchers revealed that ransomware threat groups exploit the VMware ESXi vulnerability CVE-2024-37085 for mass encryption.

The researchers discovered the VMware ESXi authentication bypass vulnerability on June 25. After that, VMware released a fix in the ESXi 8.0 U3 version. CISA

This flaw lets an attacker who already holds high privileges add a user to an ‘ESX Admins’ group; ESXi automatically grants every member of that group full administrative privileges on the hypervisor.

Researchers found three methods that hackers can use to exploit CVE-2024-37085:

  • Adding an “ESX Admins” group to the AD domain and adding a user to it
  • Renaming any group in the AD domain to “ESX Admins” and adding a user to the group, or using an existing group member
  • ESXi hypervisor privileges refresh

For the moment, only the first one was observed being exploited in the wild. Ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest used it to deploy Akira and Black Basta ransomware.
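The first two methods above leave a trace in Active Directory: a security group named “ESX Admins” is created, a group is renamed to that name, or a member is added to it. The following detection logic, an added example that is not part of the original article, scans Windows Security audit events for exactly those actions. The event IDs are the standard Windows group-management IDs, not values from the article, and the sample events are constructed; the third method (privilege refresh on the hypervisor) is not visible in AD logs and is deliberately out of scope.

```python
# Detection of CVE-2024-37085 precursors in Windows Security audit events.
# The group name ESXi auto-grants admin rights to (from the article). ESXi's
# lookup is case-insensitive, so the comparison is too.
ESX_ADMINS = "esx admins"

# Standard Windows Security event IDs (assumed, not taken from the article):
GROUP_CREATED = {4727, 4731, 4754}  # global / local / universal group created
GROUP_RENAMED = {4781}              # name of an account (incl. a group) changed
MEMBER_ADDED = {4728, 4732, 4756}   # member added to global / local / universal group


def _norm(value):
    return (value or "").strip().lower()


def classify(event):
    """Return a short reason if the event matches method 1 or 2, else None."""
    eid = event.get("EventID")
    target = _norm(event.get("TargetUserName"))
    if eid in GROUP_CREATED and target == ESX_ADMINS:
        return "method 1: group 'ESX Admins' created"
    if eid in GROUP_RENAMED and _norm(event.get("NewTargetUserName")) == ESX_ADMINS:
        return "method 2: group '%s' renamed to 'ESX Admins'" % event.get("OldTargetUserName")
    if eid in MEMBER_ADDED and target == ESX_ADMINS:
        return "member '%s' added to 'ESX Admins'" % event.get("MemberName")
    return None


def find_esx_admins_activity(events):
    """Return (EventRecordID, SubjectUserName, reason) for every matching event."""
    hits = []
    for e in events:
        reason = classify(e)
        if reason:
            hits.append((e["EventRecordID"], e.get("SubjectUserName"), reason))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventRecordID": 101, "EventID": 4727, "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"},
    {"EventRecordID": 102, "EventID": 4728, "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventRecordID": 103, "EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins"},
    {"EventRecordID": 104, "EventID": 4727, "SubjectUserName": "admin",
     "TargetUserName": "Finance Team", "TargetDomainName": "CORP"},
    {"EventRecordID": 105, "EventID": 4728, "SubjectUserName": "admin",
     "TargetUserName": "Domain Admins", "MemberName": "CN=ops,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for hit in find_esx_admins_activity(SAMPLE_EVENTS):
        print(hit)
```

Any hit warrants verifying whether an ‘ESX Admins’ group is legitimately expected in the domain and which ESXi hosts are joined to it.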

What is the impact of the VMware ESXi vulnerability?

Because exploitation requires first compromising the device and obtaining high privileges before escalating to full privileges, the flaw received a medium-severity CVSS score of 6.8.

However, according to Microsoft’s new report and CISA’s new alert:

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Source – CISA alert

In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.

Source – Microsoft’s report

At the moment, both Microsoft and CISA recommend that ESXi server administrators update their devices to the latest version.

How to patch and close vulnerabilities faster?

Some System Administrators rely on the CVSS score when prioritizing which vulnerabilities to patch. As this case shows, even medium-severity vulnerabilities can pose huge risks.

While the number of known vulnerabilities grows constantly, patch management has become one of the System Administrators’ greatest challenges.

To keep up with patching and close vulnerabilities before hackers get to exploit them in your system, you need an automated patch management solution. You can check out Heimdal’s Patch and Assets Management and also subscribe for a free demo.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
