Microsoft warns ransomware gangs are hitting VMware flaw that lets them become admins
A patch is available, so apply immediately, Microsoft says
Ransomware gangs are actively exploiting a vulnerability in VMware ESXi hypervisors to deploy encryptors and wreak havoc among victim organizations, experts have warned.
In a blog post covering the issue, Microsoft claimed VMware’s ESXi was vulnerable to an authentication bypass flaw that allowed ransomware operators to obtain full administrative permissions on domain-joined hypervisors. The vulnerability is tracked as CVE-2024-37085, and has a severity score of 6.8 (medium), according to the NVD.
The vulnerability “involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation,” Microsoft explained.
Storm-0506 and others
The Redmond giant notified VMware of its findings, and the company came back with a patch on June 25, BleepingComputer reported.
Since ransomware actors were observed actively exploiting the vulnerability to deploy encryptors, Microsoft urges all users to apply the patch immediately.
The company added in its report it had seen the Storm-0506 criminal gang deploying a variant of the Black Basta ransomware against an engineering firm in North America recently, and “during this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization.”
Storm-0506 is a threat actor that was seen deploying Black Basta ransomware in the past, as well. Black Basta is one of the most proficient ransomware-as-a-service actors out there, most likely spawned from the defunct Conti organization. But Storm-0506 is not the only threat actor Microsoft mentions in its report - Storm-1175, Octo Tempest, Manatee Tempest, were all said to be selling and supporting ESXi encryptors, including Akira, Babuk, Lockbit, and Kuiper.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years,” the company concluded.
VMware ESXi is a hypervisor that enables the creation and management of multiple virtual machines on a single physical server, providing a platform for virtualization and efficient resource utilization. It is quite popular in the enterprise, which also made it a major target for cybercriminals.
More from TechRadar Pro
- Microsoft disables one of its own software tools following multiple malware attacks
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.