Microsoft Says Ransomware Gangs Exploiting Just-Patched VMware ESXi Flaw


July 29, 2024 at 02:48PM

Ransomware groups are exploiting a critical vulnerability (CVE-2024-37085) in VMware ESXi hypervisors to gain full administrative access on domain-joined systems. Microsoft warns that known cybercriminal groups have already exploited this flaw to deploy ransomware. The issue was not initially recognized as being exploited in the wild when VMware released patches.

Key takeaways from the article:

The critical vulnerability in VMware ESXi hypervisors, tracked as CVE-2024-37085 with a CVSS severity score of 6.8, has been exploited by ransomware groups to gain full administrative access on domain-joined systems.

Microsoft’s threat intel team has issued a warning that the flaw is being actively abused by multiple known ransomware groups to deploy data-extortion malware on enterprise networks.

In a documented case, a North American engineering firm was hit by a Black Basta ransomware deployment in which CVE-2024-37085 was used to gain elevated privileges on the organization's ESXi hypervisors; the attackers then encrypted the ESXi file system, leaving the hosted virtual machines non-functional.

Microsoft has observed an increase over the last three years in the number of Microsoft Incident Response (Microsoft IR) engagements in which ESXi hypervisors were targeted and impacted.

VMware released patches for ESXi 8.0 and VMware Cloud Foundation 5.x, while no patches are planned for ESXi 7.0 and VMware Cloud Foundation 4.x.

Microsoft has confirmed in-the-wild exploitation of this vulnerability by known cybercriminal groups, including Storm-0506, Storm-1175, and Octo Tempest.
