July 30, 2024 at 02:12AM
VMware ESXi hypervisors have been targeted by ransomware groups exploiting a recently patched security flaw, CVE-2024-37085, to gain elevated permissions and deploy file-encrypting malware. The flaw allows unauthorized administrative access, with attacks observed by various ransomware operators. Organizations are advised to update software, enforce two-factor authentication, and prioritize asset protection and backup plans.
Summary of Meeting Notes:
– A security flaw in VMware ESXi hypervisors (CVE-2024-37085) has been actively exploited by multiple ransomware groups to gain elevated permissions and deploy file-encrypting malware.
– The flaw involves an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host by re-creating or renaming the configured AD group “ESXi Admins.”
– Ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have leveraged this technique to deploy Akira and Black Basta.
– One attack involved a QakBot infection and exploitation of a flaw in the Windows Common Log File System (CLFS) Driver for privilege escalation, followed by lateral movement and deployment of Black Basta.
– UNC4393 has used initial access obtained via ZLoader to deliver Black Basta, relying primarily on malvertising rather than phishing for initial access.
– Persistent malware like ZLoader has been under active development, with new variants propagated via a PowerShell backdoor known as PowerDash.
– Recent ransomware attacks have leveraged known weaknesses in Fortinet and Veeam Backup & Replication software for initial access.
– Qilin ransomware, originally developed in Go, has been redeveloped using Rust and is known for self-propagation across a network.
– Qilin also uses a tool called Killer Ultra to disable EDR software and clear Windows event logs to remove indicators of compromise.
– Organizations are advised to install software updates, practice credential hygiene, enforce two-factor authentication, and implement monitoring procedures and backup & recovery plans for critical assets.
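The monitoring advice above can be made concrete for the "ESXi Admins" group technique. The following is an added example, not code from the original article or from VMware or Microsoft: it scans domain controller Security events for creation of, renaming to, or membership changes in a group with that name. It assumes events have been exported as JSON lines using the standard Windows event field names; the sample events and account names are constructed.

```python
import json

# Windows Security audit event IDs, as logged on domain controllers.
GROUP_CREATED = {4727, 4731, 4754}   # global / local / universal security group created
ACCOUNT_RENAMED = {4781}             # the name of an account was changed
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal group
WATCHED_GROUP = "esxi admins"        # group name from CVE-2024-37085, compared case-insensitively

def is_watched(name):
    return (name or "").strip().casefold() == WATCHED_GROUP

def triage(event):
    """Return a short alert string if the event touches the watched group, else None."""
    eid = event.get("EventID")
    actor = event.get("SubjectUserName", "unknown")
    if eid in GROUP_CREATED and is_watched(event.get("TargetUserName")):
        return f"group created by {actor}"
    if eid in ACCOUNT_RENAMED and is_watched(event.get("NewTargetUserName")):
        return f"'{event.get('OldTargetUserName')}' renamed to watched group by {actor}"
    if eid in MEMBER_ADDED and is_watched(event.get("TargetUserName")):
        return f"member {event.get('MemberName')} added by {actor}"
    return None

def scan(lines):
    """Parse JSON-lines events, skip malformed ones, return (time, alert) tuples."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        hit = triage(event)
        if hit:
            alerts.append((event.get("TimeCreated"), hit))
    return alerts

# Constructed sample events (not real telemetry); account names are made up.
SAMPLE_LINES = [
    '{"EventID": 4727, "TimeCreated": "2024-07-30T01:00:00Z", "SubjectUserName": "svc-build", "TargetUserName": "Helpdesk"}',
    '{"EventID": 4781, "TimeCreated": "2024-07-30T01:05:00Z", "SubjectUserName": "jdoe", "OldTargetUserName": "Temp Group", "NewTargetUserName": "ESXi Admins"}',
    '{"EventID": 4728, "TimeCreated": "2024-07-30T01:06:00Z", "SubjectUserName": "jdoe", "TargetUserName": "esxi admins", "MemberName": "CN=jdoe,CN=Users,DC=example,DC=test"}',
    'not json',
    '{"EventID": 4731, "TimeCreated": "2024-07-30T01:07:00Z", "SubjectUserName": "jdoe", "TargetUserName": "ESXi Admins "}',
]

if __name__ == "__main__":
    for when, alert in scan(SAMPLE_LINES):
        print(when, alert)
```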