July 30, 2024 at 03:57PM
CISA orders U.S. FCEB agencies to secure servers against VMware ESXi vulnerability exploited in ransomware attacks. VMware fixed flaw CVE-2024-37085, allowing attackers to gain admin privileges. Ransomware gangs exploit this to steal data, move laterally, and encrypt ESXi. Agencies have 3 weeks to secure systems under directive BOD 22-01. CISA warns of significant risks and urges all organizations to prioritize fixing the flaw.
From the meeting notes, the key points are:
1. CISA has mandated Federal Civilian Executive Branch (FCEB) agencies secure their servers against a VMware ESXi authentication bypass vulnerability exploited in ransomware attacks.
2. The vulnerability, CVE-2024-37085, was discovered by Microsoft security researchers and fixed by VMware on June 25 with the release of ESXi 8.0 U3.
3. CVE-2024-37085 allows attackers to add a new user to the ‘ESX Admins’ group, potentially escalating to full administrative privileges.
4. Ransomware gangs, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, have exploited the CVE-2024-37085 vulnerability to deploy Akira and Black Basta ransomware.
5. Federal agencies have until August 20 to secure their systems against the exploitation of CVE-2024-37085, according to the binding operational directive (BOD 22-01) issued by CISA in November 2021.
6. CISA has warned that these vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Overall, the meeting notes emphasize the urgent need for FCEB agencies to address the CVE-2024-37085 vulnerability to prevent ransomware attacks and protect sensitive data.