Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks

July 29, 2024 at 01:12PM

Microsoft has warned that ransomware gangs are exploiting a VMware ESXi authentication bypass vulnerability that lets attackers gain full administrative privileges on the hypervisor. The flaw, CVE-2024-37085, was discovered by Microsoft researchers and patched in ESXi 8.0 U3 last month. It has been exploited in ransomware attacks by several groups, leading to data theft and system encryption.

Key takeaways from the article:

– Microsoft has warned about ransomware gangs actively exploiting a VMware ESXi authentication bypass vulnerability, tracked as CVE-2024-37085, which was discovered by Microsoft security researchers and patched in June.

– The security flaw allows attackers to gain full administrative privileges on the ESXi hypervisor by adding a new user to an ‘ESX Admins’ group they create.

– Exploiting this vulnerability allows ransomware gangs to escalate to full admin privileges on domain-joined hypervisors, steal sensitive data stored on the hosted VMs, move laterally through networks, and encrypt the ESXi hypervisor’s file system.

– Microsoft has identified at least three techniques for exploiting the vulnerability, and it has been exploited in the wild by ransomware operators, leading to deployments of ransomware such as Black Basta and Akira.

– Ransomware groups have been increasingly targeting ESXi hypervisors, as bringing down ESXi VMs can cause major outages and disrupt business operations, severely limiting victims’ options to recover their data.

– The number of Microsoft Incident Response engagements involving the targeting and compromise of ESXi hypervisors has more than doubled in the last three years.
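The mechanism described above (an attacker creating an 'ESX Admins' group and adding a user to it) leaves a small, distinctive footprint in domain controller security logs. The following detection sketch is an added example, not code from the article, Microsoft, or VMware. It assumes the standard Windows Security event IDs 4727 (security-enabled global group created), 4728 (member added to a security-enabled global group) and 4737 (security-enabled global group changed), represented here as plain dictionaries with a subset of their fields; the sample records are constructed. The group name is compared case-insensitively so that trivial casing variants of the name do not slip past the rule.

```python
"""Flag Active Directory group events matching the CVE-2024-37085 pattern:
creation of, membership change to, or rename into a group called 'ESX Admins'.

Added example; event IDs and field names are assumptions based on standard
Windows Security auditing, not values taken from the article.
"""
from dataclasses import dataclass
from typing import List, Optional

# Standard Windows Security event IDs for AD group lifecycle (assumed relevant).
GROUP_CREATED = 4727   # A security-enabled global group was created
MEMBER_ADDED = 4728    # A member was added to a security-enabled global group
GROUP_CHANGED = 4737   # A security-enabled global group was changed (e.g. renamed)

WATCHED_GROUP = "esx admins"  # group name the ESXi check trusts, normalized


@dataclass
class Finding:
    event_id: int
    actor: str               # account that performed the change
    group: str               # group name as recorded in the event
    member: Optional[str]    # member added, for 4728 only
    reason: str


def normalize(name: str) -> str:
    """Case-insensitive, whitespace-trimmed comparison key for group names."""
    return name.strip().lower()


def detect(events: List[dict]) -> List[Finding]:
    """Return one Finding per event that creates, populates or renames a group
    into the watched 'ESX Admins' name. Unrelated events are ignored."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "<unknown>")
        group = ev.get("TargetUserName", "")  # for group events, this is the group name

        if eid == GROUP_CREATED and normalize(group) == WATCHED_GROUP:
            findings.append(Finding(eid, actor, group, None,
                                    "new group created with watched name"))
        elif eid == MEMBER_ADDED and normalize(group) == WATCHED_GROUP:
            findings.append(Finding(eid, actor, group, ev.get("MemberName"),
                                    "member added to watched group"))
        elif eid == GROUP_CHANGED and normalize(ev.get("SamAccountName", "")) == WATCHED_GROUP:
            # Rename path: an existing group's SAM account name changed to the watched name.
            findings.append(Finding(eid, actor, group, None,
                                    "existing group renamed to watched name"))
    return findings


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "helpdesk1", "TargetUserName": "Domain Users",
     "MemberName": "CN=newhire,CN=Users,DC=corp,DC=example"},
    {"EventID": 4737, "SubjectUserName": "jdoe", "TargetUserName": "Helpdesk",
     "SamAccountName": "esx admins"},
    {"EventID": 4720, "SubjectUserName": "hr-admin", "TargetUserName": "newhire"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.reason}: group={f.group!r} actor={f.actor} member={f.member}")
```

In a real deployment the same three conditions would be expressed in the SIEM's query language and correlated with the domain-joined ESXi hosts' own logs; the point of the sketch is that a group with this exact name should essentially never be created or renamed into existence without a change ticket, so any match is worth a look.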

