August 1, 2024 at 09:18AM Around 20,000 unpatched VMware ESXi servers, vulnerable to CVE-2024-37085 (CVSS 6.8), are accessible on the internet. It allows threat actors full access, with ransomware groups like Storm-0506 and Octo Tempest exploiting it. The flaw enables administrative control over hypervisors, risking file encryption, VM access, and lateral movement within networks. Urgent … Read more
July 30, 2024 at 04:12PM Ransomware groups are exploiting an authentication bypass bug (CVE-2024-37085) in VMware ESXi, giving them significant access and enabling rapid malware deployment. Broadcom has issued a fix. ESXi hypervisors inadvertently grant full administrative access to any AD domain group called “ESX Admins.” Hackers find hypervisors alluring due to their complexity and … Read more
July 29, 2024 at 01:12PM Microsoft alerted of ransomware gangs exploiting VMware ESXi authentication bypass vulnerability, allowing attackers to gain full admin privileges. This flaw, CVE-2024-37085, was discovered by Microsoft researchers and patched in ESXi 8.0 U3 last month. The vulnerability has been exploited in ransomware attacks by various groups, leading to data theft and … Read more
July 22, 2024 at 01:01PM Play ransomware, a new threat, has initiated targeted attacks on Linux devices, focusing on VMware ESXi virtual machines. This is a concerning development, expanding potential victims and ransom negotiation success. The gang’s tactics involve scanning and encrypting files, leading to significant disruptions in business operations and reduced data recovery options. … Read more
July 22, 2024 at 12:24AM A new Linux variant of the Play ransomware, known for double extortion tactics, has been discovered by Trend Micro researchers. This variant targets VMWare ESXi environments, expanding its potential victim pool. The ransomware has targeted industries such as manufacturing, IT, and retail, while collaborating with the services of Prolific Puma … Read more
July 16, 2024 at 05:27PM Microsoft’s Threat Intelligence Team warns of Octo Tempest, also known as Scattered Spider, adding RansomHub and Qilin to its attack arsenal. The threat actor uses sophisticated social engineering, identity compromises, and targets VMware ESXi servers. Notably, it is behind major ransomware attacks on Caesars Palace and MGM Entertainment. The group … Read more
July 15, 2024 at 11:26AM APT INC, formerly known as SEXi ransomware operation, has targeted various organizations using Babuk and LockBit 3 encryptors to attack VMware ESXi servers and Windows. The threat actors have gained attention for attacking IxMetro Powerhost and continue to operate with ransom demands ranging from tens of thousands to millions. Unfortunately, … Read more
June 20, 2024 at 01:49PM Threat actor UNC3886, suspected to be Chinese, uses open-source rootkits like ‘Reptile’ and ‘Medusa’ on VMware ESXi virtual machines to conduct credential theft, command execution, and lateral movement. Mandiant tracked UNC3886’s attacks on government organizations and revealed their recent use of rootkits, custom malware tools, and attacks targeting various industries … Read more
June 6, 2024 at 01:59PM The Mallox ransomware group has introduced a new Linux variant that targets VMware ESXi environments. This variant uses a custom shell to execute ransomware on virtualized systems with high-level user privileges. The group has targeted various sectors and is now active in Taiwan, India, Thailand, and South Korea. Organizations are … Read more
June 5, 2024 at 07:19PM A new Linux variant of TargetCompany ransomware targets VMware ESXi environments using a custom script to execute payloads, exfiltrate data, and drop a ransom note. Trend Micro reports the ransomware encrypts specific file extensions, attributes the attacks to an affiliate named “vampire,” and provides recommendations for defense. The operation’s shift … Read more