Experts have warned that ransomware gangs are actively exploiting a vulnerability in VMware ESXi hypervisors to deploy encryptors and wreak havoc on victim organisations.
In a blog post addressing the issue, Microsoft stated that VMware ESXi was vulnerable to an authentication bypass flaw that allowed ransomware operators to gain full administrative permissions on domain-joined hypervisors. The vulnerability is known as CVE-2024-37085 and has a severity score of 6.8 (medium), according to Microsoft.
The vulnerability “affects a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation,” Microsoft explained.
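As an added illustration that is not part of Microsoft's report or this article, the following Python scans Windows Security event records for the group creation, membership and rename activity that would place accounts into the domain group described above. It assumes the group is named "ESX Admins" (a name this page does not state) and uses constructed event records rather than real logs.

```python
"""Flag domain-group activity relevant to CVE-2024-37085 in Windows Security events.

Assumption (not stated on this page): the ESXi admin domain group is "ESX Admins".
Event records below are constructed samples, not real logs.
"""
from dataclasses import dataclass
from typing import List, Optional

WATCHED_GROUP = "esx admins"  # assumed group name; matched case-insensitively

# Windows Security event IDs used here:
#   4727 - security-enabled global group created   (TargetUserName = group)
#   4728 - member added to security-enabled group  (TargetUserName = group, MemberName)
#   4781 - account name changed                    (OldTargetUserName -> NewTargetUserName)


@dataclass
class Finding:
    event_id: int
    reason: str
    actor: str  # SubjectUserName that performed the change


def inspect_event(event: dict) -> Optional[Finding]:
    """Return a Finding when the event touches the watched group, else None."""
    eid = event.get("EventID")
    actor = event.get("SubjectUserName", "?")
    target = event.get("TargetUserName", "").lower()
    if eid == 4727 and target == WATCHED_GROUP:
        return Finding(eid, "group created", actor)
    if eid == 4728 and target == WATCHED_GROUP:
        return Finding(eid, f"member added: {event.get('MemberName')}", actor)
    if eid == 4781 and event.get("NewTargetUserName", "").lower() == WATCHED_GROUP:
        return Finding(eid, f"renamed from {event.get('OldTargetUserName')}", actor)
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Run inspect_event over a batch of records and keep the hits."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


# Constructed sample records: three suspicious, two benign.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,OU=Users,DC=example,DC=test"},
    {"EventID": 4781, "SubjectUserName": "mroe", "OldTargetUserName": "HelpDesk",
     "NewTargetUserName": "esx admins"},
    {"EventID": 4727, "SubjectUserName": "admin", "TargetUserName": "Finance"},
    {"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Domain Users",
     "MemberName": "CN=newhire,OU=Users,DC=example,DC=test"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.reason} by {f.actor}")
```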
Storm-0506 and others
The Redmond giant notified VMware of its findings and the company came back with a patch on June 25.
Since ransomware actors were observed actively exploiting the vulnerability to deploy encryptors, Microsoft urges all users to apply the patch immediately.
The company added in its report that it had seen the Storm-0506 criminal gang deploy a variant of the Black Basta ransomware against an engineering firm in North America recently, and “during this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges on ESXi hypervisors within the organization.”
Storm-0506 is a threat actor that was also spotted deploying the Black Basta ransomware in the past. Black Basta is one of the most proficient ransomware-as-a-service actors out there, likely emerging from the defunct Conti organization. But Storm-0506 isn’t the only threat actor Microsoft mentions in its report: Storm-1175, Octo Tempest, and Manatee Tempest are said to have sold and supported ESXi encryptors including Akira, Babuk, LockBit, and Kuiper.
“The number of Microsoft Incident Response (Microsoft IR) engagements involving and impacting attacks on ESXi hypervisors has doubled over the past three years,” the company concluded.
VMware ESXi is a hypervisor that allows the creation and management of multiple virtual machines on a single physical server, providing a platform for virtualization and efficient use of resources. It is quite popular in the enterprise domain, which has also made it a major target for cybercriminals.