CISA Issues Warning Over VMware ESXi Bug Exploited in Ransomware Attacks
July 30, 2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has instructed Federal Civilian Executive Branch (FCEB) agencies to safeguard their servers from a VMware ESXi authentication bypass vulnerability, known as CVE-2024-37085, that is being exploited in ransomware attacks.
The flaw was identified by Microsoft security researchers and fixed by VMware, a subsidiary of Broadcom, in ESXi 8.0 U3, released on June 25. On a domain-joined ESXi host, members of an Active Directory group named 'ESX Admins' are automatically granted full administrative privileges, and the host does not verify that the group exists or who created it. An attacker with enough AD rights to create (or rename) a group of that name and add a user to it therefore obtains full admin access to the hypervisor.
Although successful exploitation requires user interaction and high privileges, and VMware rated the vulnerability medium-severity, Microsoft disclosed that several ransomware groups are actively exploiting it to gain full admin privileges on domain-joined hypervisors.
Once admin permissions are acquired, the attackers steal sensitive data from virtual machines (VMs), move laterally through the victims' networks, and encrypt the ESXi hypervisor's file system, causing outages and disrupting business operations.
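Because the weakness is a trusted group name rather than a code bug, the attack leaves a trail in the domain controllers' Security log before anything touches ESXi. The script below is an added example (not from the article, Microsoft or VMware) that hunts a batch of constructed Windows Security events for the three moves that matter: creation of a group named 'ESX Admins', renaming an existing group to that name, and adding a member to it. The event IDs are the standard Windows IDs for group creation (4727/4731/4754), member addition (4728/4732/4756) and account rename (4781); the field names (SubjectUserName, TargetUserName, OldTargetUserName, NewTargetUserName, MemberName) are the usual XML field names for those events. Matching the group name case-insensitively is a defensive choice of this example, not a claim about how ESXi compares the name.

```python
"""Hunt Windows Security events for activity on an AD group named 'ESX Admins'.

Added example, not code from the article or from Microsoft/VMware.  The sample
events at the bottom are constructed for this demonstration.
"""
import json
import re

# Standard Windows Security event IDs (assumed here; see lead-in):
GROUP_CREATED = {4727, 4731, 4754}     # security-enabled global/local/universal group created
MEMBER_ADDED = {4728, 4732, 4756}      # member added to a security-enabled group
ACCOUNT_RENAMED = {4781}               # user or group account renamed

# Case-insensitive, whitespace-tolerant match on the trusted group name.
TARGET_GROUP = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)


def is_esx_admins(name):
    """True when `name` is the group name a domain-joined ESXi host trusts."""
    return bool(name and TARGET_GROUP.match(name))


def analyze(records):
    """Return findings as (event_id, actor, group_name, reason) tuples.

    `records` is any iterable of dicts shaped like the Security log's EventData.
    """
    findings = []
    for rec in records:
        eid = rec.get("EventID")
        actor = rec.get("SubjectUserName", "?")
        if eid in GROUP_CREATED and is_esx_admins(rec.get("TargetUserName")):
            findings.append((eid, actor, rec["TargetUserName"], "group created"))
        elif eid in ACCOUNT_RENAMED and is_esx_admins(rec.get("NewTargetUserName")):
            old = rec.get("OldTargetUserName", "?")
            findings.append((eid, actor, rec["NewTargetUserName"], f"renamed from {old}"))
        elif eid in MEMBER_ADDED and is_esx_admins(rec.get("TargetUserName")):
            member = rec.get("MemberName", "?")
            findings.append((eid, actor, rec["TargetUserName"], f"member added: {member}"))
    return findings


def analyze_jsonl(text):
    """Convenience wrapper: one JSON-encoded event per line."""
    return analyze(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample: one benign group creation, then the three attacker moves,
# then a benign membership change that must not be flagged.
SAMPLE_EVENTS = """
{"EventID": 4727, "SubjectUserName": "hd-admin", "TargetUserName": "Helpdesk"}
{"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}
{"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Backup Ops", "NewTargetUserName": "esx admins"}
{"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"}
{"EventID": 4728, "SubjectUserName": "hd-admin", "TargetUserName": "Helpdesk", "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example"}
"""

if __name__ == "__main__":
    for eid, actor, group, reason in analyze_jsonl(SAMPLE_EVENTS):
        print(f"[{eid}] actor={actor!r} group={group!r}: {reason}")
```

Run against the sample it reports the creation, the rename and the member addition and stays silent on the Helpdesk events. In production the same logic runs over events exported from the domain controllers (for example with Get-WinEvent or a SIEM query); any hit is worth treating as a precursor to hypervisor compromise, since the page's attackers went from this step straight to data theft and VM encryption.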
The CVE-2024-37085 vulnerability has been taken advantage of by ransomware operators identified as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest to deploy Akira and Black Basta ransomware.
In response to Microsoft's report, CISA has added the security vulnerability to its 'Known Exploited Vulnerabilities' catalog, indicating that it is being used in attacks. FCEB agencies now have until August 20 to secure their systems against ongoing exploitation of CVE-2024-37085, as per the binding operational directive (BOD 22-01) issued in November 2021.
While the directive only applies to federal agencies, CISA strongly recommends that all organizations prioritize addressing the flaw to prevent ransomware attacks on their networks. 'These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,' CISA warned.
Over the years, ransomware operations have increasingly targeted victims' ESXi virtual machines (VMs), as organizations consolidated sensitive data and critical applications on them. Until now, however, they have mostly relied on Linux lockers built to encrypt VMs rather than on exploiting ESXi-specific vulnerabilities such as CVE-2024-37085, even though a vulnerability of this kind offers a faster route to full control of a victim's hypervisors.
Related News
- Black Basta Ransomware Group Adapts with Custom Tools and Malware
- Ransomware Gangs Actively Exploiting VMware ESXi Auth Bypass Vulnerability: Microsoft Warns