Ransomware gangs are actively exploiting a vulnerability in VMware ESXi hypervisors to deploy encryptors and wreak havoc among victim organizations, experts have warned.
In a blog post covering the issue, Microsoft claimed VMware’s ESXi was vulnerable to an authentication bypass flaw that allowed ransomware operators to obtain full administrative permissions on domain-joined hypervisors. The vulnerability is tracked as CVE-2024-37085, and has a severity score of 6.8 (medium), according to the NVD.
The vulnerability “involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation,” Microsoft explained.
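For a defender, the practical consequence of that design is that the hypervisor trusts a group name rather than a validated identity, so the thing to watch is the domain side: someone creating a group with the privileged name, renaming an existing group to it, or adding an account to it. The script below is an added example, not code from the article, Microsoft or VMware. It assumes (from Microsoft's advisory, not stated on this page) that the group in question is named "ESX Admins", and it uses standard Windows Security audit event IDs: 4727 (security-enabled global group created), 4728 (member added to a security-enabled global group) and 4781 (account renamed). The event records are constructed sample data in the shape a SIEM would hand you after parsing the event XML.

```python
"""Hunt for the CVE-2024-37085 abuse pattern in Windows Security events.

Added example; assumptions: the privileged group is named "ESX Admins"
(from Microsoft's advisory, not the article), and the three event IDs
below carry the fields named here. SAMPLE_EVENTS is constructed data.
"""

import re
from dataclasses import dataclass

# Name matching is done case- and whitespace-insensitively on purpose:
# this is a conservative hunting choice so a renamed "esx  admins" group is
# not missed, not a claim about how ESXi itself compares the name.
TARGET_GROUP = "esx admins"

# Constructed sample events (assumption: field names as a SIEM would parse
# them from the Security log). Two are benign, three are the abuse pattern.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe",
     "TargetUserName": "Finance-Users"},
    {"EventID": 4727, "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=local"},
    {"EventID": 4781, "SubjectUserName": "tsmith",
     "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx  admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe",
     "TargetUserName": "Domain Users",
     "MemberName": "CN=newhire,OU=Staff,DC=corp,DC=local"},
]


@dataclass
class Finding:
    event_id: int
    actor: str
    reason: str


def _norm(name):
    """Collapse internal whitespace and case-fold so 'ESX  Admins' == 'esx admins'."""
    return re.sub(r"\s+", " ", (name or "").strip()).casefold()


def hunt(events):
    """Return one Finding per event that creates, renames into, or adds to the privileged group."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        actor = e.get("SubjectUserName", "<unknown>")
        if eid == 4727 and _norm(e.get("TargetUserName")) == TARGET_GROUP:
            findings.append(Finding(eid, actor, "created a group named ESX Admins"))
        elif eid == 4781 and _norm(e.get("NewTargetUserName")) == TARGET_GROUP:
            findings.append(Finding(
                eid, actor,
                f"renamed group {e.get('OldTargetUserName')!r} to ESX Admins"))
        elif eid == 4728 and _norm(e.get("TargetUserName")) == TARGET_GROUP:
            findings.append(Finding(
                eid, actor, f"added {e.get('MemberName')} to ESX Admins"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.actor}: {f.reason}")
```

In a real environment the same three conditions translate directly into a SIEM rule; the rename case (4781) is the one most often forgotten, since an attacker who cannot create groups may still be able to rename one they already control.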
Storm-0506 and others
The Redmond giant notified VMware of its findings, and the company came back with a patch on June 25, BleepingComputer reported.
Since ransomware actors were observed actively exploiting the vulnerability to deploy encryptors, Microsoft urges all users to apply the patch immediately.
The company added in its report it had seen the Storm-0506 criminal gang deploying a variant of the Black Basta ransomware against an engineering firm in North America recently, and “during this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization.”
Storm-0506 is a threat actor that has been seen deploying Black Basta ransomware in the past as well. Black Basta is one of the most proficient ransomware-as-a-service operations out there, most likely spawned from the defunct Conti organization. But Storm-0506 is not the only threat actor Microsoft mentions in its report: Storm-1175, Octo Tempest and Manatee Tempest were all said to be selling and supporting ESXi encryptors, including Akira, Babuk, Lockbit, and Kuiper.
“The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years,” the company concluded.
VMware ESXi is a hypervisor that enables the creation and management of multiple virtual machines on a single physical server, providing a platform for virtualization and efficient resource utilization. It is widely deployed in enterprise environments, which also makes it a major target for cybercriminals: encrypting the hypervisor takes down every VM on it at once.