Experts warn that ransomware gangs are actively exploiting a vulnerability in VMware ESXi hypervisors to deploy encryptors and cause chaos among victim organizations.
In a blog post about the issue, Microsoft said VMware’s ESXi was vulnerable to an authentication bypass flaw that could allow ransomware operators to gain full administrative privileges on hypervisors joined to an Active Directory domain. The vulnerability is tracked as CVE-2024-37085 and carries a severity score of 6.8 (medium), according to the NVD. The medium rating reflects the precondition rather than the impact: an attacker first needs enough Active Directory privileges to create or modify a domain group, which a ransomware operator who has already compromised the domain typically has.
The vulnerability “affects a domain group whose members are granted full administrative privileges on the ESXi hypervisor by default without proper validation,” Microsoft said.
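Because the ESXi-side check is by group name, the abuse shows up first in Active Directory, not on the hypervisor: a group with the privileged name gets created, renamed into existence, or gains a member. The hunt below is an added example written for this page, not code from the article, Microsoft or VMware. It assumes constructed, hand-written Security-log records in the field layout of Event IDs 4727/4754 (security-enabled group created), 4728/4756 (member added to a security-enabled group) and 4781 (account renamed), and it assumes a watched group name of "ESX Admins", VMware's documented default Active Directory admin group for ESXi; the name is configurable per host, so pass the names your hosts actually use.

```python
"""Hunt Windows Security-log events for the domain-group manipulation that
precedes abuse of CVE-2024-37085 on AD-joined ESXi hosts.

Added example, not code from the article or from Microsoft/VMware.
Assumptions: SAMPLE_EVENTS are constructed records in the field layout of
Event IDs 4727/4754 (group created), 4728/4756 (member added) and 4781
(account renamed); "ESX Admins" is VMware's documented default admin group
name and is configurable per host, so callers should pass their own names.
"""
from typing import Iterable

# Event IDs of interest and the field that carries the (new) group name in each.
GROUP_CREATED = {4727: "TargetUserName", 4754: "TargetUserName"}
MEMBER_ADDED = {4728: "TargetUserName", 4756: "TargetUserName"}
ACCOUNT_RENAMED = {4781: "NewTargetUserName"}

DEFAULT_WATCHED = ("ESX Admins",)  # assumption: VMware's documented default name

# Constructed sample records (not real telemetry). A benign group creation and
# a benign Domain Admins change are mixed in so the filter has something to skip.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance Reviewers"},
    {"EventID": 4727, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "Helpdesk", "NewTargetUserName": " esx  admins "},
    {"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Domain Admins",
     "MemberName": "CN=admin,CN=Users,DC=corp,DC=example"},
]


def normalize(name: str) -> str:
    """Compare group names loosely: collapse whitespace and fold case, so a
    group that differs only cosmetically from the watched name is still caught.
    Loose matching is a detection choice here; tune it if it proves noisy."""
    return " ".join(name.split()).casefold()


def hunt(events: Iterable[dict], watched_groups=DEFAULT_WATCHED) -> list:
    """Return one finding per event that creates, renames into, or adds a
    member to a group whose name matches one of watched_groups."""
    watched = {normalize(g) for g in watched_groups}
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in GROUP_CREATED:
            field, reason = GROUP_CREATED[eid], "domain group created with watched name"
        elif eid in MEMBER_ADDED:
            field, reason = MEMBER_ADDED[eid], "member added to watched group"
        elif eid in ACCOUNT_RENAMED:
            field, reason = ACCOUNT_RENAMED[eid], "existing account renamed to watched name"
        else:
            continue  # not a group lifecycle event we care about
        group = ev.get(field, "")
        if normalize(group) in watched:
            findings.append({
                "event_id": eid,
                "reason": reason,
                "group": group,
                "actor": ev.get("SubjectUserName", "?"),
                "member": ev.get("MemberName", ""),
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['event_id']} {f['reason']}: group={f['group']!r} "
              f"actor={f['actor']} member={f['member'] or '-'}")
```

Treat any hit as a lead to correlate with the hypervisor side: a domain account that creates this group and then adds itself is the sequence that hands it root on every AD-joined ESXi host still honouring the default. Which group name a given host honours, and whether it auto-grants at all, is an ESXi advanced setting, so the complementary check is to read that configuration from each host after patching rather than assume the default changed; the article does not cover those host-side settings.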
Storm-0506 and others
The Redmond giant informed VMware of its findings, and the company issued a patch on June 25, BleepingComputer reported.
Because ransomware operators have been observed actively exploiting the vulnerability to install encryptors, Microsoft is urging all users to apply the patch immediately.
The company added in its report that it had recently seen criminal gang Storm-0506 deploy a variant of the Black Basta ransomware against an engineering firm in North America, and “during this attack, the threat actor leveraged the CVE-2024-37085 vulnerability to gain escalated privileges on the organization’s ESXi hypervisors.”
Storm-0506 is a threat actor that has deployed Black Basta ransomware in the past. Black Basta is one of the most proficient ransomware-as-a-service operations out there, likely spun out of the defunct Conti organization. But Storm-0506 isn’t the only threat actor Microsoft mentions in its report: Storm-1175, Octo Tempest and Manatee Tempest are all named as operators or affiliates that deploy and support ESXi encryptors, including Akira, Babuk, Lockbit and Kuiper.
“The number of Microsoft Incident Response (Microsoft IR) deployments that targeted and impacted ESXi hypervisors has more than doubled over the past three years,” the company concluded.
VMware ESXi is a hypervisor that enables the creation and management of multiple virtual machines on a single physical server, providing a platform for virtualization and efficient resource utilization. It is widely used in the enterprise, which has also made it a prime target for cybercriminals: encrypting the hypervisor takes down every virtual machine it hosts at once.