Ransomware Gangs Exploit VMware ESXi Authentication Bypass in Attacks
Microsoft has recently issued a warning about ransomware gangs exploiting a vulnerability in VMware ESXi’s authentication system. This flaw, identified as CVE-2024-37085, allows attackers to gain full administrative access to ESXi hypervisors, posing a significant threat to organizations using this technology.
The Vulnerability
The vulnerability lies in the way ESXi hypervisors handle authentication. Attackers can create a new user in an “ESX Admins” group, membership of which automatically grants full administrative privileges on the hypervisor. The flaw requires high privileges on the target device and user interaction, but once exploited it gives the attacker complete control of the hypervisor.
Exploitation by Ransomware Gangs
Several ransomware gangs, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, have been observed exploiting this vulnerability. These groups have used the flaw to deploy ransomware such as Akira and Black Basta, leading to significant disruptions for affected organizations.
Attack Methodology
The attackers typically gain initial access through methods like phishing or exploiting other vulnerabilities. Once inside the network, they use tools like Cobalt Strike and Pypykatz to steal credentials and move laterally. By exploiting the ESXi vulnerability, they can encrypt the file system of the hypervisor, affecting the hosted virtual machines and potentially exfiltrating data.
Impact on Organizations
The exploitation of this vulnerability can have severe consequences. ESXi hypervisors often host critical applications and data, so gaining control over them can lead to major outages and business disruptions. The attackers can encrypt files and backups stored on the hypervisor, severely limiting recovery options for the victims.
Mitigation and Protection
Microsoft has disclosed this vulnerability to VMware, which has released a security update to address the issue. Organizations using ESXi hypervisors are strongly advised to apply these updates promptly. Additionally, following best practices for network security, such as regular patching and monitoring for unusual activity, can help mitigate the risk of such attacks.
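One concrete form the "monitoring for unusual activity" advice can take is to watch the domain's security audit log for the group the flaw trusts. The following is an added example, not code from Microsoft, VMware or this article: it scans Windows Security events 4727, 4728 and 4737 (group created, member added, group changed) for any security group named “ESX Admins”, using a constructed set of event records in the shape an EVTX-to-JSON export would produce.

```python
import re
from collections import namedtuple

# Windows Security log event IDs for security-enabled global group changes
# (the events Active Directory writes when a group is created or modified).
GROUP_CREATED, MEMBER_ADDED, GROUP_CHANGED = 4727, 4728, 4737
WATCHED_IDS = {GROUP_CREATED, MEMBER_ADDED, GROUP_CHANGED}

# ESXi grants full admin rights to members of a domain group with this exact
# name; the match is loose on case and spacing so near-identical names also alert.
ESX_ADMINS = re.compile(r"^\s*esx\s*admins\s*$", re.IGNORECASE)

Alert = namedtuple("Alert", "event_id group actor detail")


def scan_events(events):
    """Return an Alert for each watched event that touches an 'ESX Admins' group.

    Events are dicts with the fields an EVTX-to-JSON export carries: EventID,
    TargetUserName (the group), SubjectUserName (who acted) and, for 4728,
    MemberName (the account that was added).
    """
    alerts = []
    for ev in events:
        event_id = ev.get("EventID")
        group = ev.get("TargetUserName", "")
        if event_id not in WATCHED_IDS or not ESX_ADMINS.match(group):
            continue
        if event_id == GROUP_CREATED:
            detail = "group created"
        elif event_id == MEMBER_ADDED:
            detail = "member added: " + ev.get("MemberName", "?")
        else:
            detail = "group changed (possible rename to the trusted name)"
        alerts.append(Alert(event_id, group.strip(), ev.get("SubjectUserName", "?"), detail))
    return alerts


# Constructed sample events: a benign group creation followed by the sequence
# that sets up abuse of the ESXi group-name trust, then an unrelated change.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TargetUserName": "Finance-Readers", "SubjectUserName": "helpdesk1"},
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "svc_backup"},
    {"EventID": 4728, "TargetUserName": "ESX Admins", "SubjectUserName": "svc_backup",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4737, "TargetUserName": "esx admins", "SubjectUserName": "svc_backup"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "admin2",
     "MemberName": "CN=ops,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[ALERT] event {alert.event_id}: '{alert.group}' by {alert.actor}: {alert.detail}")
```

On a real domain the same function can be fed the output of an event export or a SIEM query; the three alerts it raises on the sample data are exactly the group creation, the membership addition and the later rename-style change.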
Conclusion
The exploitation of the VMware ESXi authentication bypass by ransomware gangs highlights the importance of robust security measures and timely updates. Organizations must remain vigilant and proactive in protecting their critical infrastructure from such sophisticated threats.
By understanding the nature of this vulnerability and taking appropriate actions, organizations can better defend against these malicious attacks and ensure the continuity of their operations.