Saturday, December 14, 2024
HomeCVE/vulnerabilityHackers Exploiting ESXi Hypervisor Auth Bypass Flaw For Ransomware Attacks

Hackers Exploiting ESXi Hypervisor Auth Bypass Flaw For Ransomware Attacks

Published on

SIEM as a Service

Hackers prefer ransomware attacks primarily because they offer the highest chance of financial gain. By locking victims’ information systems and asking for payment to release them, ransomware attacks lock victims’ information systems and demand payment to unlock them.

Considering such a high level of risk, victims are pushed to make ransom payments as fast as possible to return their computers to operation quickly, consequently reducing business downtime. Together, these things make them an attractive and successful approach for threat actors.

Microsoft cybersecurity researchers recently discovered that hackers have been actively exploiting the ESXi Hypervisor auth bypass flaw to launch ransomware attacks.

- Advertisement - SIEM as a Service

Hackers Exploiting ESXi Hypervisor

The security flaw in the VMware ESXi hypervisors has been tracked as “CVE-2024-37085,” which Storm-0506 and Octo Tempest ransomware groups exploited.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

This flaw enables hackers to gain complete control by manipulating a domain group called “ESX Admins”. Hackers can add or rename this group while bypassing proper checks.

Once attackers exploit the above vulnerability, they are able to hijack virtual machines’ file systems, encrypt them, steal data from these machines, and move within networks laterally.

This vulnerability affects domain-joined ESXi servers, potentially compromising entire virtualized infrastructures.

VMware has released a patch for it, and administrators are strongly recommended to apply it as soon as possible and review their extensive remediation and prevention guidance.

This will ensure effective protection against such advanced malware.

Ransomware actors have increasingly targeted the ESXi hypervisors over the past year, taking advantage of their lack of security visibility and capacity for mass encryption.

In the last three years, Microsoft has witnessed a doubling of ESXi-related incidents. In one case, Storm-0506 used Black Basta ransomware against a North American engineering firm.

Storm-0506 attack chain (Source – Microsoft)

The attack chain exploited CVE-2024-37085 on ESXi hypervisors, coupled with initial Qakbot infection and Windows CLFS vulnerability (CVE-2023-28252) exploitation. 

Threat actors used various tools like Cobalt Strike, Pypykatz, and SystemBC to steal credentials, move laterally, and maintain persistence.

Given the name “ESX Admins,” they did this in order to gain higher privileges, consequently, it led to the encryption of the ESXi file system and disruption of VMs on those systems.

While successful on ESXi systems, but some non-ESXi devices were protected from encryption by Microsoft Defender Antivirus and Defender for Endpoint’s automatic attack disruption capabilities.

This shows how essential comprehensive security measures are.

Mitigations

Here below we have mentioned all the mitigations:-

  • Install software updates
  • Credential hygiene
  • Improve critical assets posture
  • Identify vulnerable assets

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...

FBI Seizes Rydox Marketplace, Arrests Key Administrators

The Federal Bureau of Investigation (FBI) announced the seizure of Rydox, an illicit online...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...