CyberSecurity SEE

Ransomware Groups Take Advantage of ESXi Bug for Rapid, Large-Scale Encryption of Virtual Machines


Multiple ransomware groups have been exploiting a vulnerability in VMware ESXi hypervisors to deploy malware across virtualized environments quickly and at scale. The bug, tracked as CVE-2024-37085, is classified by Broadcom (VMware's owner) as a "medium" severity issue with a CVSS score of 6.8 out of 10. The moderate rating reflects a precondition: an attacker must already hold Active Directory (AD) permissions in the target domain, specifically the ability to create or rename a group, before the flaw can be used.

Despite the moderate score, the impact of CVE-2024-37085 can be severe. Once an attacker holds the required AD rights, obtaining full administrative control of every domain-joined ESXi host requires no exploit code or complex technical maneuvers, only a group-management change in AD. Hypervisor-level administrative access then enables encryption of every virtual machine on the host, data theft from VM disks, lateral movement into the workloads the host runs, and more. Microsoft has attributed exploitation to several threat actors it tracks, including Storm-0506, Storm-1175, Manatee Tempest (affiliated with Evil Corp), and Octo Tempest (also known as Scattered Spider), who have used the flaw to deploy ransomware families including Black Basta and Akira.

Broadcom has addressed the vulnerability in advisory VMSA-2024-0013: the fix ships in ESXi 8.0 Update 3 (and vCenter Server 8.0 Update 3), and is available from Broadcom's support site. For ESXi 7.x hosts, which do not receive a patch, Broadcom's documented workaround is to change the two advanced settings that drive the behaviour, `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd` (set to `false`) and `Config.HostAgent.plugins.hostsvc.esxAdminsGroup` (set to a group name other than the default), and to manage host administrators through an explicitly assigned domain group instead.

The flaw in ESXi that CVE-2024-37085 describes only affects hosts that have been joined to an AD domain for user management. When a host is domain-joined, ESXi looks up a domain group whose name is taken from the advanced setting `Config.HostAgent.plugins.hostsvc.esxAdminsGroup` (default: "ESX Admins") and, because `esxAdminsGroupAutoAdd` is enabled by default, grants every member of that group the full Admin role on the host. ESXi does not check that the group exists when the host is joined, and it resolves the group by name rather than by a fixed identifier. An attacker who can create a group in the domain therefore simply creates one named "ESX Admins" and adds an account to it; an attacker who can rename groups gives an existing group that name instead. Microsoft's researchers also observed that the default group keeps its privileges for a period even after an administrator assigns a different group to manage the host, so changing only the managing group without disabling automatic addition is not a complete mitigation.
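The two sides of that mechanism translate directly into a hunt and a configuration check. The following Python, an added example and not code from the article or from Microsoft or Broadcom, flags Windows Security events that create, rename or add members to a group matching the ESXi admin group name, and audits a snapshot of the two ESXi advanced settings for the exposed defaults. The event records are constructed samples modelled on event IDs 4727 (security-enabled global group created), 4781 (account renamed) and 4728 (member added to a security-enabled global group); their field names are assumptions for this example, not a parser for real EVTX exports, and the settings snapshot is assumed to have been collected out of band (for instance from the host's advanced settings) as a key-to-value map.

```python
"""Hunt for tampering with the ESXi admin group in AD and audit ESXi settings.

Added example; not from the article or from Microsoft/Broadcom. The event
field names and the sample events below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# ESXi default for Config.HostAgent.plugins.hostsvc.esxAdminsGroup.
DEFAULT_ESX_ADMINS_GROUP = "ESX Admins"

# Advanced setting names that Broadcom's workaround changes (real setting names).
AUTOADD_KEY = "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"
GROUP_KEY = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"

# Constructed sample events (not real logs); only the fields the hunt uses.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetDomainName": "CORP",
     "TargetUserName": "ESX Admins"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "TargetDomainName": "CORP",
     "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetDomainName": "CORP",
     "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=local"},
    {"EventID": 4727, "SubjectUserName": "admin", "TargetDomainName": "CORP",
     "TargetUserName": "Finance-Readers"},
    {"EventID": 4728, "SubjectUserName": "admin", "TargetDomainName": "CORP",
     "TargetUserName": "Finance-Readers",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=local"},
]


@dataclass(frozen=True)
class Finding:
    event_id: int
    actor: str
    group: str
    detail: str


def _matches(group_name: str, watched: str) -> bool:
    # Match case-insensitively and ignore surrounding whitespace. This is a
    # deliberately conservative choice for a hunt (assumption: we would rather
    # review a lookalike than miss one), not a statement of how ESXi compares names.
    return group_name.strip().casefold() == watched.strip().casefold()


def hunt_esx_admins_events(events, watched_group: str = DEFAULT_ESX_ADMINS_GROUP) -> list[Finding]:
    """Return the events that create, rename into, or add members to the watched group."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "?")
        if eid == 4727 and _matches(ev.get("TargetUserName", ""), watched_group):
            findings.append(Finding(eid, actor, ev["TargetUserName"], "group created"))
        elif eid == 4781 and _matches(ev.get("NewTargetUserName", ""), watched_group):
            findings.append(Finding(eid, actor, ev["NewTargetUserName"],
                                    f"group renamed from {ev.get('OldTargetUserName')}"))
        elif eid == 4728 and _matches(ev.get("TargetUserName", ""), watched_group):
            findings.append(Finding(eid, actor, ev["TargetUserName"],
                                    f"member added: {ev.get('MemberName')}"))
    return findings


def esxi_settings_exposed(settings: dict) -> list[str]:
    """Report why a host's advanced-settings snapshot still honours the default group.

    Missing keys are treated as the ESXi defaults (auto-add on, group "ESX Admins").
    """
    issues: list[str] = []
    auto_add = str(settings.get(AUTOADD_KEY, "true")).strip().lower() == "true"
    group = str(settings.get(GROUP_KEY, DEFAULT_ESX_ADMINS_GROUP))
    if auto_add:
        issues.append(f"{AUTOADD_KEY} is true: members of '{group}' get the Admin role automatically")
    if _matches(group, DEFAULT_ESX_ADMINS_GROUP):
        issues.append(f"{GROUP_KEY} is the well-known default '{DEFAULT_ESX_ADMINS_GROUP}'")
    return issues


if __name__ == "__main__":
    for f in hunt_esx_admins_events(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.actor}: {f.detail} -> {f.group}")
    print("weak defaults:", esxi_settings_exposed({}))
    print("hardened:", esxi_settings_exposed({AUTOADD_KEY: "false", GROUP_KEY: "vSphere-Host-Admins"}))
```

Run against the constructed sample, the hunt returns the three "jdoe" actions (creation, rename to a lookalike, and membership add) and ignores the unrelated "Finance-Readers" changes; the settings audit reports two issues for a host left at defaults and none for a host with auto-add disabled and a non-default group name. In a real environment the events would come from the domain controllers' Security logs, and both checks should be paired with a review of which principals hold group-creation and rename rights in the domain, since those rights, not domain-admin membership, are the actual precondition for the attack.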

Security experts have warned about the growing threat of ransomware attacks targeting hypervisors and virtual machines (VMs) as businesses adopt hybrid cloud and virtualized on-premises environments. Jason Soroko, senior vice president of product at Sectigo, notes that hypervisors are attractive to attackers precisely because a single host runs many VMs at once: one compromised host gives ransomware a platform to reach many critical business services and data sets in a single action.

Microsoft has noted the challenges in securing hypervisors: their isolation from the rest of the estate, their complexity, and the specialised expertise they require mean that traditional endpoint security tools have limited visibility into them and offer limited protection. Soroko emphasizes keeping patches current and maintaining robust cyber hygiene, including tight control over who can administer the hypervisor and over the directory groups that grant that access, to mitigate the risk posed by ransomware actors targeting hypervisors.

As cyber threats continue to evolve, organizations must remain vigilant in securing their virtualized environments to prevent malicious actors from exploiting vulnerabilities like CVE-2024-37085. By staying informed of emerging threats and bolstering their cybersecurity defenses, businesses can protect their critical assets and networks from ransomware attacks and other malicious activities.
