Critical VMware flaw lets hackers take over servers
Microsoft has issued an urgent alert to users of VMware's ESXi hypervisor, advising immediate action against ongoing ransomware attacks. The attackers are exploiting a vulnerability, identified as CVE-2024-37085, which grants them full administrative control over the servers running the software. This flaw has been exploited for months by hackers linked to various ransomware syndicates such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest.
Attackers can even access hosted virtual machines
The exploited vulnerability allows hackers who have already obtained limited system rights on a targeted server to escalate their access to full administrative control of the ESXi hypervisor. Once in control, they can encrypt the hypervisor's file system and shut down the servers it hosts. Additionally, these attackers can access hosted virtual machines to either extract data or expand their presence within a network.
Microsoft discovers new ransomware attack technique
Microsoft's Threat Intelligence team has identified a new post-compromise technique used by ransomware attackers like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous incidents. In several instances, this method has led to the deployment of Akira and Black Basta ransomware. The team discovered that escalating hypervisor privileges on ESXi to unrestricted admin was as simple as creating a new domain group named "ESX Admins."
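The technique above leaves a footprint in Active Directory audit logs on the domain controllers (a group named "ESX Admins" is created, renamed into existence, or gains members) and in the ESXi advanced settings that govern the behaviour. The following script is an added example, not Microsoft's or VMware's code: it runs a defender's hunt over a handful of constructed Windows Security events (IDs 4727, 4728 and 4781) and then checks constructed per-host ESXi settings for the auto-add behaviour. The two advanced-setting names are the ones VMware published for this issue; the host names, user names and event contents are made up for the example, and the case- and whitespace-insensitive matching is a defensive choice so cosmetic variants of the group name are not missed.

```python
"""Hunt for 'ESX Admins' group activity in AD audit events and audit ESXi settings.

All events and settings below are constructed sample data, not real telemetry.
"""
import re

# Windows Security event IDs that record group creation, membership and rename.
GROUP_EVENT_IDS = {
    4727: "security-enabled global group created",
    4728: "member added to security-enabled global group",
    4781: "account (group) renamed",
}
WATCHED_GROUP = "esx admins"

# Constructed sample events; keys mimic Security log fields.
SAMPLE_EVENTS = [
    {"EventID": 4727, "Computer": "DC01", "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4727, "Computer": "DC01", "SubjectUserName": "hr-admin",
     "TargetUserName": "Finance Users"},                        # benign group
    {"EventID": 4781, "Computer": "DC02", "SubjectUserName": "jdoe",
     "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx  admins"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "ESX Admins"},  # logon, not a group event
]


def normalize_group(name: str) -> str:
    """Collapse whitespace and lower-case so cosmetic variants still match."""
    return re.sub(r"\s+", " ", name.strip()).lower()


def find_esx_admins_events(events):
    """Return group events whose (new) group name is 'ESX Admins'."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in GROUP_EVENT_IDS:
            continue
        # A rename reports the resulting name in NewTargetUserName.
        name = ev.get("NewTargetUserName") if eid == 4781 else ev.get("TargetUserName")
        if not name or normalize_group(name) != WATCHED_GROUP:
            continue
        hits.append({
            "event_id": eid,
            "what": GROUP_EVENT_IDS[eid],
            "group": name,
            "actor": ev.get("SubjectUserName", "?"),
            "host": ev.get("Computer", "?"),
            "member": ev.get("MemberName"),
        })
    return hits


# ESXi advanced settings that control the automatic admin grant.
ESXI_AUTOADD = "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"
ESXI_GROUP = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"

# Constructed inventory: host name -> advanced settings as strings.
SAMPLE_ESXI_SETTINGS = {
    "esx-01": {ESXI_AUTOADD: "true", ESXI_GROUP: "ESX Admins"},
    "esx-02": {ESXI_AUTOADD: "false", ESXI_GROUP: "ESX Admins"},
}


def check_esxi_settings(hosts):
    """Flag hosts that still auto-grant admin to members of the configured group.

    A missing value is treated as the permissive default (auto-add enabled).
    """
    findings = []
    for host, settings in hosts.items():
        auto_add = str(settings.get(ESXI_AUTOADD, "true")).lower() == "true"
        if auto_add:
            findings.append({
                "host": host,
                "group": settings.get(ESXI_GROUP, "ESX Admins"),
                "reason": f"{ESXI_AUTOADD} is enabled; domain group members become admin",
            })
    return findings


if __name__ == "__main__":
    for hit in find_esx_admins_events(SAMPLE_EVENTS):
        print("AD hunt hit:", hit)
    for finding in check_esxi_settings(SAMPLE_ESXI_SETTINGS):
        print("ESXi finding:", finding)
```

On real infrastructure the events would come from the domain controllers' Security log (or a SIEM export) rather than the inline list, and the settings dictionary from whatever inventory tooling reads ESXi advanced settings; the matching and checking logic stays the same.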
ESXi hypervisors increasingly targeted by ransomware actors
Over the past year, ransomware actors have increasingly targeted ESXi hypervisors in attacks that allow them to mass encrypt data with just a few clicks. By encrypting the hypervisor file system, all virtual machines hosted on it are also encrypted. Microsoft's research team noted that many security products have limited visibility into and little protection of the ESXi hypervisor.
Microsoft details ransomware attack by Storm-0506 group
Microsoft researchers detailed an attack they observed by the Storm-0506 threat group, which installed the Black Basta ransomware. The threat actor initially gained access to an organization via a Qakbot infection, then exploited a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices. Subsequently, they used Cobalt Strike and Pypykatz to steal two domain administrators' credentials and moved laterally to four domain controllers.