Summarize

Simplifying... Inshort

A critical flaw in VMware's ESXi hypervisor is being exploited by hackers to gain full control over servers, enabling them to encrypt files and access virtual machines.
Microsoft's Threat Intelligence team has discovered this technique being used by ransomware attackers, including the Storm-0506 group, who are increasingly targeting ESXi hypervisors.
The team also observed an attack where the group used a Windows vulnerability to elevate their privileges and deploy the Black Basta ransomware.

Was a long read? Making it simpler...

Next Article

Microsoft has issued an urgent alert to users of VMware's ESXi hypervisor

Critical VMware flaw lets hackers take over servers

By Mudit Dube

Jul 30, 2024

09:58 am

What's the story

Microsoft has issued an urgent alert to users of VMware's ESXi hypervisor, advising immediate action against ongoing ransomware attacks. The attackers are exploiting a vulnerability, identified as CVE-2024-37085, which grants them full administrative control over the servers running the software. This flaw has been manipulated for months by hackers linked with various ransomware syndicates such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest.

Cyber threat

Attackers can even access hosted virtual machines

The exploited vulnerability allows hackers, who have already obtained limited system rights on a targeted server, to escalate their access to full administrative control of the ESXi hypervisor. Once in control, they can encrypt the file system and disable the servers they host. Additionally, these attackers can access hosted virtual machines to either extract data or expand their presence within a network.

Security breach

Microsoft discovers new ransomware attack technique

Microsoft's Threat Intelligence team has identified a new post-compromise technique used by ransomware attackers like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous incidents. In several instances, this method has led to the deployment of Akira and Black Basta ransomware. The team discovered that escalating hypervisor privileges on ESXi to unrestricted admin was as simple as creating a new domain group named "ESX Admins."

Cyber attacks

ESXi hypervisors increasingly targeted by ransomware actors

Over the past year, ransomware actors have increasingly targeted ESXi hypervisors in attacks that allow them to mass encrypt data with just a few clicks. By encrypting the hypervisor file system, all virtual machines hosted on it are also encrypted. Microsoft's research team noted that many security products have limited visibility into and little protection of the ESXi hypervisor.

Attack analysis

Microsoft details ransomware attack by Storm-0506 group

Microsoft researchers detailed an attack they observed by the Storm-0506 threat group, which installed the Black Basta ransomware. The threat actor initially gained access to an organization via a Qakbot infection, then exploited a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices. Subsequently, they used Cobalt Strike and Pypykatz to steal two domain administrators' credentials and moved laterally to four domain controllers.