
SecurityWeek

Ransomware

Microsoft Says Ransomware Gangs Exploiting Just-Patched VMware ESXi Flaw

VMware did not mention in-the-wild exploitation for CVE-2024-37085 but Microsoft says ransomware gangs are abusing the just-patched flaw.

Less than a week after VMware shipped patches for a critical vulnerability in ESXi hypervisors, Microsoft’s threat intel team says the flaw is being exploited by ransomware groups to gain full administrative access on domain-joined systems. 

The flaw, tagged as CVE-2024-37085 with a CVSS severity score of 6.8, has already been abused by multiple known ransomware groups to deploy data-extortion malware on enterprise networks, according to a new warning from Redmond’s threat hunting teams.

Strangely, Broadcom-owned VMware did not mention in-the-wild exploitation when it released patches and workarounds last week alongside warnings that it could be used by hackers to gain unauthorized access and control over ESXi hosts.

“VMware ESXi contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range,” VMware said.

“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD,” the company added.

The company rolled out patches for ESXi 8.0 and VMware Cloud Foundation 5.x, while no patches are planned for ESXi 7.0 and VMware Cloud Foundation 4.x.


Now comes word from Microsoft that known cybercriminal groups like Storm-0506, Storm-1175, and Octo Tempest have already exploited this VMware ESXi vulnerability to deploy ransomware.

“The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years,” Microsoft said.

In one documented case, Microsoft said an engineering firm in North America was affected by a Black Basta ransomware deployment that included the use of the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization.

“Microsoft observed that the threat actor created the ‘ESX Admins’ group in the domain and added a new user account to it…[This] attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor,” the company warned.
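As an added illustration that is not part of the original article, the following detection logic flags the Active Directory activity described in VMware's advisory and Microsoft's write-up above: the creation of an "ESX Admins" group and members being added to it. It uses the standard Windows Security Log event IDs 4727 (security-enabled global group created) and 4728 (member added to such a group); the field names SubjectUser, TargetGroup and MemberName are assumed to come from a SIEM's normalization, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Standard Windows Security Log event IDs for the activity described above.
GROUP_CREATED = 4727   # A security-enabled global group was created
MEMBER_ADDED = 4728    # A member was added to a security-enabled global group

# The article quotes both spellings: 'ESXi Admins' (VMware) and 'ESX Admins'
# (Microsoft). Match either, ignoring case and extra whitespace.
ESX_ADMINS_RE = re.compile(r"^esxi?\s*admins$", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    group: str
    actor: str
    detail: str


def is_esx_admins_group(name: str) -> bool:
    return bool(ESX_ADMINS_RE.match(name.strip()))


def detect_esx_admins_abuse(events):
    """Return a Finding for every 4727/4728 event touching an ESX Admins group.

    `events` are dicts with assumed SIEM field names: EventID, TargetGroup,
    SubjectUser and (for 4728) MemberName.
    """
    findings = []
    for ev in events:
        group = ev.get("TargetGroup", "")
        if not is_esx_admins_group(group):
            continue
        if ev["EventID"] == GROUP_CREATED:
            findings.append(Finding(GROUP_CREATED, group, ev["SubjectUser"], "group created"))
        elif ev["EventID"] == MEMBER_ADDED:
            findings.append(Finding(MEMBER_ADDED, group, ev["SubjectUser"],
                                    f"member added: {ev['MemberName']}"))
    return findings


def actors_who_created_and_populated(findings):
    """Actors that both created the group and added a member to it: the exact
    sequence Microsoft describes, so it deserves the highest priority."""
    created = {f.actor for f in findings if f.event_id == GROUP_CREATED}
    added = {f.actor for f in findings if f.event_id == MEMBER_ADDED}
    return created & added


# Constructed sample events (not real log data): benign group changes around
# the create-then-add sequence from the article.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TargetGroup": "Helpdesk", "SubjectUser": "CORP\\jdoe", "MemberName": "CORP\\newhire"},
    {"EventID": 4727, "TargetGroup": "ESX Admins", "SubjectUser": "CORP\\svc-backup"},
    {"EventID": 4728, "TargetGroup": "ESX Admins", "SubjectUser": "CORP\\svc-backup", "MemberName": "CORP\\tmp-admin"},
    {"EventID": 4727, "TargetGroup": "Finance", "SubjectUser": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for f in detect_esx_admins_abuse(SAMPLE_EVENTS):
        print(f"ALERT {f.event_id}: '{f.group}' by {f.actor} ({f.detail})")
```

Because the group is looked up by name, a renamed or re-created group with the same name is indistinguishable to the host, which is why the detection keys on the name rather than on a SID.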

VMware ESXi, formerly known as ESX, is a bare-metal hypervisor that installs directly on server hardware and partitions each server into multiple virtual machines.

Related: VMware Patches Critical ESXi Sandbox Escape Flaws

Related: Chinese Cyberspies Caught Exploiting VMware ESXi Zero-Day

Related: Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware

Related: RTM Locker Ransomware Variant Targeting ESXi Servers

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
