Cybercriminals are leveraging a vulnerability in VMware’s ESXi hypervisor, leading to significant security concerns. Microsoft researchers revealed that the flaw allows attackers to gain full administrative permissions on domain-joined ESXi hypervisors, facilitating ransomware and extortion activities. This exploitation has raised alarms within the cybersecurity community.
VMware ESXi Vulnerability Details
The vulnerability, identified as CVE-2024-37085, permits attackers to add users to an attacker-created admins group, granting extensive administrative access. This technique, which some experts argue is a well-known feature rather than a bug, has been documented in VMware vSphere for over a decade. However, its abuse by cybercriminals has led to new concerns. The vulnerability impacts VMware ESXi, VMware vCenter Server, and VMware Cloud Foundation.
Experts from Microsoft and other cybersecurity entities note that the exploitation allows threat actors to encrypt the hypervisor’s file system, disrupting every server hosted on it. Additionally, attackers can access hosted virtual machines, exfiltrate data, and move laterally within networks. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog.
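Because the abuse described above shows up in Active Directory as ordinary group-management changes, defenders can watch the domain controller audit log for them. The following Python is an added example, not code from the article, Microsoft or VMware; it assumes the trusted group is named "ESX Admins" (the name the affected ESXi versions grant administrative rights to), that security events are available as dicts with the standard Windows field names, and it uses constructed sample records.

```python
import re

# Group name the affected ESXi versions grant admin rights to (CVE-2024-37085).
# Matched case-insensitively with flexible whitespace as a conservative choice.
ESX_ADMINS_PATTERN = re.compile(r"^\s*esx\s*admins\s*$", re.IGNORECASE)

# Standard Windows Security audit event IDs: 4727 = security-enabled global group
# created, 4728 = member added to such a group, 4781 = account/group renamed.
WATCHED_EVENTS = {4727: "group created", 4728: "member added", 4781: "group renamed"}

def group_name_from_event(event):
    """Return the group name an event refers to, or None for unrelated IDs."""
    event_id = event.get("EventID")
    if event_id == 4781:
        return event.get("NewTargetUserName")  # name after the rename
    if event_id in WATCHED_EVENTS:
        return event.get("TargetUserName")
    return None

def detect_esx_admins_activity(events):
    """Return one alert per event that creates, renames into, or adds a member
    to a group whose name matches ESX Admins; other events are ignored."""
    alerts = []
    for event in events:
        name = group_name_from_event(event)
        if name is None or not ESX_ADMINS_PATTERN.match(name):
            continue
        alerts.append({
            "event_id": event["EventID"],
            "action": WATCHED_EVENTS[event["EventID"]],
            "group": name.strip(),
            "actor": event.get("SubjectUserName"),
            "member": event.get("MemberName"),  # only present on 4728
        })
    return alerts

# Constructed sample records (field names follow the Windows Security log schema).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4727, "SubjectUserName": "hr-admin", "TargetUserName": "HR Staff"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Interns",
     "NewTargetUserName": "esx admins"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},  # logon, not a group change
]
```

Running `detect_esx_admins_activity(SAMPLE_EVENTS)` yields three alerts (the creation, the member addition and the rename) and ignores the unrelated HR group and the logon event.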
Cybercriminal Operations and Ransomware Campaigns
Microsoft’s researchers highlighted that the ESXi hypervisor is a popular target for threat actors due to its prevalence in corporate environments and limited security visibility. Various cybercriminal groups, including Black Basta, Babuk, LockBit, and Kuiper, have used ESXi encryptors in their ransomware campaigns. These incidents have notably increased in recent years, with ransomware operators like Storm-0506 exploiting the vulnerability in attacks.
Christian Mohn, a chief technologist at Proact IT Norge AS, has described the CVE as a “feature” rather than an exploit, expressing relief that VMware has decided to remove the feature due to its minimal use and potential for misconfiguration. Broadcom, VMware’s parent company, did not provide comments on the issue. Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, emphasized the importance of addressing this vulnerability to mitigate ransomware risks.
VMware ESXi has been a frequent target for cybercriminals due to its widespread adoption in corporate settings. In the past few years, numerous ransomware variants have specifically targeted ESXi hypervisors, leading to increased encryption of virtual machines. The recent rise in incidents involving ESXi encryptors underscores the need for enhanced security measures within corporate IT infrastructures.
Incidents involving groups like Octo Tempest, also known as Scattered Spider, highlight the ongoing threat posed by sophisticated cybercriminals. This group has executed high-profile attacks on major international targets, including MGM Resorts and Clorox. The FBI has recognized Scattered Spider as a significant cybersecurity threat, alongside nation-state actors from China and Russia.
Mitigating the risks associated with the CVE-2024-37085 vulnerability requires immediate patching and adherence to security best practices. Organizations must stay informed about emerging threats and ensure robust defenses against ransomware and other cyber threats.