Microsoft warns ransomware gangs are hitting VMware flaw that lets them become admins

A patch is available, so apply immediately, Microsoft says

Ransomware gangs are actively exploiting a vulnerability in VMware ESXi hypervisors to deploy encryptors and wreak havoc among victim organizations, experts have warned.

In a blog post covering the issue, Microsoft claimed VMware’s ESXi was vulnerable to an authentication bypass flaw that allowed ransomware operators to obtain full administrative permissions on domain-joined hypervisors. The vulnerability is tracked as CVE-2024-37085, and has a severity score of 6.8 (medium), according to the NVD.

The vulnerability “involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation,” Microsoft explained.
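A defender's view of that mechanism: because membership of one Active Directory group translates directly into ESXi root-equivalent access, creating, renaming or populating that group in AD is a high-value detection signal. The following is an added example, not code from the article or from Microsoft; the group name "ESX Admins" and the Windows Security event IDs are not on this page but come from standard Windows group-management auditing and Microsoft's published guidance on this CVE, and the sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows Security event IDs covering creation of, membership changes to,
# and renames of security-enabled domain groups (standard audit IDs).
GROUP_EVENT_IDS = {
    4727: "security-enabled global group created",
    4728: "member added to security-enabled global group",
    4737: "security-enabled global group changed",
    4754: "security-enabled universal group created",
    4756: "member added to security-enabled universal group",
}

# ESXi matches the group name case-insensitively, so the detector must too.
ESX_ADMINS = re.compile(r"^\s*esx\s*admins\s*$", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    group: str
    actor: str
    member: Optional[str]
    reason: str


def flag_esx_admins_events(events):
    """Return a Finding for every group-management event touching 'ESX Admins'."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in GROUP_EVENT_IDS:
            continue
        group = ev.get("TargetUserName", "")  # group name lives in TargetUserName
        if ESX_ADMINS.match(group):
            findings.append(Finding(eid, group.strip(), ev.get("SubjectUserName", "?"),
                                    ev.get("MemberName"), GROUP_EVENT_IDS[eid]))
    return findings


# Constructed sample events (not real logs): two benign, then a group being
# created and populated by a service account, which is the pattern to alert on.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "alice", "TargetUserName": "alice"},
    {"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Helpdesk",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example"},
    {"EventID": 4727, "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc_backup", "TargetUserName": "esx admins",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=example"},
]
```

Feed the function events exported from domain controllers (or the equivalent SIEM table) and treat any hit as worth an immediate check of who created the group and which hosts trust it.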

Storm-0506 and others

The Redmond giant notified VMware of its findings, and the company came back with a patch on June 25, BleepingComputer reported.

Since ransomware actors were observed actively exploiting the vulnerability to deploy encryptors, Microsoft urges all users to apply the patch immediately.

The company added in its report it had seen the Storm-0506 criminal gang deploying a variant of the Black Basta ransomware against an engineering firm in North America recently, and “during this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization.”

Storm-0506 is a threat actor that has been seen deploying Black Basta ransomware in the past as well. Black Basta is one of the most proficient ransomware-as-a-service actors out there, most likely spawned from the defunct Conti organization. But Storm-0506 is not the only threat actor Microsoft mentions in its report - Storm-1175, Octo Tempest and Manatee Tempest were all said to be selling and supporting ESXi encryptors, including Akira, Babuk, LockBit, and Kuiper.

“The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years,” the company concluded.

VMware ESXi is a hypervisor that enables the creation and management of multiple virtual machines on a single physical server, providing a platform for virtualization and efficient resource utilization. It is quite popular in the enterprise, which has also made it a major target for cybercriminals.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.