The Information Highway

VMware ESXi flaw exploited by ransomware group

Threat update

A VMware ESXi vulnerability, tracked as CVE-2024-37085, has been disclosed and is being actively exploited by several ransomware groups. Review this Cybersecurity Threat Advisory to learn how to limit the impact of this flaw.

Technical Detail and Additional Info

What is the threat?

CVE-2024-37085 is an authentication bypass vulnerability in the Active Directory (AD) integration of ESXi. When successfully exploited, it gives an attacker full administrative access to the ESXi hypervisor by default, without any further validation. The attack works by adding users to a domain group named "ESX Admins". This group does not exist by default, but once an attacker with sufficiently high privileges creates it, the ESXi hypervisor automatically grants full privileges to every user added to it, leaving businesses exposed.

Why is it noteworthy?

CVE-2024-37085 has been discovered by multiple threat groups, which are using three different methods to exploit the flaw:

  • Creating a group named "ESX Admins" in the domain and adding a user to it
  • Renaming any existing group in the domain to "ESX Admins" and then adding a user, either new or existing, to it
  • Abusing the ESXi hypervisor's privilege refresh behaviour, under which full administrative privileges granted to "ESX Admins" members are not immediately removed, giving the threat actors a window in which to abuse them

What is the exposure or risk?

CVE-2024-37085 affects the following products and versions:

  • VMware ESXi 8.0
  • VMware ESXi 7.0
  • VMware Cloud Foundation 5.x
  • VMware Cloud Foundation 4.x

Upon gaining access, ransomware groups can steal sensitive data, move through victims' networks, and encrypt the ESXi hypervisor's file system, leading to disruption of business operations. 

What are the recommendations?

 LBT Technology Group recommends the following actions to limit the impact of CVE-2024-37085:

  • Apply the available updates to the affected devices as soon as possible
  • Enforce credential hygiene: protect highly privileged accounts with multifactor authentication (MFA), or isolate privileged accounts to prevent their misuse
  • Ensure affected ESXi servers are not exposed to the public internet

Thursday, 19 September 2024