20,275 VMware ESXi Vulnerable Instances Exposed, Microsoft Warns of Massive Exploitation
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Microsoft has issued a significant security alert regarding a vulnerability in VMware ESXi hypervisors, which ransomware operators have actively exploited.
According to the Shadowserver Foundation, the vulnerability, identified as CVE-2024-37085, exposed 20,275 instances as of July 30, 2024.
We have started sharing exposed VMware ESXi vulnerable to CVE-2024-37085 (authentication bypass). While rated only CVSS 6.8 by Broadcom, this vuln has been reported by Microsoft as exploited in the wild by ransomware operators.
We see 20 275 instances vulnerable on 2024-07-30. pic.twitter.com/wTkqDSLQ38
— The Shadowserver Foundation (@Shadowserver) July 31, 2024
The CVE-2024-37085 vulnerability is an authentication bypass flaw with a CVSS score of 6.8. It specifically affects domain-joined ESXi hypervisors, allowing attackers with sufficient Active Directory (AD) permissions to gain full administrative control over the hypervisor.
This control can lead to severe consequences, including the encryption of the hypervisor’s file system, disruption of hosted virtual machines (VMs), data exfiltration, and lateral movement within the network.
Exploitation in the Wild
Microsoft researchers have observed multiple ransomware groups exploiting this vulnerability. These groups include Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. The exploitation typically involves creating a domain group named “ESX Admins” and adding users to it, thereby granting them full administrative privileges on the ESXi hypervisor.
One notable attack involved the deployment of Black Basta ransomware by the Storm-0506 group. The attackers gained initial access via a Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges.
They then used tools like Cobalt Strike and Pypykatz to steal credentials and move laterally within the network, ultimately creating the “ESX Admins” group to exploit the ESXi vulnerability.
The exploitation of CVE-2024-37085 has led to significant disruptions in affected organizations. Ransomware operators can encrypt the hypervisor’s file system by gaining full administrative access to ESXi hypervisors; rendering hosted VMs non-functional. This not only impacts the availability of critical services but also poses a risk of data loss and unauthorized access to sensitive information.
Mitigation and Recommendations
Broadcom has released security updates to address CVE-2024-37085. Administrators are strongly advised to apply these updates immediately to protect their systems. For versions of ESXi that do not receive patches, VMware recommends changing specific advanced settings to mitigate the vulnerability:
Additionally, Microsoft recommends enforcing multifactor authentication (MFA) on all accounts, isolating privileged accounts from productivity accounts, and improving the security posture of critical assets like ESXi hypervisors and vCenters.
Organizations using VMware ESXi hypervisors should take immediate action to apply the recommended patches and follow best practices to mitigate the risk of ransomware attacks.
#Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
20,275 VMware ESXi Vulnerable Instances Exposed, Microsoft Warns of Massive Exploitation
Author: Guru BaranMicrosoft has issued a significant security alert regarding a vulnerability in VMware ESXi hypervisors, which ransomware operators have actively exploited.
According to the Shadowserver Foundation, the vulnerability, identified as CVE-2024-37085, exposed 20,275 instances as of July 30, 2024.
We have started sharing exposed VMware ESXi vulnerable to CVE-2024-37085 (authentication bypass). While rated only CVSS 6.8 by Broadcom, this vuln has been reported by Microsoft as exploited in the wild by ransomware operators.
We see 20 275 instances vulnerable on 2024-07-30. pic.twitter.com/wTkqDSLQ38
— The Shadowserver Foundation (@Shadowserver) July 31, 2024
The CVE-2024-37085 vulnerability is an authentication bypass flaw with a CVSS score of 6.8. It specifically affects domain-joined ESXi hypervisors, allowing attackers with sufficient Active Directory (AD) permissions to gain full administrative control over the hypervisor.
This control can lead to severe consequences, including the encryption of the hypervisor’s file system, disruption of hosted virtual machines (VMs), data exfiltration, and lateral movement within the network.
Exploitation in the Wild
Microsoft researchers have observed multiple ransomware groups exploiting this vulnerability. These groups include Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. The exploitation typically involves creating a domain group named “ESX Admins” and adding users to it, thereby granting them full administrative privileges on the ESXi hypervisor.
One notable attack involved the deployment of Black Basta ransomware by the Storm-0506 group. The attackers gained initial access via a Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges.
They then used tools like Cobalt Strike and Pypykatz to steal credentials and move laterally within the network, ultimately creating the “ESX Admins” group to exploit the ESXi vulnerability.
The exploitation of CVE-2024-37085 has led to significant disruptions in affected organizations. Ransomware operators can encrypt the hypervisor’s file system by gaining full administrative access to ESXi hypervisors; rendering hosted VMs non-functional. This not only impacts the availability of critical services but also poses a risk of data loss and unauthorized access to sensitive information.
Mitigation and Recommendations
Broadcom has released security updates to address CVE-2024-37085. Administrators are strongly advised to apply these updates immediately to protect their systems. For versions of ESXi that do not receive patches, VMware recommends changing specific advanced settings to mitigate the vulnerability:
- Set Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false.
- Adjust Config.HostAgent.plugins.vimsvc.authValidateInterval from 1440 to 90.
- Change Config.HostAgent.plugins.hostsvc.esxAdminsGroup to an empty string[3][7].
Additionally, Microsoft recommends enforcing multifactor authentication (MFA) on all accounts, isolating privileged accounts from productivity accounts, and improving the security posture of critical assets like ESXi hypervisors and vCenters.
Organizations using VMware ESXi hypervisors should take immediate action to apply the recommended patches and follow best practices to mitigate the risk of ransomware attacks.
#Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
