Microsoft has warned that ransomware gangs are actively exploiting an authentication bypass vulnerability in VMware ESXi hypervisors.
While the vendor advisory for CVE-2024-37085 assigned only a moderate severity rating, with a CVSSv3 score of 6.8 and a Tenable Vulnerability Priority Rating (VPR) of medium, successful exploitation can be catastrophic for impacted organisations.
Microsoft's analysis of compromised hosts provided valuable insight into the methods used to take over ESXi hosts. The known attack methods are simple to carry out once the preconditions are met. The complexity is low, but the host must be joined to Active Directory (AD), and the attacker first needs privileges in AD sufficient to create, rename or populate a domain group, because an AD-joined ESXi host grants full administrative rights to members of a domain group with a specific name ("ESX Admins" by default) without verifying that the group was legitimately created. With that foothold an attacker can take complete control of the ESXi host and access the contents of every virtual machine (VM) it runs.
Scott Caveza, Staff Research Engineer at Tenable, said: "Several ransomware groups have targeted virtual machines as part of their attack chains, which can have a crippling effect on an impacted organisation. These financially motivated groups are quick to encrypt or lock as many hosts as possible, maximising the impact to a victim organisation in hopes of a handsome ransom payment. To deploy ransomware and exfiltrate data, they rely heavily on phishing, credential theft, as well as exploitation of known and exploitable vulnerabilities left unpatched by unsuspecting organisations."
He further added: "This provides a large attack surface, however, it's important to note that exploitation is very dependent on the host having been configured to use AD for user management. In addition, an attacker would also need privileged access to the AD environment in order to successfully exploit this vulnerability. Despite this significant barrier to entry, we cannot underestimate ransomware groups' abilities and determination to escalate privileges and advance their attack path once they obtain initial access. While a medium severity vulnerability may be a lower priority for patching, this is another example of how attackers will seek out and exploit any unpatched vulnerability they can, often chaining together multiple vulnerabilities in their quest for complete takeover of a breached network."
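The precondition both the analysis and Caveza describe (an AD-joined ESXi host plus an attacker who can manipulate AD groups) gives defenders a concrete signal to hunt for: the creation, renaming or population of a domain group carrying the name ESXi trusts. The script below is an added example written for this article, not code from Microsoft, Tenable or Broadcom. It runs a simple detection over constructed log records shaped like Windows Security events (IDs 4727/4731/4754 for group creation, 4781 for an account rename, 4728/4732/4756 for member additions) exported as JSON lines; the field names follow the Windows event schema, but every value is invented. The case-insensitive match and the assumption that the host still uses the default group name are the example's own choices.

```python
"""Flag Active Directory group changes that would grant ESXi admin rights.

Added example for CVE-2024-37085 hunting; not from the article or from any vendor.
Input: Windows Security events as one JSON object per line (constructed sample below).
"""
import json
from dataclasses import dataclass

# Default group name an AD-joined ESXi host honours. If a host's
# Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting was changed, use that name.
ESX_ADMINS_GROUP = "ESX Admins"

# Windows Security event IDs on the attacker's path to an "ESX Admins" group.
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global / local / universal group created
GROUP_RENAMED = {4781}               # the name of an account (groups included) was changed
MEMBER_ADDED = {4728, 4732, 4756}    # member added to security-enabled global / local / universal group


@dataclass(frozen=True)
class Finding:
    event_id: int
    actor: str      # SubjectUserName: who performed the change
    group: str      # group name that now matches the ESXi admin group
    reason: str


def _is_esx_admins(name: str) -> bool:
    # Assumption for this example: match case-insensitively and ignore surrounding
    # whitespace so a renamed "esx admins " group is still caught.
    return name.strip().casefold() == ESX_ADMINS_GROUP.casefold()


def hunt_esx_admins(events):
    """Return a Finding for every event that creates, renames or populates the ESXi admin group."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "<unknown>")
        if eid in GROUP_CREATED and _is_esx_admins(ev.get("TargetUserName", "")):
            findings.append(Finding(eid, actor, ev["TargetUserName"],
                                    "new group created with the ESXi admin group name"))
        elif eid in GROUP_RENAMED and _is_esx_admins(ev.get("NewTargetUserName", "")):
            findings.append(Finding(eid, actor, ev["NewTargetUserName"],
                                    f"existing group renamed from {ev.get('OldTargetUserName')!r}"))
        elif eid in MEMBER_ADDED and _is_esx_admins(ev.get("TargetUserName", "")):
            findings.append(Finding(eid, actor, ev["TargetUserName"],
                                    f"member {ev.get('MemberName')!r} added"))
    return findings


def parse_jsonl(text: str):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample log: five events, three of which are suspicious.
SAMPLE_LOG = """
{"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance-Users"}
{"EventID": 4727, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"}
{"EventID": 4781, "SubjectUserName": "svc-backup", "OldTargetUserName": "Printer-Ops", "NewTargetUserName": "esx admins"}
{"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"}
{"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Finance-Users", "MemberName": "CN=asmith,OU=Staff,DC=corp,DC=example"}
"""

if __name__ == "__main__":
    for f in hunt_esx_admins(parse_jsonl(SAMPLE_LOG)):
        print(f"[{f.event_id}] {f.actor}: {f.group}: {f.reason}")
```

Run against the sample, the script reports the group creation, the rename to "esx admins" and the self-add by svc-backup, and stays silent on the Finance-Users changes. In a real environment, feed it the domain controllers' Security logs and treat any hit as a priority alert, since creating the group is the whole privilege escalation; hosts joined to AD should also be patched or have their AD membership reviewed, as the article's precondition makes clear.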