CISA warns of VMware ESXi bug exploited in ransomware attacks

CISA has ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their servers against a VMware ESXi authentication bypass vulnerability exploited in ransomware attacks.

Broadcom subsidiary VMware fixed this flaw (CVE-2024-37085) discovered by Microsoft security researchers on June 25 with the release of ESXi 8.0 U3.

CVE-2024-37085 allows attackers to add a new user to the ‘ESX Admins’ group—not present by default but can be added after gaining high privileges on the ESXi hypervisor—which will automatically be assigned full administrative privileges.

Even though successful exploitation would require user interaction and high privileges to pull off, and VMware rated the vulnerability as medium-severity, Microsoft revealed on Monday week that several ransomware gangs are already exploiting it to escalate to full admin privileges on domain-joined hypervisors.

Once they gain admin permissions, they steal sensitive data from VMs, move laterally through victims’ networks, and then encrypt the ESXi hypervisor’s file system, causing outages and disrupting business operations.

So far, CVE-2024-37085 has been exploited by ransomware operators tracked as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest to deploy Akira and Black Basta ransomware.

Federal agencies have three weeks to secure vulnerable systems

Following Microsoft’s report, CISA has added the security vulnerability to its ‘Known Exploited Vulnerabilities’ catalog, serving as a warning that threat actors are leveraging it in attacks.

Federal Civilian Executive Branch Agencies (FCEB) agencies now have three weeks until August 20 to secure their systems against ongoing CVE-2024-37085 exploitation, according to the binding operational directive (BOD 22-01) issued in November 2021.

Although this directive only applies to federal agencies, the cybersecurity agency strongly urged all organizations to prioritize fixing the flaw and thwart ransomware attacks that could target their networks.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.

For years, ransomware operations have shifted their focus to targeting their victims’ ESXi virtual machines (VMs), particularly after the victims have started using them to store sensitive data and host critical applications.

However, until now, they’ve primarily used Linux lockers designed to encrypt VMs rather than exploiting specific security vulnerabilities in ESXi (such as CVE-2024-37085), even though doing so could provide a faster way to access victims’ hypervisors.