Ransomware gangs are loving this dumb but deadly make-me-admin ESXi vulnerability

An article in The Register begins with a simple question:

Do you have your VMware ESXi hypervisor joined to Active Directory?

If you don’t know what The Register is even talking about, pass this article to your IT department directly. The Register explains the significance of a recently patched vulnerability, and why you should patch immediately if you have not already done so:

CVE-2024-37085 only carries a 6.8 CVSS rating, but has been used as a post-compromise technique by many of the world’s most high-profile ransomware groups and their affiliates, including Black Basta, Akira, Medusa, and Octo Tempest/Scattered Spider.

The vulnerability allows attackers who have the necessary privileges to create AD groups – which isn’t necessarily an AD admin – to gain full control of an ESXi hypervisor.

This is bad for obvious reasons. Having unfettered access to all running VMs and critical hosted servers offers attackers the ability to steal data, move laterally across the victim’s network, or just cause chaos by ending processes and encrypting the file system.

Read more at The Register.
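The Register's description above boils down to one condition a domain controller can watch for: someone creating, renaming, or populating the Active Directory group that an AD-joined ESXi host treats as its administrators. The script below is an added example, not code from The Register or from VMware. It assumes the default group name "ESX Admins" (taken from Microsoft's public write-up of CVE-2024-37085, not from this article; change it if your hosts use a custom `Config.HostAgent.plugins.hostsvc.esxAdminsGroup` value) and parses constructed `key="value"` renderings of the standard Windows group-management audit events (4727, 4728, 4737, 4781). Field names match the Windows Security log's XML data names; the sample log lines are constructed for the example.

```python
"""Flag AD group-management events matching the CVE-2024-37085 pattern.

Added example, not from The Register article. Assumption: an AD-joined ESXi
host grants full admin rights to members of a domain group named
"ESX Admins" (name from Microsoft's public write-up). A defender watches the
domain controller's Security log for that group being created, renamed to,
changed, or given new members.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Group name honoured by AD-joined ESXi (assumption from public reporting).
WATCHED_GROUP = "esx admins"

# Standard Windows Security audit events for global group management.
GROUP_EVENTS = {
    4727: "security-enabled global group created",
    4728: "member added to security-enabled global group",
    4737: "security-enabled global group changed",
    4781: "account (group) name changed",
}


@dataclass(frozen=True)
class GroupEvent:
    event_id: int
    group: str      # for 4781 this is the NEW name
    actor: str      # SubjectUserName: who made the change
    member: str = ""  # MemberName, present on 4728


def normalise(name: str) -> str:
    """Collapse case and whitespace: the comparison should not be fooled by
    'esx admins' or 'ESX  Admins'."""
    return " ".join(name.split()).lower()


def parse_event(line: str) -> GroupEvent | None:
    """Parse one constructed key="value" audit line; return None if it is not
    a group-management event we care about."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    try:
        event_id = int(fields["EventID"])
    except (KeyError, ValueError):
        return None
    if event_id not in GROUP_EVENTS:
        return None
    # A rename (4781) carries the new name in NewTargetUserName.
    key = "NewTargetUserName" if event_id == 4781 else "TargetUserName"
    group = fields.get(key)
    if not group:
        return None
    return GroupEvent(event_id, group,
                      fields.get("SubjectUserName", "?"),
                      fields.get("MemberName", ""))


def find_suspicious(lines: list[str]) -> list[GroupEvent]:
    """Return every event that touches the watched ESXi admin group."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and normalise(ev.group) == WATCHED_GROUP:
            hits.append(ev)
    return hits


def describe(ev: GroupEvent) -> str:
    """Human-readable alert line for one hit."""
    extra = f" (member: {ev.member})" if ev.member else ""
    return f"[{ev.event_id}] {GROUP_EVENTS[ev.event_id]}: '{ev.group}' by {ev.actor}{extra}"


# Constructed sample log (not real telemetry). The 4624 logon line and the
# unrelated groups must be ignored.
SAMPLE_LOG = [
    'EventID="4727" SubjectUserName="jdoe" TargetUserName="Finance Staff"',
    'EventID="4727" SubjectUserName="jdoe" TargetUserName="ESX Admins"',
    'EventID="4728" SubjectUserName="jdoe" TargetUserName="ESX Admins" '
    'MemberName="CN=jdoe,CN=Users,DC=corp,DC=example"',
    'EventID="4781" SubjectUserName="jdoe" OldTargetUserName="Helpdesk" '
    'NewTargetUserName="esx admins"',
    'EventID="4737" SubjectUserName="admin" TargetUserName="Domain Admins"',
    'EventID="4624" SubjectUserName="jdoe" TargetUserName="ESX Admins"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(describe(hit))
```

Running it prints three alerts (the group creation, the member addition, and the rename of "Helpdesk" to "esx admins") and skips the logon event and the unrelated groups. Whoever appears as the actor on those events is the account to look at first, since creating a domain group is a far lower bar than domain admin, which is exactly why the Register calls the bug "dumb but deadly".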