
VMware Admin flaw gives hackers privileged access

Ransomware Threat Exploiting VMware ESXi Vulnerability

Summary:

Microsoft warns that ransomware gangs are exploiting a VMware flaw that lets them become admins and then deploy ransomware.

  • Vulnerability Details: The vulnerability, identified as CVE-2024-37085, affects VMware ESXi hypervisors. It allows attackers to add a new user to the "ESX Admins" group, which grants full administrative privileges. This flaw was fixed in the ESXi 8.0 U3 update released on June 25, 2024.
  • Exploitation in the Wild: Several ransomware gangs, including those known as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, have been exploiting this vulnerability to deploy ransomware like Akira and Black Basta. The exploitation allows attackers to steal sensitive data, move laterally across networks, and encrypt the ESXi hypervisor's file system, causing major disruptions.
  • Ransomware Impact: These attacks have led to significant outages and disruptions, particularly targeting critical applications and data hosted on ESXi virtual machines. The ransomware groups are focusing on ESXi VMs due to their critical importance to business operations.
  • Federal Response: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive for Federal Civilian Executive Branch (FCEB) agencies to secure their systems against this vulnerability by August 20, 2024. CISA has also urged all organizations to prioritize fixing this flaw to prevent potential ransomware attacks.
  • The Play ransomware group has started using an ESXi Linux locker for attacks, indicating a broader trend of ransomware operations targeting ESXi environments.

How we prevent this

How White Cloud Security's Trust Lockdown prevents such attacks.

White Cloud Security's Trust Lockdown solution is uniquely positioned to prevent such ransomware attacks, even when they involve privilege escalation vulnerabilities like CVE-2024-37085. Trust Lockdown implements a Zero-Trust App Security Model that uses 6-Factor Authentication to uniquely identify software and allow only pre-approved software to run.

What we do differently

  1. Default-Deny Approach

    All applications are denied by default unless explicitly trusted and approved by administrators.

  2. 6-Factor Authentication

    Uses SHA-1, SHA-256, SHA-512, MD5, CRC32, and the file's length to verify software integrity and authenticity.

  3. Strict Administrative Controls

    Even users with administrative privileges cannot run unauthorized applications, including ransomware or other malicious software.
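To make the three points above concrete, here is an added illustration (not White Cloud Security's code, and not how Trust Lockdown is implemented) of a default-deny allowlist that identifies a file by the six factors listed: SHA-1, SHA-256, SHA-512, MD5, CRC32 and file length. The allowlist entries and the sample "binaries" are constructed for the example; the decision deliberately takes no account of whether the requester is an administrator.

```python
import hashlib
import zlib

# The six identity factors named on the page, checked together (all must match).
# SHA-256 and SHA-512 carry the collision resistance; MD5, SHA-1, CRC32 and
# length are weak alone but cannot be satisfied independently of the others.
FACTORS = ("sha1", "sha256", "sha512", "md5", "crc32", "length")


def fingerprint(data: bytes) -> dict:
    """Compute all six identity factors for a file's contents."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "length": len(data),
    }


class Allowlist:
    """Default-deny: a file may run only if every factor matches an approved entry."""

    def __init__(self):
        self._entries = {}  # keyed by the full six-factor tuple

    def approve(self, data: bytes, name: str) -> None:
        fp = fingerprint(data)
        self._entries[tuple(fp[f] for f in FACTORS)] = name

    def decide(self, data: bytes, requester_is_admin: bool = False):
        # requester_is_admin is accepted only to show it is irrelevant:
        # privilege level is not an input to the execution decision.
        fp = fingerprint(data)
        name = self._entries.get(tuple(fp[f] for f in FACTORS))
        if name is None:
            return (False, "deny: not on allowlist")
        return (True, f"allow: {name}")


# Constructed sample file contents so the example runs offline.
APPROVED = b"#!/bin/sh\necho nightly backup\n"
TAMPERED = b"#!/bin/sh\necho nightly backup\n# one extra line"
UNKNOWN = b"constructed stand-in for an unapproved locker binary"


def demo():
    """Returns (approved file allowed, tampered copy allowed, unknown file allowed as admin)."""
    al = Allowlist()
    al.approve(APPROVED, "backup.sh")
    return (al.decide(APPROVED)[0],
            al.decide(TAMPERED)[0],
            al.decide(UNKNOWN, requester_is_admin=True)[0])
```

Running `demo()` returns `(True, False, False)`: only the exact approved bytes are allowed, a modified copy fails, and administrative privilege does not change the outcome.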

Only Authorised Apps Run

By leveraging these security measures, Trust Lockdown ensures that only authorized and vetted software can execute, thereby preventing ransomware gangs from exploiting vulnerabilities to gain administrative access and deploy malware.

References

For further reading, you can check the original reports here and here.