Ransomware attacks on VMware ESXi servers observed

Patch now! Ransomware attacks on VMware ESXi servers observed

Security researchers warn of ongoing attacks on systems with ESXi hypervisors. This is how ransomware Trojans get onto computers.

Attackers are currently targeting servers running the VMware ESXi hypervisor. Once an attack succeeds, they elevate themselves to admin and install ransomware. Security updates are available.

Admin vulnerability

Security researchers from Microsoft warn of the attacks in a report, but do not specify their extent. Several ransomware groups are involved, including Octo Tempest and Storm-0506, which deploy Trojans such as Akira and Black Basta. These encrypt data and demand a ransom.

The exploited vulnerability (CVE-2024-37085, rated "medium") affects VMware ESXi; the developers state that they have fixed the security problem in version ESXi80U3-24022510. As a prerequisite for an attack, attackers must have access to the Active Directory domain that an ESXi host is joined to. If that is the case, they can exploit the flaw without further authentication and become admin.

The attack

Microsoft states that it has documented three attack patterns. Because the vulnerability allows ESXi authentication to be bypassed, attackers are currently creating an "ESX Admins" group and adding themselves to it to gain admin status. This can be done using the following commands:

net group "ESX Admins" /domain /add

net group "ESX Admins" username /domain /add

Alternatively, attackers can rename an existing group to "ESX Admins". In the third variant, if admins revoke rights from a group, those rights are not removed immediately and attackers can still abuse them. According to Microsoft, however, this last method has not yet been observed.

Protection against attacks

To protect themselves from attacks, admins should install the security update promptly. They should also restrict access as far as possible so that only selected users can reach the hosts. In addition to strong passwords, multi-factor authentication (MFA) should be used. Admins should also keep a constant eye on the logs so that they can react quickly.
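The log monitoring the article recommends can be narrowed to the group-management events that the described attack patterns produce. The following Python script is an added example, not code from the heise article or from Microsoft's report: it parses a few constructed Windows Security event records (the event IDs 4727, 4728 and 4781 are the standard IDs for group creation, member addition and account rename; the simplified "key=value" line layout and all user and group names are made up for the example) and flags every record in which a group named "ESX Admins" is created, renamed to that name, or gains a member.

```python
"""Flag Active Directory events that create, rename or populate "ESX Admins".

Added example (not from the article or Microsoft's report). The input is a
constructed, simplified rendering of Windows Security event data sections;
real events would come from the Security log of a domain controller.
"""
import re

# Standard Windows Security event IDs for domain group management.
GROUP_CREATED = 4727      # A security-enabled global group was created
MEMBER_ADDED = 4728       # A member was added to a security-enabled global group
ACCOUNT_RENAMED = 4781    # The name of an account was changed (also logged for groups)

# ESXi grants admin rights to a domain group with this name; the lookup is
# case-insensitive, so the comparison below is too.
TARGET_GROUP = "esx admins"

# Constructed sample records (not real log lines): "<event_id> key=value ...".
SAMPLE_LOG = """\
4727 SubjectUserName=jdoe TargetUserName=Finance
4727 SubjectUserName=svc-backup TargetUserName="ESX Admins"
4728 SubjectUserName=svc-backup MemberName="CN=svc-backup,CN=Users,DC=corp,DC=example" TargetUserName="ESX Admins"
4781 SubjectUserName=jdoe OldTargetUserName=Helpdesk NewTargetUserName="esx admins"
4781 SubjectUserName=jdoe OldTargetUserName=Temp NewTargetUserName=Temp2
"""

# key=value or key="value with spaces, commas and = signs"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one record into (event_id, {field: value})."""
    head, _, rest = line.strip().partition(" ")
    fields = {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(rest)}
    return int(head), fields


def parse_events(text):
    """Parse every non-empty line of the constructed log."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def _is_target(name):
    return name is not None and name.strip().lower() == TARGET_GROUP


def find_esx_admins_activity(events):
    """Return (event_id, actor, description) for each record touching "ESX Admins"."""
    findings = []
    for event_id, f in events:
        actor = f.get("SubjectUserName", "?")
        if event_id == GROUP_CREATED and _is_target(f.get("TargetUserName")):
            findings.append((event_id, actor, 'group "ESX Admins" created'))
        elif event_id == MEMBER_ADDED and _is_target(f.get("TargetUserName")):
            findings.append((event_id, actor,
                             f'member added to "ESX Admins": {f.get("MemberName")}'))
        elif event_id == ACCOUNT_RENAMED and _is_target(f.get("NewTargetUserName")):
            findings.append((event_id, actor,
                             f'group "{f.get("OldTargetUserName")}" renamed to "ESX Admins"'))
    return findings


if __name__ == "__main__":
    for event_id, actor, what in find_esx_admins_activity(parse_events(SAMPLE_LOG)):
        print(f"[{event_id}] {actor}: {what}")
```

On the sample data the script reports three hits (the creation, the member addition and the rename to "esx admins") and ignores the two unrelated group events. Because ESXi matches the group name case-insensitively, the comparison deliberately lowercases and trims the name rather than looking for the exact string "ESX Admins".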

Found at https://www.heise.de/news/Jetzt-patchen-Ransomware-Attacken-auf-VMware-ESXi-Server-beobachtet-9817989.html