Hackers exploit VMware vulnerability that gives them hypervisor admin
Source: arstechnica | Contributed by: Drex DeFord
Summary
Microsoft has urged VMware ESXi hypervisor users to address CVE-2024-37085, a vulnerability that ransomware groups are exploiting to gain full administrative control over servers. Threat groups including Storm-0506 and Octo Tempest have used the flaw in post-compromise attacks to encrypt file systems and disable servers. The vulnerability causes any domain group named "ESX Admins" to automatically receive admin privileges on the hypervisor; VMware has recently patched it. Attackers have leveraged the flaw to escalate privileges and deploy ransomware such as Black Basta. Administrators are advised to prioritize patching and to monitor for suspicious domain group modifications.
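The monitoring advice above can be turned into a concrete check. The following is an added example, not code from Ars Technica, Microsoft or VMware: it scans Active Directory group-management audit events (standard Windows Security event IDs 4727, 4728, 4737 and 4781) for creation, membership changes or renames involving a group called "ESX Admins". The flat event schema and the sample rows are constructed for illustration, and the case-insensitive name match is an assumption chosen so that variants such as "esx admins" are not missed.

```python
"""Flag AD audit events that create, rename, or extend a group named
"ESX Admins". Added example with a constructed event schema; field
names are assumptions about what a log pipeline extracts from event XML."""

from typing import Dict, List

TARGET_GROUP = "ESX Admins"

# Standard Windows Security event IDs for group management.
WATCHED_EVENTS = {
    4727: "security-enabled global group created",
    4728: "member added to security-enabled global group",
    4737: "security-enabled global group changed",
    4781: "account name changed",
}

# Constructed sample events (not real logs). "new_name" is the post-rename
# name carried by event 4781; the other events carry the group in "group".
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2024-07-29T10:02:11", "event_id": 4727, "group": "ESX Admins",
     "subject": "CORP\\jdoe"},
    {"ts": "2024-07-29T10:03:40", "event_id": 4728, "group": "ESX Admins",
     "member": "CORP\\svc-backup", "subject": "CORP\\jdoe"},
    {"ts": "2024-07-29T11:15:02", "event_id": 4727, "group": "Helpdesk",
     "subject": "CORP\\admin1"},
    {"ts": "2024-07-29T12:00:00", "event_id": 4781, "old_name": "Helpdesk",
     "new_name": "esx admins", "subject": "CORP\\admin1"},
    {"ts": "2024-07-29T12:30:00", "event_id": 4624, "subject": "CORP\\jdoe"},
]


def is_target_group(name: str) -> bool:
    """Case-insensitive, whitespace-trimmed comparison (assumption: treat
    differently cased spellings as the same group to avoid misses)."""
    return name.strip().casefold() == TARGET_GROUP.casefold()


def find_suspicious(events: List[Dict]) -> List[Dict]:
    """Return one finding per watched event that touches the target group."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid not in WATCHED_EVENTS:
            continue
        # For a rename (4781) the interesting value is the new name.
        group = ev.get("new_name") if eid == 4781 else ev.get("group")
        if not group or not is_target_group(group):
            continue
        findings.append({
            "ts": ev.get("ts"),
            "event_id": eid,
            "description": WATCHED_EVENTS[eid],
            "group": group,
            "subject": ev.get("subject"),
            "member": ev.get("member"),
            "old_name": ev.get("old_name"),
        })
    return findings


def actors(findings: List[Dict]) -> List[str]:
    """Distinct accounts that performed the flagged changes, in first-seen order."""
    seen: List[str] = []
    for f in findings:
        subj = f.get("subject")
        if subj and subj not in seen:
            seen.append(subj)
    return seen


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts']} {h['event_id']} {h['description']}: "
              f"group={h['group']!r} by {h['subject']}")
    print("accounts involved:", actors(hits))
```

In a real deployment the events would come from domain controller Security logs via your SIEM; a hit on 4727 or 4781 for this group name, especially on a domain that never intentionally used it, is worth treating as a priority alert until the hypervisors are patched.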