Microsoft has revealed that several prominent ransomware groups have been exploiting a zero-day vulnerability in VMware’s ESXi hypervisor, identified as CVE-2024-37085.
This flaw allows attackers to gain unauthorized access to and control over virtual machines: creating a user group named “ESX Admins” is enough for its members to obtain full administrative privileges on the hypervisor. The vulnerability has been actively abused by groups linked to ransomware strains such as BlackBasta, Medusa, Akira, and Scattered Spider.
The flaw was discovered during an investigation of a BlackBasta ransomware attack on a North American engineering firm. Attackers initially infiltrated the company’s network using Qakbot malware and then exploited the ESXi flaw to gain control over the firm’s systems, leading to widespread encryption and data theft.
Although VMware’s parent company Broadcom has released a patch for this vulnerability, security researchers have criticized its “moderate” severity rating, given its active exploitation by ransomware groups. Microsoft urges affected organizations to promptly install the patch and examine their systems for the “ESX Admins” group to identify potential breaches.
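The check Microsoft recommends, written out as an added hunting script (not code from Microsoft, Broadcom or the article): it looks for the “ESX Admins” group in the Active Directory domain the ESXi hosts are joined to, lists who is in it, and pulls the domain controller's group-management audit events that mention the name. It assumes the RSAT ActiveDirectory module, read rights on the domain and on a domain controller's Security log, and that "Security Group Management" auditing is enabled there.

```powershell
# Added example, not part of the original article. Hunt an AD domain for the
# "ESX Admins" group that CVE-2024-37085 abuse relies on.
Import-Module ActiveDirectory

$groupName = 'ESX Admins'
$domain    = Get-ADDomain

# 1. Does a group with this exact name exist anywhere in the domain?
$groups = Get-ADGroup -Filter "Name -eq '$groupName'" -Properties whenCreated, whenChanged, Description

if (-not $groups) {
    Write-Output "No group named '$groupName' exists in $($domain.DNSRoot)."
}
else {
    foreach ($g in $groups) {
        Write-Output "Group '$($g.Name)' found at $($g.DistinguishedName)"
        Write-Output "  Created: $($g.whenCreated)  Last changed: $($g.whenChanged)  Scope: $($g.GroupScope)"
        # Every member, nested ones included, effectively holds full admin rights
        # on every affected ESXi host joined to this domain: review each one.
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object Name, SamAccountName, objectClass, DistinguishedName |
            Format-Table -AutoSize
    }
}

# 2. Who created, or renamed an existing group to, this name? Pull the relevant
#    Security-log events from one domain controller for the last 90 days:
#    4727 = security-enabled global group created, 4731 = security-enabled
#    local group created, 4781 = account name changed (a rename to "ESX Admins").
$dc    = (Get-ADDomainController).HostName
$since = (Get-Date).AddDays(-90)

Get-WinEvent -ComputerName $dc `
             -FilterHashtable @{ LogName = 'Security'; Id = 4727, 4731, 4781; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($groupName) } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

An absent group is not proof of a clean environment: the events in step 2 still show whether such a group was created and later deleted, and the audit window should be widened if the retention period allows.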
The origin of this zero-day exploit remains unknown, but Microsoft speculates that it may have been purchased from hackers for significant sums.