Hackers have long targeted Windows and Linux machines directly. Now they are going after the hypervisor layer: a vulnerability in VMware ESXi is being exploited to encrypt virtual machines on a massive scale.
The vulnerability, tracked as CVE-2024-37085, carries a CVSS score of 6.8 out of 10 (Broadcom rates it moderate), yet its practical impact is far greater than that number suggests. ESXi hosts joined to Active Directory grant full administrative access to members of a domain group named "ESX Admins" by default, even though no such group exists in a fresh domain. An attacker who has already compromised a domain account with permission to create or rename groups can therefore create an "ESX Admins" group, add themselves to it, and take control of every domain-joined ESXi host in one step, after which the virtual machines on those hosts can be encrypted wholesale. The result has been a surge in ransomware deployments and large-scale data exfiltration.
Ransomware groups including Evil Corp, Octo Tempest, Black Basta, and Akira have previously targeted ESXi hosts in their attacks. The current situation is more severe: the flaw turns an ordinary Active Directory foothold into hypervisor-wide control, so attackers are abusing Active Directory to reach ESXi hosts in bulk.
Broadcom, which now owns VMware, has released a fix for the vulnerability. The general mitigation advice that accompanies it, keeping systems updated, enforcing multi-factor authentication, moving administrative accounts to passwordless authentication, and maintaining tested backup and recovery plans, is sound but says little about how attackers are actually compromising ESXi hypervisors. Broadcom's advisory also documents the ESXi advanced settings Config.HostAgent.plugins.hostsvc.esxAdminsGroup and Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd, which let administrators rename the trusted group or disable the automatic mapping entirely; on hosts that cannot be patched immediately, changing those settings and watching Active Directory for the creation or renaming of a group with the trusted name is the practical interim step.
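As an added example (not code from the article, Broadcom or VMware), the detection logic below scans Windows Security-log events for the creation, renaming or population of the Active Directory group that ESXi hosts trust as their administrators. The event records are constructed for this example, and the field names assume a SIEM export that preserves the standard Security-log fields (EventID, TimeCreated, SubjectUserName for the actor, TargetUserName for the group, MemberName for the account added). Case and whitespace folding is a defensive choice of this example, not a statement about how ESXi compares the name; if the host's trusted group has been renamed through the advanced setting, pass that name as group_name.

```python
"""
Added example, not code from the article, Broadcom or VMware: flag Windows
Security-log events that create, rename or populate the Active Directory
group an ESXi host trusts as its administrators ("ESX Admins" by default).
Field names follow the standard Windows Security event schema; the sample
events below are constructed for this example.
"""
import re

# Security-enabled group lifecycle events in the Windows Security log.
GROUP_EVENTS = {
    4727: "security-enabled global group created",
    4728: "member added to security-enabled global group",
    4737: "security-enabled global group changed (e.g. renamed)",
    4754: "security-enabled universal group created",
    4755: "security-enabled universal group changed (e.g. renamed)",
    4756: "member added to security-enabled universal group",
}

DEFAULT_ESX_ADMINS_GROUP = "ESX Admins"


def normalize(name: str) -> str:
    """Fold case and whitespace so 'esx  admins' is not missed.
    Defensive choice for this example, not a claim about ESXi's own comparison."""
    return re.sub(r"\s+", " ", name).strip().lower()


def find_esx_admins_activity(events, group_name=DEFAULT_ESX_ADMINS_GROUP):
    """Return the events that touch the ESXi admin group, oldest first.

    `events` is an iterable of dicts as a SIEM would produce from the
    Security log: EventID, TimeCreated, SubjectUserName (the actor),
    TargetUserName (the group's SAM account name) and, for membership
    changes, MemberName (the DN of the account that was added).
    """
    target = normalize(group_name)
    hits = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id not in GROUP_EVENTS:
            continue
        if normalize(ev.get("TargetUserName", "")) != target:
            continue
        hits.append({
            "time": ev.get("TimeCreated"),
            "EventID": event_id,
            "what": GROUP_EVENTS[event_id],
            "actor": ev.get("SubjectUserName"),
            "group": ev.get("TargetUserName"),
            "member": ev.get("MemberName"),
        })
    hits.sort(key=lambda h: h["time"] or "")
    return hits


# Constructed sample: a normal logon, a benign group creation, and the
# pattern an attacker leaves when claiming the ESXi admin group.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-07-29T08:01:12Z",
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
    {"EventID": 4727, "TimeCreated": "2024-07-29T08:03:40Z",
     "SubjectUserName": "hr-admin", "TargetUserName": "Finance Users"},
    {"EventID": 4727, "TimeCreated": "2024-07-29T08:05:02Z",
     "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "TimeCreated": "2024-07-29T08:05:09Z",
     "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4737, "TimeCreated": "2024-07-29T09:15:33Z",
     "SubjectUserName": "jdoe", "TargetUserName": "esx admins"},
]


if __name__ == "__main__":
    for hit in find_esx_admins_activity(SAMPLE_EVENTS):
        print(f'{hit["time"]} {hit["EventID"]} {hit["what"]}: '
              f'{hit["actor"]} -> {hit["group"]} {hit["member"] or ""}')
```

A single hit is worth an alert on its own, because the trusted group should never be created or renamed outside a change window; a 4727 followed within seconds by a 4728 from the same actor, as in the sample, is the sequence to page on.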
For context, Broadcom announced its acquisition of VMware, the virtualization software giant, in May 2022 in a deal valued at about $69 billion including assumed debt; the deal closed in November 2023.
It is also worth noting that in early June 2024 the APT Inc group, formerly known as SEXi ransomware, was targeting ESXi environments, as was the Play ransomware group, which was observed using the underground link-shortening service run by the threat actor known as Prolific Puma, relying on automated domain registration and shortened links to deliver its attacks.