Items tagged with: storm1175


Microsoft: Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption
Reference: CVE-2024-37085 (CVSS 6.8, medium; disclosed 25 June 2024 by Broadcom), a VMware ESXi authentication bypass vulnerability.
Microsoft uncovered evidence of ransomware threat actors exploiting CVE-2024-37085 against VMware ESXi hypervisors. The actors include Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest, deploying Akira and Black Basta ransomware. The report provides a technical analysis of CVE-2024-37085 and a case study of Storm-0506 leveraging it to deploy Black Basta (honorable mention: a Qakbot initial infection followed by exploitation of the Windows CLFS vulnerability CVE-2023-28252). No IOCs, but threat hunting queries are provided.
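Added example, written for this page rather than taken from it or from Microsoft's report: a Python hunt over exported Windows Security events for the Active Directory side of CVE-2024-37085. ESXi hosts joined to a domain grant full administrative access to members of a domain group named "ESX Admins", which does not need to exist beforehand, so an attacker with sufficient AD privileges creates it, renames an existing group to it, or adds an account to it. The sample events are constructed; EventID, SubjectUserName, TargetUserName and MemberName are the standard data fields of these events, while "NewTargetUserName" on the group-changed events is an assumption about how the export exposes the new name.

```python
import re
from dataclasses import dataclass

# Group name that AD-joined ESXi hosts honour by default (CVE-2024-37085).
ESX_ADMINS = "esx admins"

# Windows Security event IDs for security-enabled group lifecycle events,
# covering global / local / universal scope. A rename surfaces as "changed".
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
GROUP_CHANGED = {4737, 4735, 4755}


def normalise(name: str) -> str:
    """Case-fold and collapse whitespace so 'esx  ADMINS' still matches."""
    return re.sub(r"\s+", " ", name.strip()).casefold()


@dataclass
class Finding:
    event_id: int
    actor: str   # SubjectUserName: the account that made the change
    detail: str


def hunt_esx_admins(events):
    """Return one Finding per event that creates, renames to, or populates a
    group called 'ESX Admins'. Each event is a dict of the event's data
    fields; 'NewTargetUserName' for renames is an assumed export field."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "<unknown>")
        group = normalise(ev.get("TargetUserName", ""))
        if eid in GROUP_CREATED and group == ESX_ADMINS:
            findings.append(Finding(eid, actor, "group 'ESX Admins' created"))
        elif eid in MEMBER_ADDED and group == ESX_ADMINS:
            member = ev.get("MemberName", "<unknown>")
            findings.append(Finding(eid, actor, f"{member} added to 'ESX Admins'"))
        elif eid in GROUP_CHANGED and normalise(ev.get("NewTargetUserName", "")) == ESX_ADMINS:
            old = ev.get("TargetUserName", "<unknown>")
            findings.append(Finding(eid, actor, f"group '{old}' renamed to 'ESX Admins'"))
    return findings


# Constructed sample records (not real telemetry); keys mirror the data
# fields of the events as they appear in an EVTX-to-JSON export.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance-RO"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Finance-RO",
     "MemberName": "CN=Jane Doe,OU=Users,DC=corp,DC=example"},
    {"EventID": 4727, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4737, "SubjectUserName": "svc-backup", "TargetUserName": "HelpDesk",
     "NewTargetUserName": "esx  ADMINS"},
]


if __name__ == "__main__":
    for f in hunt_esx_admins(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.actor}: {f.detail}")
```

Replace SAMPLE_EVENTS with a dump of the domain controllers' Security log to run it for real; an exact-name match is enough because ESXi compares the group name literally. On the hypervisor side, the group name and the auto-add behaviour are controlled by the advanced settings Config.HostAgent.plugins.hostsvc.esxAdminsGroup and Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd, so any host where those still hold their defaults is exposed regardless of what the AD hunt finds.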

cc: @SwiftOnSecurity

#CVE_2024_37085 #threatintel #ransomware #qakbot #storm0506 #storm1175 #octotempest #manateetempest #vmware #CVE_2023_28252