After completing the form, the system will prompt you to select a meeting time.
On our first call, we will determine whether and how we can help. From there, we discuss your current state under the protection of a non-disclosure agreement and craft a tailored plan to move you and your company forward. Last, we carry out that plan together in a way that saves you time, money, and stress.
ESXi Hypervisor Vulnerability Under Active Exploitation
By
Matthew Fagan, Vulnerability Management Patch Analyst
By
Access Point Consulting
Summary
A threat intelligence advisory has been released by Microsoft Threat Intelligence regarding a vulnerability impacting VMware’s ESXi bare metal hypervisor. A patch has been released for the vulnerability, which is categorized as CVE-2024-37085 (CVSS 3.1: 6.8), yet it is actively being used by threat actors (i.e., Storm-0506, Storm-1175, Octo Tempest, Manatee Tempest) in a ransomware campaign. The vulnerability is defined as an authentication bypass vulnerability, which allows a malicious actor with enough permissions to gain full access to an ESXi host through active directory (AD). This is done by re-creating the configured AD group (ESXi Admins) after it had been deleted from the active directory.
Impact
This vulnerability by itself is considered medium severity, but can be very impactful when used in tandem with other tactics because it can allow authentication bypass and administrator privileges over critical business infrastructure. Evidence indicates the vulnerability has been exploited by multiple threat actor groups.
The vulnerability impacts the ESXi v7.0, ESXi v8.0 and VMware Cloud Foundation 4.x and 5.x according to the response matrix detailed in the security advisory.
Remediation
Fixed versions have been released for ESXi v8.0 and VMware Cloud Foundation 5.x. Moving to Update 3 for ESXi and 5.2 for VMware Cloud Foundation will remediate this vulnerability.
There are also workarounds detailed in KB article 369707 that involve changing the following settings in the ESXi advanced options.
Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd from true to false
Config.HostAgent.plugins.vimsvc.authValidateInterval from 1440 to 90
Config.HostAgent.plugins.hostsvc.esxAdminsGroup from "ESX Admins" to ""
Recommendations
Patch - Ransomware actors use multiple vulnerabilities and there are many steps in an attack chain. Breaking any one of these steps will prevent the vulnerability from being exploited. In this case, applying patches to remediate CVE-2023-28252 or CVE-2024-37085 will break this attack chain. If any of the steps indicated below are disrupted, the attack is halted. Follow vendor instructions and apply patches where applicable to effectively disrupt this attack chain.
Mitigate - Mitigations are provided; ensure that the group ESX admins exists and is hardened against attack. Advanced host settings are also available detailed above in the remediation section.
Prioritize - This vulnerability should be remediated with a high priority. It is being exploited by multiple threat actors and a clear vendor solution is available.
Monitor and Scan - Ensure alerts are enabled and audits are done through active directory to detect anomalous behavior. Vulnerability and asset scanning is crucial in detecting exposed assets, utilizing vulnerability scanning tools such as Microsoft Defender, Qualys, and Nessus are essential to detect vulnerabilities in critical assets.
Clean Credentials - Microsoft recommends utilizing credential hygiene methods due to the attack vector for this vulnerability. The attack requires existing access to credentials with sufficient permissions to perform the exploit. Enforcing MFA, authentication without passwords, and isolating privileged accounts are all recommended.
Last month, NIST published its first set of post-quantum cryptography (PQC) standards, setting a new benchmark for enterprises, government agencies, and vendors to withstand future cyberattacks from quantum computers. The time to start transitioning is now. Discover what’s at stake with CyberWatch.
Hospitals and healthcare providers have increasingly become targets of cyberattacks, which pose significant risks to patient care and safety. This document examines the various ways in which cyberattacks can disrupt hospital operations, compromise patient data security, and ultimately affect the quality of patient care. It also explores strategies and best practices that hospitals can implement to mitigate these risks and enhance their cybersecurity posture.
Ethical hacking has become an essential response to an IT industry kept on its toes by a spectrum of bad actors with malicious intent. This article introduces two prominent methodologies that help the good guys fight back: penetration testing (pen-testing) and red teaming. Learn more here.
Host Geoff Hancock was joined by guests Mike Rush, Director of Threat Intelligence at Access Point Consulting; and Evie Manning, Senior Director of Threat Hunting and Intelligence at Access Point Consulting. Together, they talked about cyber threat intelligence and the applications that can make it work for small and medium-sized businesses.
Last month, NIST published its first set of post-quantum cryptography (PQC) standards, setting a new benchmark for enterprises, government agencies, and vendors to withstand future cyberattacks from quantum computers. The time to start transitioning is now. Discover what’s at stake with CyberWatch.
Every second Tuesday of the month, Microsoft releases patches to their applications, services, and operating systems. Typically, these patches include a myriad of security fixes and this time around, for September of 2024, 79 different vulnerabilities have been addressed, including 4 zero-day vulnerabilities and 10 critical vulnerabilities.
A newly uncovered phishing campaign is exploiting the growing popularity of CapCut, a video editing tool developed by ByteDance. The attackers are utilizing a technique known as reputational hijacking, which allows them to embed malware within a legitimate-looking package, bypassing Smart App Control (SAC) and leaving users vulnerable to data theft and system compromise. This campaign represents a significant escalation in the tactics used by threat actors to evade detection.