Illustration: Supimol Kumying | Shutterstock
Security researchers have caught the BlackByte ransomware gang exploiting a recently patched vulnerability in VMware ESXi, along with multiple vulnerable drivers used to disable security measures on target systems. CVE-2024-37085 is an authentication bypass vulnerability in VMware’s ESXi hypervisors.
Security researchers from Cisco Talos spotted the campaign. While investigating a recent ransomware attack, the researchers discovered that the intrusion was likely done via valid credentials that enabled access to the victim organisation’s VPN. Initial access was likely achieved by brute force.
Their report explains that given the group’s history of exploiting public-facing vulnerabilities for initial access, the use of VPN for remote access may “represent a slight shift in technique or could represent opportunism.”
The group then escalated its privileges and used the newly acquired permissions to access the target organisation’s VMware vCenter server, where it created new accounts and added them to the “ESX Admins” Active Directory group. This is where CVE-2024-37085 was exploited: the bug allows an attacker to gain administrator privileges on the hypervisor simply by creating an Active Directory group with that name and adding a user to it.
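Because the flaw hinges on a group with a specific name appearing in Active Directory, the creation of, or membership changes to, an “ESX Admins” group are a natural thing for defenders to alert on. The script below is an added example written for this article, not code from Cisco Talos or from the BlackByte report; it assumes the standard Windows Security log event IDs for group creation (4727, 4731), member addition (4728, 4732) and account rename (4781), and runs over constructed sample events rather than real telemetry.

```python
"""Flag Windows Security events that create, rename to, or add members to a
domain group named "ESX Admins" (the group name CVE-2024-37085 abuse relies
on). The events below are constructed samples, not real log data."""
import json

# Assumed standard Windows Security log event IDs.
GROUP_CREATED = {4727, 4731}     # security-enabled global / local group created
MEMBER_ADDED = {4728, 4732}      # member added to global / local group
ACCOUNT_RENAMED = {4781}         # account (including group) renamed
TARGET_GROUP = "esx admins"


def is_target_group(name):
    # Case-insensitive, whitespace-trimmed comparison so that trivial
    # variations of the name do not slip past the rule.
    return (name or "").strip().lower() == TARGET_GROUP


def parse_events(jsonl_text):
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def analyze(events):
    """Return (finding_type, object, actor) tuples for suspicious events."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName")
        if eid in GROUP_CREATED and is_target_group(ev.get("TargetUserName")):
            findings.append(("group_created", ev.get("TargetUserName"), actor))
        elif eid in MEMBER_ADDED and is_target_group(ev.get("TargetUserName")):
            findings.append(("member_added", ev.get("MemberName"), actor))
        elif eid in ACCOUNT_RENAMED and is_target_group(ev.get("NewTargetUserName")):
            findings.append(("renamed_to_target", ev.get("OldTargetUserName"), actor))
    return findings


# Constructed sample events: two benign changes and three that should fire.
SAMPLE_EVENTS_JSONL = "\n".join([
    json.dumps({"EventID": 4727, "TargetUserName": "Helpdesk", "SubjectUserName": "admin01"}),
    json.dumps({"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"}),
    json.dumps({"EventID": 4728, "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,OU=Users,DC=example,DC=local", "SubjectUserName": "jdoe"}),
    json.dumps({"EventID": 4728, "TargetUserName": "Domain Users", "MemberName": "CN=newhire,OU=Users,DC=example,DC=local", "SubjectUserName": "admin01"}),
    json.dumps({"EventID": 4781, "OldTargetUserName": "Temp Group", "NewTargetUserName": "esx admins", "SubjectUserName": "jdoe"}),
])


def run_sample():
    return analyze(parse_events(SAMPLE_EVENTS_JSONL))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Each finding names the actor who made the change, which is the detail an analyst needs first when deciding whether a legitimate administrator created the group or whether, as in the intrusion described here, a freshly obtained account is being used to stage hypervisor takeover.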
The attack ends with the encryptor locking all files on the affected system and appending the “blackbytent_h” extension to them. The encryptor also installs four vulnerable drivers as part of a BYOVD (Bring Your Own Vulnerable Driver) attack, a signature tactic of the BlackByte group.
Researchers also highlighted that the flaw was exploited within days of public disclosure, showing how quickly the group weaponises new vulnerabilities and folds them into its tactics. They also believe the group is likely more active than it appears, with only an estimated 20 to 30 percent of victims being posted publicly.