Akira, Black Basta Ransomware Spread Via VMware ESXi Bug

Several ransomware operations have exploited CVE-2024-37085, an already patched, medium-severity authentication bypass flaw in VMware ESXi, to facilitate Akira and Black Basta ransomware infections, BleepingComputer reports.

According to an analysis from Microsoft, the Storm-0506 ransomware group compromised vulnerable VMware ESXi hypervisors belonging to a North American engineering firm and deployed Black Basta. The intrusion began with initial network access via Qakbot, followed by privilege escalation through exploitation of the Windows CLFS bug tracked as CVE-2023-28252, and the use of Cobalt Strike and Pypykatz to steal domain admin credentials.

The findings come as ransomware operations increasingly turn to lockers that encrypt VMware ESXi virtual machines, seeking to compromise hypervisors more quickly and to maintain access to the breached instances more reliably.
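One defensive check this CVE invites, as an added example that is not part of the article or of Microsoft's or VMware's own tooling: CVE-2024-37085 is known to grant administrative access on domain-joined ESXi hosts to members of an Active Directory group named "ESX Admins" (a mechanism detail the article itself does not spell out), so the creation, renaming or membership changes of a group by that name in Windows Security logs are worth alerting on. The script below scans constructed JSON-lines event records for such activity; the field names and sample values are assumptions about a log forwarder's output, not real telemetry.

```python
import json
import re

# Well-known Windows Security event IDs for group lifecycle events.
GROUP_CREATED = {4727, 4731}   # security-enabled global / local group was created
GROUP_CHANGED = {4737, 4735}   # security-enabled global / local group was changed (e.g. renamed)
MEMBER_ADDED = {4728, 4732}    # a member was added to a security-enabled global / local group

# CVE-2024-37085 grants ESXi admin rights to members of an AD group named
# "ESX Admins". Matching is case-insensitive and whitespace-tolerant as a
# conservative choice, so look-alike names are surfaced for review too.
WATCHED_GROUP = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)


def group_names(event):
    """Yield every field that may carry a group name for these event IDs."""
    # TargetUserName holds the group name in 47xx group events; on a rename
    # (4737/4735) the new SAM account name is reported in SamAccountName too.
    # Field names are an assumption about the forwarder's JSON layout.
    for key in ("TargetUserName", "SamAccountName"):
        value = event.get(key)
        if isinstance(value, str):
            yield value


def classify(event):
    """Return an alert kind for a parsed event, or None if it is not of interest."""
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        return None
    if not any(WATCHED_GROUP.match(name) for name in group_names(event)):
        return None
    if event_id in GROUP_CREATED:
        return "group_created"
    if event_id in GROUP_CHANGED:
        return "group_renamed_or_changed"
    if event_id in MEMBER_ADDED:
        return "member_added"
    return None


def find_esx_admins_events(jsonl_lines):
    """Scan JSON-lines Security events and return alerts for ESX Admins group activity."""
    alerts = []
    for line_no, line in enumerate(jsonl_lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed forwarder output: skip rather than abort the scan
        kind = classify(event)
        if kind is None:
            continue
        alerts.append({
            "line": line_no,
            "kind": kind,
            "event_id": int(event["EventID"]),
            "actor": event.get("SubjectUserName", "?"),
            "member": event.get("MemberName"),
            "computer": event.get("Computer", "?"),
        })
    return alerts


# Constructed sample records (not real telemetry), one JSON object per line,
# in the shape a log forwarder might emit for Windows Security events.
SAMPLE_LOG = """
{"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe", "Computer": "DC01"}
{"EventID": 4728, "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,OU=Service,DC=example,DC=test", "SubjectUserName": "jdoe", "Computer": "DC01"}
{"EventID": 4727, "TargetUserName": "Helpdesk", "SubjectUserName": "admin1", "Computer": "DC01"}
{"EventID": 4737, "TargetUserName": "Printer Ops", "SamAccountName": "esx admins", "SubjectUserName": "jdoe", "Computer": "DC01"}
{"EventID": 4624, "TargetUserName": "ESX Admins", "SubjectUserName": "-", "Computer": "DC01"}
this line is not JSON and is skipped
"""

if __name__ == "__main__":
    for alert in find_esx_admins_events(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as a script it prints the three alerts hidden in the embedded sample (a creation, a membership addition and a rename into the watched name); in practice, feed it Security events exported from domain controllers, and treat every hit as a ticket for review rather than an automatic block, since an administrator configuring ESXi Active Directory integration may create the same group legitimately.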

"The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years," Microsoft added.
