Attacks leveraging the recently disclosed VMware ESXi authentication bypass flaw, tracked as CVE-2024-37085, were reported by Cisco Talos Incident Response team researchers to have been conducted by the BlackByte ransomware operation, which is thought to have branched off the Conti ransomware group, according to SC Media.
With BlackByte commonly targeting known vulnerabilities and using credential-stealing tools, web shells, and Cobalt Strike to compromise targeted networks, such intrusions were noted by BlueVoyant Global Head of Professional Services Berglas and Critical Start Senior Manager of Cyber Threat Research Callie Guenther to be a significant shift for the ransomware gang.
"By pivoting from established methods to exploiting the new CVE-2024-37085 vulnerability in VMware ESXi, the e-crime group is adapting its tactics to take advantage of a newly discovered weakness, potentially making their attacks more effective and harder to predict or defend against," said Berglas, who noted that the exploitation of the flaw, which was only added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog in late July, was similar to advanced persistent threat operations.