In September 2024, GoSecure Threat Hunters selected CVE-2024-37085, a critical vulnerability affecting VMware ESXi hypervisors, as the focus of a threat hunt. This privilege-escalation vulnerability could give attackers administrative access to ESXi hosts; such access could lead to ransomware deployment, data theft, and control over key assets within virtual environments.
Why This Matters
VMware ESXi hypervisors are prime targets for ransomware campaigns due to their widespread usage in virtualized environments. Attackers with elevated privileges could wreak havoc by spreading ransomware quickly across networks. It’s essential that organizations remain vigilant and act promptly to secure their systems.
Detection and Monitoring
GoSecure Threat Hunters have been actively hunting for signs of this vulnerability being exploited. While no specific activity has been detected thus far, we continue to monitor all systems for suspicious behavior and have introduced new detection rules to protect against potential exploitation. For more details on this threat hunt, we recommend reaching out directly to our team.
Recommendations
We strongly encourage all organizations using domain-joined VMware ESXi hypervisors to apply the latest security patches from VMware. If patching is not possible, consider implementing additional security measures, such as restricting membership of administrative groups and closely monitoring ESXi logs for unusual activity.
Conclusion
The GoSecure Threat Hunting team remains dedicated to safeguarding your infrastructure against emerging threats like CVE-2024-37085. For more information on how we’re addressing this vulnerability or how our MXDR services can help, contact us directly at (888) 287-5858 or info@gosecure.ai.
Stay secure!
Your GoSecure Threat Hunting Team