BlackByte Ransomware Group Targets VMware ESXi Bug

August 28, 2024 | The BlackByte ransomware group is exploiting a new authentication bypass vulnerability in VMware ESXi, signaling a shift from their traditional tactics. Researchers at Cisco Talos reported that BlackByte, believed to be an offshoot of the Conti gang, typically uses vulnerable drivers and legitimate tools to bypass security.

The newly exploited bug, CVE-2024-37085, was recently added to CISA’s Known Exploited Vulnerabilities catalog. This marks a departure from BlackByte’s usual methods, which included phishing and credential stuffing.

Austin Berglas of BlueVoyant noted that the exploitation of this vulnerability requires more persistence, indicating a deeper attack strategy that seeks to gain administrative access rather than just initial entry.

Callie Guenther of Critical Start emphasized the importance of targeting VMware ESXi, as it underpins many enterprise applications. “This shift shows their willingness to adopt cutting-edge methods, increasing the pressure on victims to pay the ransom,” she said.

[Read the full article]

Newsletter Signup

Stay up-to-date on the latest resources and news from CRITICALSTART.
Analyst-Led Cybersecurity with AI Assistance. Upcoming Webinar - December 17
This is default text for notification bar