Kevin Beaumont on Nostr: Great research for Microsoft here - Black Basta and Akira ransomware deployment using ...
Published at 2024-07-29 16:54:31

Event JSON
{
"id": "a5467db0058d9e3b57abd12217e3fda884ee02ef172122cc257153939c54123a",
"pubkey": "f6870afcde4480ec8508f50304859e14a51309ff24ab3f0f862c52bdc4af8747",
"created_at": 1722272071,
"kind": 1,
"tags": [
[
"proxy",
"https://cyberplace.social/users/GossiTheDog/statuses/112870822471780457",
"activitypub"
]
],
"content": "Great research for Microsoft here - Black Basta and Akira ransomware deployment using a logic flaw in VMware ESXi, using a zero day (which they don't mention). \n\nIf you get domain admin in Windows, you can make a group called \"ESX Admins\", and then you can log into ESXi - this allows you to encrypt non-Windows systems (and everything else in VMware)\n\nhttps://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/",
"sig": "5e91fc73383e154ae6a4a99a5f270b950d15b38b307a107b1a5edc0d51bb849a74af25fb8fc2204c873ef1321a2c3528a62ed18c5421b6abd6e3353d8250c5ff"
}