Cyber999 Advisories

7 September 2024     Advisory

MA-1138.092024: MyCERT Advisory - BlackByte Ransomware Exploits VMware ESXi


1.0 Introduction

The BlackByte ransomware group is actively exploiting a recently patched authentication bypass vulnerability in VMware ESXi hypervisors, tracked as CVE-2024-37085, to deploy ransomware and gain full administrative access to victim networks.


2.0 Impact

Successful exploitation of this authentication bypass allows attackers to gain administrator access to the hypervisor, thereby compromising the virtual machines it hosts and bypassing security controls.


3.0 Affected Products

  • VMware ESXi hypervisor


4.0 Indicators of Compromise (IOCs)

Hash (SHA-256)                                                      Description
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd    RtCore64.sys
0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5    DBUtil_2_3.sys
543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91    zamguard64.sys
31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427    gdrv.sys
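The four hashes above are file hashes, so the natural defensive check is to hash files on a suspect host and compare them against the list. The script below is an added example for this advisory, not a tool published by MyCERT or by Broadcom: it embeds the SHA-256 values from section 4.0, walks a directory tree, hashes every file with a chosen suffix (the ".sys" default is an assumption taken from the file names in the table) and reports matches. The demo() function exercises the matching path on constructed files only, so it runs offline without any real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IoC hashes copied from section 4.0 of this advisory, mapped to the
# file name the advisory lists beside each one.
BLACKBYTE_IOC_HASHES = {
    "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd": "RtCore64.sys",
    "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5": "DBUtil_2_3.sys",
    "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91": "zamguard64.sys",
    "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427": "gdrv.sys",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, ioc_hashes=BLACKBYTE_IOC_HASHES, suffixes=(".sys",)):
    """Walk `root` and return (path, sha256, ioc_name) for every file whose hash is an IoC.

    `suffixes` limits hashing to driver-like names (assumed filter); pass an empty
    tuple to hash every file regardless of extension.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if suffixes and not name.lower().endswith(tuple(s.lower() for s in suffixes)):
                continue
            full_path = os.path.join(dirpath, name)
            try:
                file_hash = sha256_of_file(full_path)
            except OSError:
                # Unreadable or vanished file: skip rather than abort the whole scan.
                continue
            if file_hash in ioc_hashes:
                hits.append((full_path, file_hash, ioc_hashes[file_hash]))
    return hits


def demo():
    """Run the scanner over constructed files (no real driver or malware sample is used).

    Returns (hits against the real advisory list, hits against a list extended with
    the constructed sample's own hash) so both the no-match and match paths are shown.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "benign.sys"
        benign.write_bytes(b"constructed benign driver bytes")
        sample = Path(tmp) / "sample.sys"
        sample.write_bytes(b"constructed sample standing in for a flagged driver")
        (Path(tmp) / "notes.txt").write_bytes(b"ignored by the .sys suffix filter")

        # Neither constructed file has a hash from the advisory, so this stays empty.
        real_hits = scan_directory(tmp)

        # Extend a copy of the list with the sample's digest to exercise the match path.
        extended = dict(BLACKBYTE_IOC_HASHES)
        extended[sha256_of_file(sample)] = "constructed-sample"
        injected_hits = scan_directory(tmp, extended)

        return len(real_hits), [(Path(p).name, ioc) for p, _, ioc in injected_hits]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, file_hash, ioc in scan_directory(target):
        print(f"MATCH {ioc}: {path} ({file_hash})")
```

Run it as `python scan_iocs.py C:\Windows\System32\drivers` on a Windows host, or point it at a mounted disk image; matching by hash only means a renamed driver is still caught, while a file that merely shares one of the listed names but has a different hash is not reported and would need separate review.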


5.0 MITRE ATT&CK Framework

Tactic                 Technique ID   Tactic, Technique, Sub-Technique Description
Initial Access         T1078.002      Initial Access: Valid Accounts: Domain Accounts
                       T1078.003      Valid Accounts: Local Accounts
Discovery              T1018          Discovery: Remote System Discovery
                       T1083          Discovery: File and Directory Discovery
Persistence            T1136.002      Persistence: Create Account: Domain Account
Execution              T1204          Execution: User Execution
                       T1569.002      Execution: System Services: Service Execution
Privilege Escalation   T1543          Privilege Escalation: Create or Modify System Process
                       T1484.001      Privilege Escalation: Domain Policy Modification
                       T1484          Privilege Escalation: Domain Modification
                       T1098          Privilege Escalation: Account Manipulation
Lateral Movement       T1021.002      Remote Services: SMB/Windows Admin Shares
                       T1021.001      Remote Services: Remote Desktop Protocol
                       T1210          Exploitation of Remote Services
Resource Development   T1608          Resource Development: Stage Capabilities
Defense Evasion        T1562.001      Defense Evasion: Impair Defenses: Disable or Modify Tools
                       T1112          Defense Evasion: Modify Registry
                       T1070.004      Defense Evasion: Indicator Removal: File Deletion
                       T1211          Defense Evasion: Exploitation for Defense Evasion
Impact                 T1529          Impact: System Shutdown/Reboot
                       T1486          Impact: Data Encrypted for Impact


6.0 Recommendations

CyberSecurity Malaysia encourages users and administrators to review Broadcom's Security Advisories and apply the necessary updates.

Kindly refer to the following URL: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505


For further enquiries, please contact Cyber999 through the following channels:


E-mail: cyber999[at]cybersecurity.my 

Phone: 1-300-88-2999 (monitored during business hours)  

Mobile: +60 19 2665850 (24x7 call incident reporting) 

Business Hours: Mon - Fri 08:30 - 17:30 MYT

Web: https://www.mycert.org.my 


7.0 References
