VMware, ServiceNow, Acronis Vulnerabilities Exploited: 5 Things To Know
- by nlqip
New disclosures Monday pointed to attacks exploiting vulnerabilities in the three vendors’ platforms.
New disclosures Monday revealed attacks exploiting vulnerabilities in widely used platforms from VMware, ServiceNow and Acronis.
The attacks have included exploits of two critical-severity vulnerabilities in ServiceNow’s Now Platform as well as a critical vulnerability affecting Acronis Cyber Infrastructure.
[Related: SentinelOne CEO: Cybersecurity Shouldn’t Require Constant Updates]
Meanwhile, an exploited VMware ESXi vulnerability has been rated as a medium-severity issue, though it has reportedly been leveraged in attacks by multiple ransomware operators.
What follows are five things to know about the cyberattacks exploiting vulnerabilities in VMware, ServiceNow and Acronis platforms.
VMware ESXi Vulnerability
In a post Monday, Microsoft disclosed that the flaw in VMware ESXi hypervisors has been “exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors.”
The vulnerability is tracked at CVE-2024-37085. It was fixed in connection with the release of ESXi 8.0 in late June, according to Broadcom, which owns VMware.
In an advisory, Broadcom said that the vulnerability — as well as two others, tracked at CVE-2024-37086 and CVE-2024-37087 — are considered “medium” severity issues.
The flaw “involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation,” Microsoft researchers wrote.
The attackers’ goal in exploiting the flaw has been to “elevate their privileges to full administrative access on the ESXi hypervisor,” the researchers wrote.
VMware ESXi Attacks
In the Microsoft post, researchers said the VMware ESXi vulnerability has been “utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks.”
The attacks have included the deployment of Black Basta and Akira ransomware variants, the Microsoft researchers said.
In one attack “earlier this year,” researchers said that “an engineering firm in North America was affected by a Black Basta ransomware deployment by Storm-0506.”
“During this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization,” the researchers wrote.
CRN has reached out to Broadcom for further comment.
ServiceNow Input Validation Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Monday that a pair of critical-severity ServiceNow vulnerabilities have seen exploitation in attacks.
CISA added the two flaws to its catalog of vulnerabilities known to have seen exploitation in the wild Monday.
The first vulnerability, tracked at CVE-2024-4879, is an “improper input validation” flaw. “This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform,” according to a page for the bug on the National Vulnerability Database website.
In response to an inquiry from CRN, ServiceNow said that it “learned of a vulnerability on the Now Platform impacting instances running on the Vancouver and Washington, D.C. family releases” on May 14. “That day, we deployed an update and have since issued a series of patches designed to address the issue,” the company said.
“Based on our investigation to date, we have not observed evidence that any malicious activity is related to instances that ServiceNow hosts,” the company said. “We have encouraged our self-hosted and ServiceNow-hosted customers to apply relevant patches if they have not already done so. We will also continue to work directly with customers who need assistance in applying those patches.”
ServiceNow Disallowed Inputs Flaw
A second critical-severity ServiceNow vulnerability was added by CISA to its catalog of exploited vulnerabilities Monday. The “incomplete list of disallowed inputs” flaw is tracked at CVE-2024-5217.
“This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform,” according to a page for the issue on the National Vulnerability Database website.
Acronis Cyber Infrastructure Flaw
CISA also added a critical-severity bug affecting Acronis Cyber Infrastructure (ACI), tracked at CVE-2023-45249, to its catalog of exploited vulnerabilities Monday. Multiple versions of ACI are impacted.
The insecure default password flaw in ACI can enable “remote command execution due to use of default passwords,” according to a page for the issue on the National Vulnerability Database website.
CRN has reached out to Acronis for comment.
Source link
lol
New disclosures Monday pointed to attacks exploiting vulnerabilities in the three vendors’ platforms. New disclosures Monday revealed attacks exploiting vulnerabilities in widely used platforms from VMware, ServiceNow and Acronis. The attacks have included exploits of two critical-severity vulnerabilities in ServiceNow’s Now Platform as well as a critical vulnerability affecting Acronis Cyber Infrastructure. [Related: SentinelOne CEO:…
Recent Posts
- Cybersecurity Snapshot: Prompt Injection and Data Disclosure Top OWASP’s List of Cyber Risks for GenAI LLM Apps
- Healthcare Ransomware Attacks: How to Prevent and Respond Effectively | BlackFog
- Black Friday Versus The Bots
- Over 2,000 Palo Alto firewalls hacked using recently patched bugs
- Chinese hackers target Linux with new WolfsBane malware