Featured Story
Over 20,000 internet-exposed VMware ESXi instances vulnerable to CVE-2024-37085
Researchers from the Shadowserver Foundation report that approximately 20,000 internet-exposed VMware ESXi servers are affected by CVE-2024-37085, an authentication bypass in the Active Directory integration of ESXi that is being actively exploited. Microsoft has warned that multiple ransomware gangs are using the recently patched flaw in their intrusions to take control of hypervisors.
The flaw allows a malicious actor with sufficient Active Directory permissions (enough to create or rename a domain group) to gain full administrative access to an AD-joined ESXi host. ESXi grants full admin rights to members of a configured AD group ("ESX Admins" by default) without validating that the group exists, so an attacker can recreate that group after it was deleted from AD, add an account to it, and inherit host administration.
Any exposed ESXi instance should be treated as potentially vulnerable, and ESXi management interfaces should not be reachable from the internet in the first place. Broadcom has released fixes in ESXi 8.0 Update 3 and VMware Cloud Foundation 5.2; no fix is planned for ESXi 7.0, so hosts on that version must rely on the workaround. The workaround is to set the advanced option Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false (so the default group is no longer trusted automatically) and Config.HostAgent.plugins.hostsvc.esxAdminsGroup to a group name an attacker cannot create, until the host is patched. Contact us if assistance is needed.
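Because exploitation starts with creating or renaming a domain group, the Active Directory security log is the place to catch it. The following is an added example, not code from the newsletter or from Microsoft/Broadcom: it runs a simple classifier over parsed Windows Security events and flags creation of, membership changes to, or renames into a group named "ESX Admins". The event IDs are standard Windows Security Auditing IDs; the sample records are constructed, and the group name assumes the default esxAdminsGroup setting is still in use.

```python
import re

# CVE-2024-37085: an AD-joined ESXi host grants full admin rights to members of the
# group named in Config.HostAgent.plugins.hostsvc.esxAdminsGroup ("ESX Admins" by
# default), and the name comparison is not case sensitive. The sets below are standard
# Windows Security Auditing event IDs, not constructed values.
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global / local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to such a group
GROUP_CHANGED = {4737, 4735, 4755}   # such a group changed (covers renames)

TRUSTED_GROUP = "esx admins"  # assumption: the default esxAdminsGroup name is in use


def normalize_group(name: str) -> str:
    """Collapse whitespace and case so 'ESX  ADMINS' matches the default group name."""
    return re.sub(r"\s+", " ", name.strip()).lower()


def classify(event: dict):
    """Return an alert label for one Security event, or None if it is not of interest."""
    if normalize_group(event.get("TargetUserName", "")) != TRUSTED_GROUP:
        return None
    eid = event.get("EventID")
    if eid in GROUP_CREATED:
        return "esx-admins-group-created"
    if eid in MEMBER_ADDED:
        return "member-added-to-esx-admins"
    if eid in GROUP_CHANGED:
        return "group-renamed-or-changed-to-esx-admins"
    return None  # e.g. a logon event that merely mentions the name


def detect(events):
    """Run classify() over a batch of parsed events; returns (label, actor, event) tuples."""
    alerts = []
    for ev in events:
        label = classify(ev)
        if label:
            alerts.append((label, ev.get("SubjectUserName", "?"), ev))
    return alerts


# Constructed sample records shaped like parsed Windows Security events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance"},
    {"EventID": 4727, "SubjectUserName": "svc-bk", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc-bk", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-bk,CN=Users,DC=corp,DC=example"},
    {"EventID": 4737, "SubjectUserName": "mallory", "TargetUserName": "esx  ADMINS"},
    {"EventID": 4624, "SubjectUserName": "svc-bk", "TargetUserName": "ESX Admins"},
]

if __name__ == "__main__":
    for label, actor, ev in detect(SAMPLE_EVENTS):
        print(f"{label:42} by {actor:8} (EventID {ev['EventID']})")
```

If the workaround has been applied and esxAdminsGroup points at a different group, change TRUSTED_GROUP to that name so the same logic watches the group that actually matters. Normalising whitespace and case is deliberate: the ESXi lookup is not case sensitive, so a rule that matches the literal string "ESX Admins" only would miss variants.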
Other Stories
A crafty phishing campaign targets Microsoft OneDrive users
A sophisticated phishing campaign has been targeting Microsoft OneDrive users with HTML attachments that display a fake DNS error and instruct the victim to paste a "fix" command into PowerShell. That command downloads and executes a malicious payload built with AutoIt, so the infection depends on the user running the command themselves rather than on any exploit.
This campaign has not yet reached wide circulation in Europe, but preventive measures like Microsoft Defender for Office 365 can mitigate the threat. If you’d like your Microsoft 365 environment reviewed, reach out to us.
Social Media Malvertising Campaign Promotes Fake AI Editor Website for Credential Theft
Threat actors are hijacking legitimate social media pages, rebranding them as AI photo editors, and running paid malvertising campaigns that lead to fake download sites distributing malware such as Lumma Stealer. The chain combines phishing to take over the pages, fake software as the lure, and credential theft from the infected machines, which in turn feeds further account takeovers.
Be extremely cautious when downloading unknown software, even from "sponsored" posts. Avoid using personal or work devices to test free tools, and refer to Trend Micro's published IOCs for deeper threat detection.
Sitting Ducks attack technique exposes over a million domains to hijacking
The Sitting Ducks attack exploits a DNS misconfiguration known as lame delegation: a domain's nameservers are delegated to a DNS provider that no longer hosts the zone, and that provider lets anyone add the zone without proving ownership. An attacker who claims the zone at the provider controls the domain's DNS without ever touching the owner's registrar account. Infoblox and Eclypsium, who documented the technique, estimate that more than a million domains are exposed on any given day, and have observed Russian-linked threat actors using it.
Although the root cause sits with DNS providers that allow zones to be claimed without ownership checks, domain owners should audit their own delegations, and end users should stay vigilant. Always verify unexpected website behaviours, avoid suspicious links, and navigate directly to known URLs. Report anything suspicious to Safeonweb.
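A domain owner can check for the precondition themselves: ask each nameserver the parent zone delegates to, directly and non-recursively, whether it answers authoritatively for the zone. The following is an added example, not code from the newsletter or from the Sitting Ducks researchers. The resolver is injected so the block runs offline against constructed responses; in practice `query` would wrap something like `dig +norecurse @server domain SOA`. The domain, nameserver names and responses are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """Minimal view of a DNS response: response code, AA flag, record data."""
    rcode: str                   # "NOERROR", "NXDOMAIN", "REFUSED", "SERVFAIL"
    authoritative: bool = False  # the AA bit
    records: tuple = ()


def is_lame(answer: Answer) -> bool:
    """A delegated server is lame if it does not answer authoritatively for the zone.

    REFUSED/SERVFAIL/NXDOMAIN for the zone's own SOA means the provider is not
    serving it; a NOERROR without AA means it merely forwarded or cached an answer.
    """
    if answer.rcode in ("REFUSED", "SERVFAIL", "NXDOMAIN"):
        return True
    return not answer.authoritative


def assess_delegation(domain: str, parent_ns, query):
    """Check every server the parent delegates `domain` to.

    parent_ns: nameserver names from the parent zone (TLD / registrar side).
    query(server, name, rtype) -> Answer: a direct, non-recursive query to `server`.
    A lame server is the Sitting Ducks precondition; whether the hosting provider
    lets a stranger claim the zone must still be checked with that provider.
    """
    lame = [ns for ns in parent_ns if is_lame(query(ns, domain, "SOA"))]
    healthy = [ns for ns in parent_ns if ns not in lame]
    child_ns = set()
    for ns in healthy:
        child_ns |= set(query(ns, domain, "NS").records)
    # The NS set inside the zone should match the parent's delegation; a drift
    # usually means a provider was dropped at the host but not at the registrar.
    mismatch = bool(child_ns) and child_ns != set(parent_ns)
    return {"lame_servers": lame, "ns_mismatch": mismatch, "at_risk": bool(lame)}


# Constructed responses for a fictional domain (not real DNS data). ns1 still hosts
# the zone; ns2's provider dropped it and refuses the query: a lame delegation.
CONSTRUCTED_RESPONSES = {
    ("ns1.provider-a.example", "example.test", "SOA"):
        Answer("NOERROR", True, ("ns1.provider-a.example. hostmaster.example.test. 2024073001",)),
    ("ns1.provider-a.example", "example.test", "NS"):
        Answer("NOERROR", True, ("ns1.provider-a.example",)),
    ("ns2.provider-b.example", "example.test", "SOA"): Answer("REFUSED"),
}


def fake_query(server, name, rtype):
    """Offline stand-in for a real non-recursive query; unknown tuples are refused."""
    return CONSTRUCTED_RESPONSES.get((server, name, rtype), Answer("REFUSED"))


PARENT_NS = ["ns1.provider-a.example", "ns2.provider-b.example"]

if __name__ == "__main__":
    result = assess_delegation("example.test", PARENT_NS, fake_query)
    for ns in result["lame_servers"]:
        print(f"lame delegation: {ns} does not serve example.test")
    print("NS mismatch:", result["ns_mismatch"], "| at risk:", result["at_risk"])
```

A non-empty `lame_servers` list is the finding to act on: either remove that nameserver from the delegation at the registrar or recreate the zone at the provider before someone else does.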
Contact the Approach Cyber SOC team for tailored support and training programs.