Ransomware Gangs Exploiting VMware ESXi Authentication Bypass Vulnerability in Widespread Attacks

Microsoft warns of active exploitation of CVE-2024-37085 flaw

Microsoft recently issued a warning stating that several ransomware groups are actively taking advantage of a medium-severity vulnerability, tracked as CVE-2024-37085, in VMware ESXi to escalate privileges and execute ransomware attacks. The vulnerability, which was originally discovered and reported by Microsoft security researchers Edan Zwick, Danielle Kuznets Nohi, and Meitar Pinto, enables an attacker to add a new user to an ‘ESX Admins’ group they create, granting that user full administrative privileges on the ESXi hypervisor. As Broadcom explains: “A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi [sic] Admins’ by default) after it was deleted from AD. Several ESXi advanced settings have default values that are not secure by default. The AD group “ESX Admins” is automatically given the VIM Admin role when an ESXi host is joined to an Active Directory domain.” While exploiting this vulnerability requires an attacker to already have high privileges on the target ESXi device and user interaction, Microsoft has observed ransomware groups leveraging it to launch further attacks. This enables theft of sensitive VM data, lateral movement through networks, and encryption of the ESXi file system.

Attack Tactics Involving the VMware ESXi auth bypass Vulnerability

Microsoft identified three common tactics being used by ransomware groups to exploit CVE-2024-37085:

• Adding the “ESX Admins” group to the domain and adding a user.
• Renaming any existing group in the domain to “ESX Admins” and adding a user to the group or using an existing group member.
• Forcing a privileges refresh on the ESXi hypervisor, which assigns other groups full admin access without removing them from the “ESX Admins” group.

Black Basta and Akira Ransomware Groups Observed Exploiting the Flaw

Several ransomware operations tracked as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest were observed leveraging this vulnerability in attacks resulting in deployments of the Akira and Black Basta ransomware strains. For example, Storm-0506 utilized the VMware ESXi authentication bypass to deploy Black Basta on the hypervisors of a North American engineering firm after initial intrusion via Qakbot and credential theft. The actor was then able to move laterally between domain controllers and hosts.

Growing Targeting of ESXi Hypervisors heightens Risk

Microsoft notes that involvement of Incident Response engagements related to targeted ESXi hypervisors has more than doubled in the last three years. While ransomware typically focuses on encrypting productive systems and backups, adversaries are increasingly recognizing ESXi as a critical infrastructure system hosting important workloads and data. As such, exploitation of vulnerabilities like CVE-2024-37085 allows adversaries to more swiftly acquire complete control over ESXi hosts, leading to outages or full encryption of hosted VMs and files. Unless addressed, this trend of ESXi targeting is expected to continue intensifying risks for organizations.

Conclusion

In summary, Microsoft’s warning highlights active ransomware exploitation of a critical VMware ESXi authentication bypass flaw to escalate privileges and execute damaging attacks. With adversaries increasingly focusing on ESXi infrastructures, prompt patching of exposed systems and tightening of AD security profiles is strongly recommended help reduce risks. Continued monitoring and reporting of emerging threats will also help stay ahead of adversarial IT/OT targeting techniques.