Microsoft researchers have found a critical vulnerability in VMware ESXi hypervisors, and ransomware operators are already exploiting it to attack systems.


Global risk

This vulnerability, CVE-2024-37085, allows threat actors to gain full administrative permissions on domain-joined hypervisors, thereby posing a serious risk to organizations around the world.


What is VMware ESXi?

VMware ESXi is a hypervisor installed directly on a physical server, which allows you to control and manage server resources. It is used to host important virtual machines (VMs) within a network.


The flaw in detail

The CVE-2024-37085 vulnerability revolves around a domain group called “ESX Admins”, which, by default, is granted full administrative access to VMware ESXi hypervisors without proper validation.


How the vulnerability is exploited

This flaw allows any domain user who can create or rename groups to escalate their privileges by adding themselves or other users to the “ESX Admins” group, thus gaining full control over the hypervisor.


Exploitation methods

Microsoft researchers identified three methods to exploit the vulnerability:

  1. Add the “ESX Admins” group to the domain and include a user.
  2. Rename an existing domain group to “ESX Admins”.
  3. Exploit the privilege update mechanism of the VMware ESXi hypervisor.
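As an added example (not from the article, and not Microsoft's published hunting queries), the detection logic below flags the Active Directory group events that correspond to the first two methods plus membership additions to the group; the event IDs and field names are the standard Windows Security audit ones, and the sample events are constructed.

```python
# Added example, not from the article: flag Windows Security events that match the
# group manipulation behind CVE-2024-37085. Sample events at the bottom are constructed.
from dataclasses import dataclass
from typing import Optional

TARGET_GROUP = "esx admins"          # default ESXi admin group, compared case-insensitively
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global/local/universal group created
GROUP_RENAMED = {4781}               # the name of an account was changed
MEMBER_ADDED = {4728, 4732, 4756}    # member added to a security-enabled group

@dataclass
class Finding:
    event_id: int
    technique: str   # "group-created", "group-renamed" or "member-added"
    actor: str       # SubjectUserName: who made the change
    detail: str

def _norm(name: Optional[str]) -> str:
    return (name or "").strip().lower()

def classify_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if one event creates, renames to, or adds to ESX Admins."""
    eid, actor = ev.get("EventID"), ev.get("SubjectUserName", "<unknown>")
    if eid in GROUP_CREATED and _norm(ev.get("TargetUserName")) == TARGET_GROUP:
        return Finding(eid, "group-created", actor, ev["TargetUserName"])
    if eid in GROUP_RENAMED and _norm(ev.get("NewTargetUserName")) == TARGET_GROUP:
        return Finding(eid, "group-renamed", actor,
                       f"{ev.get('OldTargetUserName')} -> {ev['NewTargetUserName']}")
    if eid in MEMBER_ADDED and _norm(ev.get("TargetUserName")) == TARGET_GROUP:
        return Finding(eid, "member-added", actor, ev.get("MemberName", "<unknown>"))
    return None

def scan(events: list) -> list:
    """Keep only the events that touch the ESX Admins group."""
    return [f for f in map(classify_event, events) if f is not None]

# Constructed sample events; the last one is benign and must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "svc-ops",
     "OldTargetUserName": "HelpDesk", "NewTargetUserName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Domain Users",
     "MemberName": "CN=newhire,CN=Users,DC=corp,DC=example"},
]
```

Feeding real exported Security-log events (as dicts with the same field names) into `scan` gives an alert list that can be correlated with the ESXi-side hardening checks from the recommendations section.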


Exploitation impact

Successful exploitation allows threat actors to encrypt the hypervisor file system, potentially disrupting the functionality of hosted servers. In addition, attackers can access virtual machines, leak data and move laterally within the network.


Exploitation in the wild

Ransomware operators, including groups such as Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest, have been observed exploiting this vulnerability in numerous attacks on VMware ESXi-based systems.

Notable cases

These groups have deployed ransomware variants such as Akira and Black Basta to encrypt hypervisor file systems, rendering hosted virtual machines unusable, and have also exfiltrated data and moved laterally within the network.

One particularly notable attack involved Storm-0506, which deployed the Black Basta ransomware. The attackers initially gained access through a Qakbot infection and exploited a Windows vulnerability (CVE-2023-28252) to elevate their privileges.

Tools used in the attack

They then used tools such as Cobalt Strike and Pypykatz to steal credentials and move laterally within the network, eventually creating the “ESX Admins” group and adding a user to it. This led to the encryption of the VMware ESXi file system and the disruption of hosted virtual machines.


Mitigation and protection

In response to these findings, VMware has released a security update to address CVE-2024-37085. Microsoft recommends that all organizations using domain-joined VMware ESXi hypervisors apply this update immediately.


Security recommendations

In addition, administrators should:

  • Validate the existence of groups: Ensure that the “ESX Admins” group exists in the domain and is properly protected, so that an attacker cannot create or rename a group to claim that name.
  • Deny access: Manually deny this group access to the hypervisor, or change which domain group the hypervisor treats as its administrative group.
  • Credential hygiene: Protect highly privileged accounts with multi-factor authentication (MFA) and isolate privileged accounts from productivity accounts.
  • Improve critical asset posture: Identify and protect critical assets, such as VMware ESXi hypervisors, with the latest security updates, monitoring procedures and backup plans.


Stay vigilant

To protect against advanced threats, organizations must stay vigilant, update their VMware ESXi systems and follow strict security practices.