Ransomware groups have been actively exploiting a critical vulnerability in VMware ESXi hypervisors to gain elevated permissions on domain-joined hosts and deploy file-encrypting malware against the virtual machines they run.

Description

Ransomware groups including Storm-0506 [3] [6] [7], Storm-1175 [3] [7] [8], Manatee Tempest [3] [8], and Octo Tempest have been exploiting a critical vulnerability (CVE-2024-37085) in VMware ESXi hypervisors to gain elevated permissions and deploy file-encrypting malware such as Akira and Black Basta. A domain-joined ESXi host grants full administrative access to members of an Active Directory group named “ESX Admins” by default, and it does not check that the group existed when the host was joined or that it is the group the administrators intended. An attacker with sufficient Active Directory permissions to create a domain group can therefore create one named “ESX Admins”, add an account to it, and obtain unrestricted admin access on every domain-joined host that still carries the default, which has been used for ransomware deployment [5] [6] [8], data exfiltration [8], and lateral movement [3] [8].

In one intrusion attributed to Storm-0506 [3], the group used the vulnerability to gain elevated permissions on ESXi hypervisors after obtaining an initial foothold through a QakBot infection and escalating privileges with a separate flaw in the Windows Common Log File System driver. The intrusion involved dropping Cobalt Strike Beacon, using a combination of custom and readily available tools for reconnaissance [3], and relying on RDP and SMB for lateral movement before Black Basta was deployed. Black Basta operators have also used ZLoader [3], a C/C++ backdoor [3], to deliver the ransomware [3], moving away from QakBot and DarkGate [3].

Organizations are urged to patch this vulnerability immediately to prevent attacks like the Black Basta ransomware deployment observed in a recent incident [6]. It is also recommended to install the latest software updates [3], practice credential hygiene [3], enforce two-factor authentication [3], and implement monitoring procedures and backup and recovery plans to safeguard critical assets. Microsoft researchers discovered the flaw and warned that attacks could impact critical network servers [4]. Broadcom's advisory covers ESXi 7.0 and 8.0 as well as VMware Cloud Foundation 4.x and 5.x [1]; the fix shipped in ESXi 8.0 Update 3 and VMware Cloud Foundation 5.2, and workarounds are published for installations that cannot update immediately [1].
Previous ransomware attacks on ESXi servers and backdoors planted by cyberespionage groups underscore the ongoing security challenges VMware faces [1]. CVE-2024-37085 is an authentication bypass affecting Active Directory domain-joined VMware ESXi hypervisors [2], and ransomware operators have exploited it to gain full administrative access and encrypt the file system [2]. VMware owner Broadcom released a fix on June 25, 2024 [2], but did not initially disclose that the vulnerability had been exploited as a zero-day [2]. Attackers have been using custom Linux encryptors against ESXi hypervisors [2], and a flaw like CVE-2024-37085 lets them encrypt many virtual machines from a single compromised host [2]. After compromising domain administrator credentials [2], threat actors create a group named “ESX Admins” in the domain and thereby gain full administrative access on the ESXi hypervisor [2]. Admins are advised to upgrade to ESXi 8.0 Update 3 or VMware Cloud Foundation 5.2 to mitigate the risk [2]. Granting admin privileges to any member of the “ESX Admins” group is a documented default that has existed for years [2]; the weakness is that the host applies it by group name alone, so whoever can create a group of that name in the domain inherits the rights even though the group did not exist when the host was joined.
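As an added example (not code from any of the cited reports or from Broadcom or Microsoft), the script below implements the two checks the description above calls for: a hunt over Windows Security events for creation, modification and membership changes of any group whose name matches “ESX Admins”, and a check of the two ESXi advanced settings that Broadcom's workaround adjusts (esxAdminsGroup and esxAdminsGroupAutoAdd, as named in its knowledge-base article; confirm them on your build). The event records, the host setting values and the allow-list of expected members are constructed for the example; the field names follow the Security log's event XML.

```python
"""Added example (not from any of the cited reports): hunting Windows
Security events for the "ESX Admins" group and checking whether an ESXi
host still carries the default settings the vulnerability relies on."""
from dataclasses import dataclass

# Windows Security event IDs for security-enabled group lifecycle, by scope
# (global / domain-local / universal).
GROUP_CREATED = {4727, 4731, 4754}
GROUP_CHANGED = {4737, 4735, 4755}   # attribute changes, including the name
MEMBER_ADDED = {4728, 4732, 4756}

# Group name that a domain-joined ESXi host grants full admin rights to by default.
WATCHED_GROUP = "esx admins"

# Advanced settings touched by Broadcom's workaround (names from its KB; confirm on your build).
SETTING_GROUP = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
SETTING_AUTOADD = "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"


def normalize(name):
    """Case- and whitespace-insensitive comparison of group names."""
    return " ".join(str(name).strip().lower().split())


@dataclass
class Finding:
    severity: str
    event_id: int
    actor: str
    detail: str


def hunt_esx_admins(events, expected_members):
    """Flag creation, modification or membership changes of any group whose
    name matches "ESX Admins". Each event is a dict using the field names of
    the Security log XML; the records fed in here are constructed."""
    findings = []
    for ev in events:
        if normalize(ev.get("TargetUserName", "")) != WATCHED_GROUP:
            continue
        eid = ev["EventID"]
        actor = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if eid in GROUP_CREATED:
            findings.append(Finding("high", eid, actor, "group created"))
        elif eid in GROUP_CHANGED:
            findings.append(Finding("high", eid, actor, "group modified; name now matches"))
        elif eid in MEMBER_ADDED:
            member = ev.get("MemberName", "")
            severity = "info" if member in expected_members else "high"
            findings.append(Finding(severity, eid, actor, f"member added: {member}"))
    return findings


def esxi_workaround_applied(settings):
    """Check an ESXi host's advanced settings (dict name -> value, e.g. as read
    with PowerCLI Get-AdvancedSetting). Returns (ok, list_of_problems).
    A missing key is treated as the shipped default."""
    problems = []
    if str(settings.get(SETTING_AUTOADD, True)).lower() in ("true", "1"):
        problems.append(f"{SETTING_AUTOADD} is still enabled")
    if normalize(settings.get(SETTING_GROUP, "ESX Admins")) == WATCHED_GROUP:
        problems.append(f"{SETTING_GROUP} still uses the default name")
    return (not problems, problems)


# Constructed sample data: an account creates the group and adds itself, then a
# service account adds an expected operations group; the last event is unrelated.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "TargetUserName": "ESX Admins", "MemberName": "CN=jsmith,CN=Users,DC=corp,DC=local"},
    {"EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "svc-vcenter",
     "TargetUserName": "esx  admins", "MemberName": "CN=vsphere-ops,CN=Users,DC=corp,DC=local"},
    {"EventID": 4727, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "TargetUserName": "Finance Reporting"},
]
EXPECTED_MEMBERS = {"CN=vsphere-ops,CN=Users,DC=corp,DC=local"}

# Constructed host settings: one host at the shipped defaults, one with the workaround applied.
DEFAULT_HOST = {SETTING_AUTOADD: "true", SETTING_GROUP: "ESX Admins"}
HARDENED_HOST = {SETTING_AUTOADD: "false", SETTING_GROUP: "vSphere-Hypervisor-Admins"}

if __name__ == "__main__":
    for f in hunt_esx_admins(SAMPLE_EVENTS, EXPECTED_MEMBERS):
        print(f"[{f.severity}] event {f.event_id} by {f.actor}: {f.detail}")
    for label, host in (("default", DEFAULT_HOST), ("hardened", HARDENED_HOST)):
        ok, problems = esxi_workaround_applied(host)
        print(f"{label} host: workaround applied={ok} {problems}")
```

If the workaround renames the admin group on the hosts, add the new name to the watched set as well, since whoever controls that group controls the hypervisors just as before; the name change only removes the well-known default an attacker can guess. Membership added by an account outside the allow-list is rated high regardless of who the actor is, because the domain administrator credentials used in the reported intrusions were themselves stolen.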

Conclusion

Ransomware attacks exploiting CVE-2024-37085 on VMware ESXi hypervisors show why organizations should patch or upgrade promptly, apply Broadcom's workaround where an update is not yet possible, and monitor Active Directory for the creation or modification of a group named “ESX Admins”: a single domain group grants administrative access to every domain-joined host, and with it the ability to encrypt the virtual machines it runs. Organizations must remain vigilant against evolving threats and prioritize cybersecurity to safeguard critical assets.

References

[1] https://www.csoonline.com/article/3478658/vmware-esxi-hypervisor-vulnerability-grants-full-admin-privileges.html
[2] https://www.helpnetsecurity.com/2024/07/30/cve-2024-37085-exploited/
[3] https://thehackernews.com/2024/07/vmware-esxi-flaw-exploited-by.html
[4] https://www.techtarget.com/searchsecurity/news/366599377/Microsoft-Ransomware-gangs-exploiting-VMware-ESXi-flaw
[5] https://duo.com/decipher/ransomware-groups-exploit-vmware-esxi-flaw
[6] https://arstechnica.com/security/2024/07/hackers-exploit-vmware-vulnerability-that-gives-them-hypervisor-admin/
[7] https://securityaffairs.com/166295/cyber-crime/ransomware-gangs-exploit-cve-2024-37085-vmware-esxi.html
[8] https://www.darkreading.com/cloud-security/ransomware-gangs-exploit-esxi-bug-for-instant-mass-encryption-of-vms