VMware patched a vulnerability in its ESXi hypervisor last week, but Microsoft has revealed that it has already been exploited by ransomware groups to gain administrative permissions.
VMware ESXi is a hardware hypervisor that enables the creation and management of virtual machines directly on server hardware, which can include critical servers. CVE-2024-37085 is an authentication bypass vulnerability that allows malicious actors with sufficient permissions to gain full access to a domain-joined ESXi host.
The problem arises when the configured Active Directory group is deleted and recreated, as any user added to a new group called “ESX Administrators” will have administrator privileges by default. A domain group can also simply be renamed to “ESX Administrators” and all new or existing members will have administrative privileges.
But to exploit the CVE-2024-37085 vulnerability, the hacker needs to have privileged access to the Active Directory environment, which they must have obtained through a previous successful cyberattack. The organization must also have joined their ESXi host to the Active Directory for user management purposes, something many do for convenience.
VMware owner Broadcom released several fixes for affected devices between June 25 and July 25. The vulnerability affects ESXi versions 7.0 and 8.0 and VMware Cloud Foundation versions 4.x and 5.x, but patches were only deployed for ESXi 8.0 and VMware Cloud Foundation 5.x. It has a relatively low CVSS severity score of 6.8.
However, on July 29, Microsoft’s threat intelligence team published a report stating that CVE-2024-37085 has been exploited by ransomware groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, and has led to deployments of Akira and Black Basta ransomware. These network exploits were not mentioned in Broadcom’s advisory.
SEE: Black Basta ransomware affected more than 500 organizations worldwide
Microsoft stated: “In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean the threat actor can encrypt the file system, which can impact the ability of hosted servers to run and function. It also allows the threat actor to access hosted virtual machines and potentially exfiltrate data or move laterally within the network.”
How malicious actors exploited CVE-2024-37085
CVE-2024-37085 originates from Active Directory domain-joined ESXi hypervisors that automatically grant full administrative access to any member of a domain group named “ESX Admins.”
This group does not exist by default, but cybercriminals can easily create one with the command “net group 'ESX Admins' /domain /add”. Membership of this group is also determined by name and not by security identifier (SID), so adding a member is also trivial.
“Any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group and then adding themselves, or other users under their control, to the group,” Microsoft researchers wrote.
According to Microsoft, cybercriminals could exploit CVE-2024-37085 by doing one of the following:
- Creating an Active Directory group called “ESX Administrators” and adding a user. This is the only technique used in practice.
- Rename any group in the domain to “ESX Admins” and add a user to the group or use an existing group member.
- Taking advantage of the fact that even if the network administrator assigns another group in the domain to manage ESXi, members of “ESXi Admins” still retain their administrator privileges for a period of time.
Microsoft says the number of incident response actions involving attacks and repercussions on ESXi hypervisors has more than doubled over the past three years. This suggests they have become popular targets because many security products have limited visibility and protection for an ESXi hypervisor and its file systems allow for bulk encryption with a single click.
Several ransomware-as-a-service groups have developed ESXi-specific malware since 2021, including Royal, Play, Cheers, and TargetCompany.
SEE: Ransomware Cheat Sheet: Everything You Need to Know in 2024
Earlier this year, Storm-0506 attempted to deploy the Black Basta ransomware on the system of an unnamed North American engineering firm using the CVE-2024-37085 vulnerability. The group gained initial access via a Qakbot infection and then exploited a Windows CLFS privilege escalation vulnerability. The hackers then used the Pypykatz tool to steal domain controller credentials before taking further steps to establish persistent access.
Finally, the group used the CVE-2024-37085 vulnerability to gain elevated privileges on ESXi hypervisors. Microsoft observed that the threat actor created an “ESX Administrators” group and added a new user before encrypting the ESXi file system and taking control of virtual machines hosted on the ESXi hypervisor.
Recommendations for VMware ESXi Operators
- Install the latest software updates released by VMWare on all domain-joined ESXi hypervisors.
- Use good credential hygiene to prevent threat actors from accessing the privileged account needed to exploit the CV-2024-37085 vulnerability. Use multi-factor authentication, passwordless authentication methods, and authenticator apps, and isolate privileged accounts from productivity accounts.
- Identify critical assets, such as ESXi hypervisors and vCenters, and ensure they have the latest security updates, proper monitoring procedures, and backup and recovery plans.
- Identify vulnerabilities in network devices through SNMP scanning and receive security recommendations.
