Several threat groups are exploiting an authentication bypass vulnerability in VMware ESXi hypervisors as part of their attacks that infect victims with ransomware like Akira and Black Basta. The flaw gives threat actors full administrative permissions on domain-joined hypervisors.
VMware disclosed and issued fixes for the vulnerability (CVE-2024-37085) in a June 25 advisory and said that it was “moderate severity,” with a CVSS severity score of 6.8 out of 10, but a threat advisory from Microsoft on Monday revealed that the bug has been exploited in various ransomware attacks. Patches for the flaw are available for ESXi version 8.0 and VMware Cloud Foundation 5.x, but no patches are planned for ESXi version 7 or VMware Cloud Foundation 4.x, according to VMware.
“Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks,” according to Microsoft’s threat intelligence team in a Monday analysis. “In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments.”
According to VMware, which didn’t mention any detected exploitation in its security advisory, a bad actor with “sufficient Active Directory (AD) permissions” could gain full access to hosts that were previously configured to use AD for user management, by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD. Meanwhile, Microsoft’s analysis said: “VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named ‘ESX Admins’ to have full administrative access by default. This group is not a built-in group in Active Directory and does not exist by default.”
“Successful exploitation leads to full administrative access to the ESXi hypervisors, allowing threat actors to encrypt the file system of the hypervisor, which could affect the ability of the hosted servers to run and function,” according to Microsoft researchers. “It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.”
In one particular attack, Microsoft researchers observed a ransomware operator that it tracks as Storm-0506 targeting the flaw as part of an attack that deployed the Black Basta ransomware against an unnamed engineering firm in North America. Researchers said Storm-0506 gained initial access to the company through an existing Qakbot infection. The threat actor then exploited a Windows Common Log File System flaw (CVE-2023-28252) in order to elevate privileges, deployed Cobalt Strike and a Python version of Mimikatz to steal domain administrator credentials, and moved laterally to domain controllers.
“Microsoft observed that the threat actor created the ‘ESX Admins’ group in the domain and added a new user account to it, following these actions, Microsoft observed that this attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor,” according to researchers.
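The group creation and membership change described in the attack above leave a trail in the domain controller's Security log. The following detector is an added example (not code from Microsoft, VMware or the article) that scans Windows Security events for the creation of, or additions to, a group named like ESXi's default admin group; the event records are constructed for the example, and the watched-group list is a hypothetical configuration value.

```python
"""Flag Windows Security events that create or populate an AD group
named like the ESXi admin group (default "ESX Admins").
Sample events below are constructed for this example."""
from dataclasses import dataclass
from typing import Optional

# Standard Windows Security-log event IDs for group lifecycle auditing
GROUP_CREATED = 4727   # A security-enabled global group was created
MEMBER_ADDED = 4728    # A member was added to a security-enabled global group

# Hypothetical watch list; "ESX Admins" is the ESXi default named in the advisory
WATCHED_GROUPS = ("ESX Admins",)

@dataclass
class Finding:
    event_id: int
    group: str
    actor: str            # SubjectUserName: the account that made the change
    member: Optional[str]  # MemberName (DN) for 4728, None for 4727

def _norm(name: str) -> str:
    # Loose comparison so "esx admins" or "ESX  Admins" are not missed
    return " ".join(name.split()).casefold()

def scan_events(events):
    """Return a Finding for every 4727/4728 event touching a watched group."""
    watched = {_norm(g) for g in WATCHED_GROUPS}
    findings = []
    for ev in events:
        eid = int(ev.get("EventID", 0))
        if eid not in (GROUP_CREATED, MEMBER_ADDED):
            continue
        group = ev.get("TargetUserName", "")  # group name for both event IDs
        if _norm(group) not in watched:
            continue
        member = ev.get("MemberName") if eid == MEMBER_ADDED else None
        findings.append(Finding(eid, group, ev.get("SubjectUserName", "?"), member))
    return findings

# Constructed sample: one unrelated user creation, the group creation and
# member addition from the described attack, and one benign group creation.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "svc-backup", "SubjectUserName": "jdoe"},
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "admin-temp"},
    {"EventID": 4728, "TargetUserName": "ESX Admins", "SubjectUserName": "admin-temp",
     "MemberName": "CN=newuser,CN=Users,DC=corp,DC=example"},
    {"EventID": 4727, "TargetUserName": "Finance Team", "SubjectUserName": "hr-ops"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"ALERT event {f.event_id}: group '{f.group}' changed by {f.actor}"
              + (f", added {f.member}" if f.member else ""))
```

Hosts configured with a non-default admin group name need that name added to the watch list, and a creation alert should be treated as high priority even before any member is added, since ESXi grants the group rights as soon as it exists.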
Vulnerabilities have previously been found in ESXi, with a pair of use-after-free bugs found earlier this year (CVE-2024-22252 and CVE-2024-22253) potentially allowing attackers with local administrative privileges on virtual machines to execute code as the virtual machine's VMX process running on the host.
At the same time, threat actors are increasingly targeting ESXi hypervisors, with Microsoft researchers noting that incident response engagements that impacted ESXi hypervisors have more than doubled over the past three years. Part of that is because ESXi is a popular product in corporate networks, but encrypting an ESXi hypervisor's file system also gives ransomware a bigger bang for the buck, because every VM hosted on that hypervisor is affected at once.
“Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target,” according to researchers.