Ransomware gangs seen exploiting VMware ESXi flaw in the wild

Security researchers warn of hackers exploiting CVE-2024-37085, first revealed by VMware a week ago.

Microsoft’s Threat Intelligence team has warned of several ransomware operators exploiting a recently revealed bug in VMware’s ESXi hypervisors.

The vulnerability (CVE-2024-37085) was disclosed by VMware on July 25 and is an authentication bypass issue.

VMware warned at the time that the exploit could lead to a threat actor gaining “full access to an ESXi host.” VMware released several updates and fixes after Microsoft researchers initially discovered the vulnerability.

“VMware has assessed the severity of this issue in the moderate severity range,” VMware said at the time.

However, Microsoft has seen the vulnerability exploited in the wild, and says it can lead to “bulk encryption” of vulnerable networks.

The problem is that ESXi hypervisors are bare metal installations on a physical server and often run a large number of critical virtual machines.

“In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which can impact the ability of hosted servers to run and function,” Microsoft Threat Intelligence said in a July 29 blog post.

“It also allows the threat actor to access hosted virtual machines and possibly exfiltrate data or move laterally within the network.”

Microsoft researchers have seen ransomware deployments from several well-known gangs, including Akira and Black Basta. The hackers were able to run a couple of commands to create a group called “ESX Administrators” on a target domain and then add a single user to it.

From there, the hackers were able to elevate their privileges to full administrative access on the target ESXi hypervisor.

“Further analysis of the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group called ‘ESX Administrators’ to have full administrative access by default,” Microsoft said.

“This group is not an Active Directory-integrated group and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treat any member of a group with this name with full administrative access, even if the group did not originally exist.”
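A defender-side check for the behaviour Microsoft describes, added here as an example (it is not code from Microsoft, VMware or the article): it scans constructed, simplified Windows Security-log lines for the creation of a domain group named “ESX Administrators” and for members being added to it, and correlates the two within a time window. The line format is constructed for this example; the event IDs are the standard Windows Security IDs for group creation (4727) and member addition (4728).

```python
import re
from datetime import datetime, timedelta

# Group name that a domain-joined ESXi host treats as administrative, per the article.
# AD group names are case-insensitive, so compare in lower case.
PRIVILEGED_GROUP = "esx administrators"
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed, simplified Security-log lines (not real logs):
# "<ISO time> <EventID> group="<name>" actor=<who> [member=<who>]"
SAMPLE_LOG = """\
2024-07-29T10:01:12 4727 group="Finance Users" actor=CORP\\jdoe
2024-07-29T10:05:40 4727 group="ESX Administrators" actor=CORP\\svc-backup
2024-07-29T10:06:02 4728 group="ESX Administrators" actor=CORP\\svc-backup member=CORP\\svc-backup
2024-07-29T10:07:30 4728 group="Finance Users" actor=CORP\\jdoe member=CORP\\asmith
"""

LINE_RE = re.compile(r'^(\S+) (\d{4}) group="([^"]+)" actor=(\S+)(?: member=(\S+))?$')

def parse(line):
    """Parse one constructed log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, eid, group, actor, member = m.groups()
    return {"ts": datetime.fromisoformat(ts), "eid": int(eid),
            "group": group, "actor": actor, "member": member}

def detect(log_text):
    """Return alerts for creation of the privileged group and for members added to it.

    A member added shortly after the group was created is flagged separately, since that
    sequence matches the behaviour described above; any addition is still reported.
    """
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    alerts = []
    created_at = None
    for e in events:
        if e["group"].lower() != PRIVILEGED_GROUP:
            continue
        if e["eid"] == 4727:                      # security-enabled global group created
            created_at = e["ts"]
            alerts.append(("group_created", e["actor"], e["ts"]))
        elif e["eid"] == 4728:                    # member added to security-enabled global group
            recent = created_at is not None and e["ts"] - created_at <= CORRELATION_WINDOW
            kind = "member_added_after_create" if recent else "member_added"
            alerts.append((kind, e["member"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only the two “ESX Administrators” events in the constructed sample produce alerts; the Finance Users events are ignored.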

At this point, the ransomware operator can encrypt the entire hypervisor file system and extract data at will.

According to Microsoft, attacks on ESXi hypervisors “have more than doubled in the last three years.”

Scott Caveza, a research engineer at Tenable, said such an attack could have a crippling effect on a company or organization.

“These financially motivated groups quickly encrypt or lock down as many hosts as possible, maximizing the impact for a victim organization in the hope of a sizeable ransom payment. To deploy ransomware and extract data, they rely heavily on phishing, credential theft, as well as exploiting known and exploitable vulnerabilities that have not been patched by unsuspecting organizations,” Caveza said.

“This provides a large attack surface; however, it is important to note that exploitation is highly dependent on the host being configured to use AD for user management.”
