Microsoft has issued a significant security alert regarding a vulnerability in VMware ESXi hypervisors, which ransomware operators have actively exploited.
According to the Shadowserver Foundation, the vulnerability, identified as CVE-2024-37085, exposed 20,275 instances as of July 30, 2024.
The CVE-2024-37085 vulnerability is an authentication bypass flaw with a CVSS score of 6.8. It specifically affects domain-joined ESXi hypervisors, allowing attackers with sufficient Active Directory (AD) permissions to gain full administrative control over the hypervisor.
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide
This control can lead to severe consequences, including the encryption of the hypervisor’s file system, disruption of hosted virtual machines (VMs), data exfiltration, and lateral movement within the network.
Exploitation in the Wild
Microsoft researchers have observed multiple ransomware groups exploiting this vulnerability. These groups include Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. The exploitation typically involves creating a domain group named “ESX Admins” and adding users to it, thereby granting them full administrative privileges on the ESXi hypervisor.
One notable attack involved the deployment of Black Basta ransomware by the Storm-0506 group. The attackers gained initial access via a Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges.
They then used tools like Cobalt Strike and Pypykatz to steal credentials and move laterally within the network, ultimately creating the “ESX Admins” group to exploit the ESXi vulnerability.
The exploitation of CVE-2024-37085 has led to significant disruptions in affected organizations. Ransomware operators can encrypt the hypervisor’s file system by gaining full administrative access to ESXi hypervisors; rendering hosted VMs non-functional. This not only impacts the availability of critical services but also poses a risk of data loss and unauthorized access to sensitive information.
Mitigation and Recommendations
Broadcom has released security updates to address CVE-2024-37085. Administrators are strongly advised to apply these updates immediately to protect their systems. For versions of ESXi that do not receive patches, VMware recommends changing specific advanced settings to mitigate the vulnerability:
- Set
Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAddto false. - Adjust
Config.HostAgent.plugins.vimsvc.authValidateIntervalfrom 1440 to 90. - Change
Config.HostAgent.plugins.hostsvc.esxAdminsGroupto an empty string[3][7].
Additionally, Microsoft recommends enforcing multifactor authentication (MFA) on all accounts, isolating privileged accounts from productivity accounts, and improving the security posture of critical assets like ESXi hypervisors and vCenters.
Organizations using VMware ESXi hypervisors should take immediate action to apply the recommended patches and follow best practices to mitigate the risk of ransomware attacks.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access