Security researchers have discovered that the BlackByte ransomware group is actively exploiting a recently patched authentication bypass vulnerability in VMware ESXi hypervisors to deploy ransomware and gain full administrative access to victim networks.
The vulnerability, tracked as CVE-2024-37085, allows attackers to bypass authentication on VMware ESXi systems that are joined to an Active Directory domain.
By exploiting this flaw, the BlackByte operators can create a malicious “ESX Admins” group and add users to it, automatically granting them full administrative privileges on the ESXi hypervisor.
Cisco Talos researchers observed BlackByte leveraging this vulnerability in recent attacks, noting that the group is “continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor.”
Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot
Exploit Chain:
- Initial access is gained through valid VPN credentials, likely obtained via brute-force attacks.
- The attackers escalate privileges by compromising Domain Admin accounts.
- They create an “ESX Admins” Active Directory group and add malicious accounts to it.
- This grants the attackers full administrative access to domain-joined ESXi hypervisors due to the CVE-2024-37085 vulnerability.
- The BlackByte ransomware is then deployed, which uses a self-propagating mechanism to spread across the network.
The latest version of the BlackByte ransomware appends the “.blackbytent_h” extension to encrypted files. It also drops four vulnerable drivers as part of its Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security controls:
- RtCore64.sys (MSI Afterburner driver)
- DBUtil_2_3.sys (Dell firmware update driver)
- zamguard64.sys (Zemana Anti-Malware driver)
- gdrv.sys (GIGABYTE driver)
It also creates “and operates primarily out of the “C:SystemData” directory. Several common files are created in this directory across all BlackByte victims, including a text file called “MsExchangeLog1.log”, which appears to be a process tracking log where execution milestones are recorded as comma-separated “q”, “w”, and “b”,” Talos said.
Notably, the ransomware binary appears to contain stolen credentials from the victim environment, allowing it to authenticate and spread to other systems using SMB and NTLM.
Microsoft researchers have also observed multiple ransomware groups, including Storm-0506 and Storm-1175, exploiting CVE-2024-37085 in attacks leading to Akira and Black Basta ransomware deployments.
BlackByte has targeted a wide range of industries without a strong focus on any particular sector. Their victims span critical infrastructure, private companies, and government entities across multiple sectors.
Organizations are strongly advised to patch their VMware ESXi systems to version 8.0 U3 or later to address this vulnerability. If patching is not immediately possible, VMware has provided workarounds involving changing specific ESXi advanced settings.
The BlackByte group’s quick adoption of this vulnerability highlights the ongoing arms race between cybercriminals and defenders. As ransomware tactics continue to evolve, organizations must remain vigilant and prioritize timely patching and security hardening of critical infrastructure components like virtualization platforms.
Defenders should monitor for suspicious Active Directory group creation, unexpected privilege escalation on ESXi hosts, and signs of lateral movement using compromised credentials. Implementing strong access controls, network segmentation, and robust backup strategies remain crucial in mitigating the impact of potential ransomware attacks targeting virtualized environments.
VMware has released a security update to address CVE-2024-37085. Here you can find more details.
- Immediate Patch Application: Administrators should prioritize applying the security patches provided by VMware to all affected systems.
- Network Segmentation: Isolate critical systems and limit network access to the management interfaces of VMware ESXi and vCenter Server.
- Monitoring and Logging: Implement robust monitoring and logging mechanisms to detect any unauthorized access attempts.
- Regular Audits: Conduct regular security audits and vulnerability assessments to ensure the integrity of the virtualized environment.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial