Microsoft researchers have observed multiple ransomware operators exploiting a recently patched vulnerability in ESXi hypervisors to gain full administrative control over domain-joined ESXi servers. This flaw, tracked as CVE-2024-37085, grants these threat actors the ability to encrypt file systems and disrupt critical virtual machines.
ESXi hypervisors, bare-metal hypervisors directly installed onto physical servers, host virtual machines essential to network operations. Gaining administrative permissions on these hypervisors gives ransomware operators the leverage to halt operations and potentially exfiltrate data.
How Ransomware Gangs are Exploiting the VMware ESXi Bug
The vulnerability resides in a domain group named “ESX Admins.” By default, any member of this group receives full administrative access to the ESXi hypervisor, without proper validation. This group doesn’t exist by default in Active Directory, yet ESXi hypervisors treat it as a legitimate admin group if created.
Microsoft disclosed this flaw to VMware via Coordinated Vulnerability Disclosure (CVD), leading VMware to release a security update. Microsoft advises ESXi server admins to apply these updates immediately to safeguard their systems.
Ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have already leveraged this technique. These operators have deployed ransomware such as Akira and Black Basta in numerous attacks, exploiting this vulnerability to create the “ESX Admins” group and adding themselves to it, thus gaining elevated privileges.
Further analysis revealed multiple methods to exploit this vulnerability. Threat actors could create the “ESX Admins” group, rename existing groups, or manipulate privilege refreshes to maintain control. Even when admins assign different groups for management, the hypervisor may still recognize the “ESX Admins” group, allowing continued exploitation.
In one incident, Storm-0506 used this flaw to deploy Black Basta ransomware against a North American engineering firm. The attackers first gained access via a Qakbot infection, then escalated privileges using another Windows vulnerability (CVE-2023-28252). With tools like Cobalt Strike and Pypykatz, they stole domain admin credentials, moved laterally across the network, and created the “ESX Admins” group to control the ESXi hypervisors.
This breach resulted in the encryption of the ESXi file system and disruption of hosted virtual machines. Although the attackers also targeted non-ESXi devices with PsExec, Microsoft Defender Antivirus thwarted these attempts on protected devices.
How to Mitigate these Attacks Against ESXi Servers
Hypervisors have become a preferred choice of target in the past few years for ransomware operators because of the following factors:
- Many security products have limited visibility and protection for an ESXi hypervisor.
- Encrypting an ESXi hypervisor file system allows one-click mass encryption, as hosted VMs are impacted. This could provide ransomware operators with more time and complexity in lateral movement and credential theft on each device they access.
To mitigate such attacks, Microsoft recommends organizations follow several protective measures. Key steps include:
- Install Security Updates: Apply VMware’s latest security updates on all domain-joined ESXi hypervisors. If updates are not feasible, validate and harden the “ESX Admins” group, deny access through ESXi settings, or change the admin group.
- Credential Hygiene: Enforce multifactor authentication (MFA), adopt passwordless methods, and separate privileged accounts from regular productivity accounts. This minimizes the risk of privilege escalation by threat actors.
- Monitor and Detect: Implement custom detections in extended detection and response (XDR) or security information and event management (SIEM) systems for new group names. Ensure ESXi logs are sent to a SIEM for monitoring suspicious activities.
- Protect Critical Assets: Regularly update and monitor critical assets like ESXi hypervisors and vCenters. Ensure robust backup and recovery plans are in place to mitigate potential disruptions.
Microsoft continues to emphasize the importance of collaboration among researchers, vendors, and the security community. Sharing intelligence and advancing defenses is crucial to protect users and organizations from evolving threats.