Microsoft researchers have found a critical vulnerability in VMware’s ESXi hypervisors. Ransomware operators are using this problem to attack systems.
This vulnerability, CVE-2024-37085, allows threat actors to gain full administrative permissions on domain-joined ESXi hypervisors, posing a severe risk to organizations worldwide.
VMware ESXi is a hypervisor installed directly on a physical server, which lets you control and manage the server’s resources. It’s used to host important virtual machines (VMs) within a network.
The CVE-2024-37085 vulnerability revolves around a domain group named “ESX Admins,” which, by default, is granted full administrative access to ESXi hypervisors without proper validation.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
This flaw allows any domain user who can create or rename groups to escalate their privileges by adding themselves or other users to the “ESX Admins” group, thereby gaining full control over the ESXi hypervisor.
Microsoft researchers identified three methods for exploiting the vulnerability:
- Adding the “ESX Admins” group to the domain and including a user
- Renaming an existing domain group to “ESX Admins”
- Exploiting the ESXi hypervisor’s privilege refresh mechanism
Successful exploitation allows threat actors to encrypt the hypervisor’s file system, potentially disrupting the functionality of hosted servers. Additionally, attackers can access VMs, exfiltrate data, and move laterally within the network.
Exploitation in the Wild
Ransomware operators, including groups like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, have been observed exploiting this vulnerability in numerous attacks.
These groups have deployed ransomware variants such as Akira and Black Basta to encrypt the file systems of ESXi hypervisors; rendering hosted VMs inoperable and potentially exfiltrating data or moving laterally within the network.
One particularly notable attack involved Storm-0506 deploying Black Basta ransomware. The attackers initially gained access through a Qakbot infection and exploited a Windows vulnerability (CVE-2023-28252) to elevate their privileges.
They then used tools like Cobalt Strike and Pypykatz to steal credentials and move laterally within the network, ultimately creating the “ESX Admins” group and adding a user to it. This led to the encryption of the ESXi file system and the disruption of hosted VMs.
Mitigation and Protection
In response to these findings, VMware has released a security update to address CVE-2024-37085. Microsoft recommends that all organizations using domain-joined ESXi hypervisors apply this update immediately. Additionally, administrators should:
- Validate Group Existence: Ensure the “ESX Admins” group exists and is properly secured.
- Deny Access: Manually deny access to this group or change the administrative group settings in the ESXi hypervisor.
- Credential Hygiene: Protect highly privileged accounts with multifactor authentication (MFA) and isolate privileged accounts from productivity accounts.
- Improve Critical Asset Posture: Identify and secure critical assets like ESXi hypervisors with the latest security updates, monitoring procedures, and backup plans.
To protect against advanced threats, organizations must stay alert, update their systems, and follow strict security practices.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo