Microsoft security teams have flagged that various ransomware operators are leveraging a flaw in VMware’s ESXi, cataloged as CVE-2024-37085, to achieve unauthorized management-level access. By utilizing this exploit, attackers can enroll a new user into the ‘ESX Admins’ group, thereby gaining comprehensive control over the ESXi hypervisor.
Technical Analysis of the Vulnerability
Microsoft researchers Edan Zwick, Danielle Kuznets Nohi, and Meitar Pinto discovered the vulnerability, which was addressed in the ESXi 8.0 U3 update released on June 25. The flaw, which carries a CVSS 3.1 base score of 6.8, permits individuals with adequate Active Directory (AD) credentials to recreate the ‘ESX Admins’ group after its deletion, giving them full administrative control over any ESXi host that uses AD for its user management.
Groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have been reported to exploit this specific vulnerability. For example, Storm-0506 utilized the flaw to install Black Basta ransomware on the ESXi hypervisors of a North American engineering company. The incursion began with access through a Qakbot malware infection, followed by privilege escalation via a Windows CLFS vulnerability (CVE-2023-28252).
Impact on Business Operations
Due to the potential for significant operational disruptions, ransomware groups have increasingly targeted ESXi hypervisors. Encrypting the files and backups on these platforms can lead to operational standstills with few recovery routes. Microsoft has highlighted three exploitation methods for CVE-2024-37085: adding the ‘ESX Admins’ group to the domain and inserting a user, renaming any domain group to ‘ESX Admins’ and adding a user, or employing an existing group member’s credentials to update ESXi hypervisor permissions.
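The three methods above all leave a trace in the domain controller's Security log: a group named ‘ESX Admins’ is created, an existing group is renamed to that name, or a member is added to it. The following is an added example, not code from the article or from Microsoft, that scans constructed JSON-lines records (a simplified stand-in for exported Windows Security events) and flags those three patterns. It relies on the real Windows event IDs 4727 (global group created), 4781 (account name changed, which covers groups) and 4728 (member added to a global group) and on their standard EventData field names; the sample events are constructed, and the case-insensitive name match is a defensive choice rather than something the article states.

```python
import json

# Windows Security log event IDs this detector keys on (real IDs; the
# flat JSON layout used below is a constructed stand-in for EVTX/XML).
EVENT_GROUP_CREATED = 4727    # security-enabled global group created
EVENT_MEMBER_ADDED = 4728     # member added to security-enabled global group
EVENT_ACCOUNT_RENAMED = 4781  # name of an account (user or group) changed

# Matched case-insensitively and with surrounding whitespace stripped so a
# lookalike such as "esx admins " is not missed (defensive choice).
TARGET_GROUP = "esx admins"


def is_target_name(name):
    """True if the given account name is the ESXi admin group name."""
    return name is not None and name.strip().lower() == TARGET_GROUP


def classify(event):
    """Return the exploitation pattern an event matches, or None."""
    eid = event.get("EventID")
    if eid == EVENT_GROUP_CREATED and is_target_name(event.get("TargetUserName")):
        return "group-created"            # method 1: domain group created
    if (eid == EVENT_ACCOUNT_RENAMED
            and is_target_name(event.get("NewTargetUserName"))
            and not is_target_name(event.get("OldTargetUserName"))):
        return "group-renamed"            # method 2: existing group renamed
    if eid == EVENT_MEMBER_ADDED and is_target_name(event.get("TargetUserName")):
        return "member-added"             # a user inserted into the group
    return None


def scan(lines):
    """Scan JSON-lines security events and return a list of alert dicts."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        kind = classify(event)
        if kind is None:
            continue
        alerts.append({
            "pattern": kind,
            "event_id": event.get("EventID"),
            "actor": event.get("SubjectUserName"),
            # For a rename the group name lives in NewTargetUserName.
            "group": event.get("NewTargetUserName") or event.get("TargetUserName"),
            "member": event.get("MemberName"),
            "time": event.get("TimeCreated"),
        })
    return alerts


# Constructed sample events: two benign, three matching the patterns above.
SAMPLE_LINES = [
    '{"EventID": 4727, "TimeCreated": "2024-07-01T10:00:00Z", '
    '"SubjectUserName": "hr-admin", "TargetUserName": "Finance Users"}',
    '{"EventID": 4727, "TimeCreated": "2024-07-01T10:05:00Z", '
    '"SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}',
    '{"EventID": 4781, "TimeCreated": "2024-07-01T10:06:00Z", '
    '"SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk", '
    '"NewTargetUserName": "esx admins"}',
    '{"EventID": 4728, "TimeCreated": "2024-07-01T10:07:00Z", '
    '"SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", '
    '"MemberName": "CN=svc-backup,OU=Users,DC=example,DC=test"}',
    '{"EventID": 4728, "TimeCreated": "2024-07-01T10:08:00Z", '
    '"SubjectUserName": "hr-admin", "TargetUserName": "Domain Users", '
    '"MemberName": "CN=newhire,OU=Users,DC=example,DC=test"}',
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

In a real deployment the same three checks would run against exported Security events or a SIEM search; any hit on a domain that does not intentionally manage ESXi through an ‘ESX Admins’ group deserves immediate review, since the article's third method (using an existing member's credentials) produces no new group event and is only visible through ordinary privileged-credential monitoring.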
VMware has acknowledged the flaw and issued advisory notes for users to mitigate the associated risks. Users should follow the recommended security measures provided by VMware to protect their systems. The ransomware group known as Play has also recently used an ESXi Linux locker as part of their campaigns, indicating a growing trend in similar attacks. Microsoft reports that these kinds of attacks on ESXi hypervisors have increased significantly over the past three years.
Last Updated on November 7, 2024 3:28 pm CET