Ransomware attackers are leveraging CVE-2024-37085 to drop Black Basta and Akira ransomware on vulnerable systems, Microsoft says.
Ransomware operators are exploiting an authentication bypass vulnerability in VMware ESXi to gain full administrative control of hypervisors that are joined to Windows Active Directory domains.
Adversaries can use the access to encrypt file systems and disrupt all virtual servers on a vulnerable hypervisor, Microsoft said in an advisory this week. The vulnerability also gives hackers a way to access hosted VMs to steal data from them or to move laterally on a compromised network, Microsoft said.
A Two Command Attack Chain
The vulnerability, tracked as CVE-2024-37085, stems from how VMware ESXi handles authorization when the hypervisor is joined to an Active Directory domain. Microsoft researchers found that in this configuration, ESXi hypervisors "consider any member of a domain group named 'ESX Admins' to have full administrative access by default," Microsoft said.
In practice, an adversary with permission to create groups in the domain can obtain full administrative access to the ESXi hypervisor simply by creating a domain group named "ESX Admins" and then adding a user to it. "This group is not a built-in group in Active Directory and does not exist by default," Microsoft said. "ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treat any members of a group with this name with full administrative access, even if the group did not originally exist."
The post-compromise technique involves the attacker running the following two commands:
net group "ESX Admins" /domain /add
net group "ESX Admins" username /domain /add
Quick Take:
Attackers are exploiting an authentication bypass vulnerability (CVE-2024-37085) in VMware ESXi to drop ransomware.
The flaw impacts ESXi hypervisors that are joined to Windows domains.
The vulnerability allows an attacker with sufficient AD permissions to create a domain group named "ESX Admins" whose members are granted full administrative access to the hypervisor by default.
VMware has issued an update for the vulnerability.
Ransomware Attackers are Exploiting the Flaw
Microsoft said it had observed multiple ransomware groups, including Storm-1175, Storm-0506, Manatee Tempest and Octo Tempest, using the technique in numerous attacks. In several instances, the threat actors managed to deploy ransomware such as Black Basta and Akira on affected systems, Microsoft said.
Another way an attacker can exploit CVE-2024-37085 is to rename an existing domain group to "ESX Admins" and then add a user to that group. In this case, the attacker would already need the ability to rename arbitrary groups in the domain, Microsoft said. Microsoft has not observed any attackers using this approach in the attacks it has tracked so far.
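Both the two-command chain above and the rename variant leave a trace in the Windows Security log on the domain controller: a group-creation event (4727), a member-addition event (4728) and an account-rename event (4781), each carrying the group name. The following detection logic is an added example, not Microsoft's or VMware's code: it scans a constructed batch of Security events (field names follow the EventData names of the real events; the timestamps, account names and the 10-minute correlation window are assumptions) and flags any event that creates, populates or renames a group to "ESX Admins", then pairs a creation with a subsequent member addition by the same actor as the two-command chain. The case-insensitive match is a deliberately conservative assumption, not a documented ESXi behaviour.

```python
"""Hunt for the CVE-2024-37085 "ESX Admins" pattern in Windows Security events.

Flags:
  4727  security-enabled global group created   -> group named "ESX Admins"
  4728  member added to security-enabled group   -> target group "ESX Admins"
  4781  account/group renamed                    -> new name "ESX Admins"
and correlates a creation followed by a member addition as the two-command chain.
The events below are constructed sample data, not real log records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Group name ESXi treats as its admin group by default. Matching is done
# case-insensitively here as a conservative assumption.
ESX_ADMINS_GROUP = "esx admins"

EVENT_GROUP_CREATED = 4727
EVENT_MEMBER_ADDED = 4728
EVENT_ACCOUNT_RENAMED = 4781

# Assumed maximum gap between group creation and member addition for the two
# events to count as one attack chain; tune for your environment.
CHAIN_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class Finding:
    time: datetime
    event_id: int
    technique: str  # "create", "add-member" or "rename"
    actor: str      # SubjectUserName: the account that made the change
    detail: str


def is_esx_admins(name: str) -> bool:
    """True if a group name matches the ESXi admin group name (case-insensitive)."""
    return name.strip().lower() == ESX_ADMINS_GROUP


def scan_events(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that creates, populates or renames a group
    called ESX Admins. All other group activity is ignored."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        when = datetime.fromisoformat(ev["TimeCreated"])
        actor = ev.get("SubjectUserName", "<unknown>")
        if eid == EVENT_GROUP_CREATED and is_esx_admins(ev.get("TargetUserName", "")):
            findings.append(Finding(when, eid, "create", actor,
                                    f"group {ev['TargetUserName']!r} created"))
        elif eid == EVENT_MEMBER_ADDED and is_esx_admins(ev.get("TargetUserName", "")):
            findings.append(Finding(when, eid, "add-member", actor,
                                    f"{ev.get('MemberName')} added to {ev['TargetUserName']!r}"))
        elif eid == EVENT_ACCOUNT_RENAMED and is_esx_admins(ev.get("NewTargetUserName", "")):
            findings.append(Finding(when, eid, "rename", actor,
                                    f"{ev.get('OldTargetUserName')!r} renamed to "
                                    f"{ev['NewTargetUserName']!r}"))
    return findings


def detect_two_command_chain(findings: list[Finding]) -> list[tuple[Finding, Finding]]:
    """Pair each 'create' with a later 'add-member' by the same actor inside
    CHAIN_WINDOW: net group ... /add followed by net group ... username /add."""
    creates = [f for f in findings if f.technique == "create"]
    adds = [f for f in findings if f.technique == "add-member"]
    return [(c, a) for c in creates for a in adds
            if a.actor == c.actor and timedelta(0) <= a.time - c.time <= CHAIN_WINDOW]


# Constructed sample log: one benign membership change, then the two-command
# attack pattern, then the rename variant.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2024-07-29T08:55:00", "SubjectUserName": "hd-admin",
     "TargetUserName": "Helpdesk", "MemberName": "CN=Alice,CN=Users,DC=corp,DC=example"},
    {"EventID": 4727, "TimeCreated": "2024-07-29T09:00:01", "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"},
    {"EventID": 4728, "TimeCreated": "2024-07-29T09:00:07", "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "TimeCreated": "2024-07-29T11:30:00", "SubjectUserName": "svc-backup",
     "OldTargetUserName": "Printer Operators", "NewTargetUserName": "esx admins"},
]


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.time} {f.event_id} {f.technique:<10} by {f.actor}: {f.detail}")
    for c, a in detect_two_command_chain(found):
        print(f"CHAIN: {c.actor} created the group at {c.time} and populated it at {a.time}")
```

Any hit on the creation or rename of an "ESX Admins" group should be treated as high-severity on its own, since a legitimate administrator creating that group should be a rare, change-controlled event; the chain correlation is there to separate the observed two-command pattern from an isolated membership change that may have a benign explanation.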
VMware has released security updates for CVE-2024-37085 and two other vulnerabilities that Microsoft discovered and reported to the company earlier this year. "A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESX Admins' by default) after it was deleted from AD," the VMware advisory said.
Both Microsoft and VMware recommend that organizations update their instances to the updated versions as soon as possible.