1.0 Introduction
Recently, Microsoft researchers uncovered a vulnerability in VMware ESXi hypervisors, tracked as CVE-2024-37085, that is being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors. CVE-2024-37085 is an authentication bypass vulnerability in VMware ESXi: a malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management. The resulting unauthorized full administrative permissions enable threat actors to execute mass encryption attacks on virtual machines hosted on ESXi servers. Notable groups, including Storm-0506 and Black Basta, are actively exploiting this weakness, resulting in significant disruption and potential data breaches for organizations globally.
2.0 Impact
With full administrative permissions on an ESXi hypervisor, the threat actor can encrypt its file systems, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly exfiltrate data or move laterally within the network.
3.0 Affected System
The following VMware ESXi versions are vulnerable to CVE-2024-37085:
- VMware ESXi versions prior to 7.0.
- VMware ESXi versions prior to 8.0.
- VMware Cloud Foundation versions prior to 5.x.
- VMware Cloud Foundation versions prior to 4.x.
Systems running these unpatched VMware ESXi installations are susceptible to this authentication bypass vulnerability.
4.0 Indicators of Compromise (IOCs)
Unexpected changes in Active Directory group memberships, specifically the re-creation of the "ESX Admins" group. The technique includes running the following commands, which result in the creation of a group named "ESX Admins" in the domain and the addition of a user to it:
- net group "ESX Admins" /domain /add
- net group "ESX Admins" username /domain /add
5.0 Technical Details
CVE-2024-37085 is an authentication bypass vulnerability in VMware ESXi that can be exploited if a malicious actor has sufficient Active Directory (AD) permissions. This vulnerability allows attackers to gain full administrative access to ESXi hypervisors configured to use AD for user management. The exploitation primarily involves re-creating the "ESX Admins" group after it has been deleted from AD and adding malicious users to this group.
Microsoft researchers observed ransomware operators, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, leveraging this vulnerability post-compromise. In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. The exploitation often involves creating a domain group named "ESX Admins" and adding users to this group to gain escalated privileges. The key exploitation methods identified are:
- Creating "ESX Admins" Group: If the "ESX Admins" group doesn't exist, any domain user with group creation rights can create this group and add themselves or other controlled users, gaining full administrative access to domain-joined ESXi hypervisors.
- Renaming Existing Groups: An attacker with permissions to rename groups can rename an arbitrary group to "ESX Admins" and then add users to this group or leverage existing group members to escalate privileges.
- Privileges Refresh: Even if a network administrator assigns another group for managing the ESXi hypervisor, the "ESX Admins" group's full administrative privileges may not be immediately removed, allowing attackers to abuse this group for some time.
Figure 1: Storm-0506 ESXi attack chain
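The three methods above (group creation, group rename, member addition) each leave a distinct Windows Security audit event on the domain controller, which is how the indicators in section 4.0 can be detected. The following detection logic is an added example for this advisory, not code from Microsoft or VMware; the event IDs are the real Windows Security IDs for those actions, while the event records, domain and user names are constructed samples.

```python
import json

# Windows Security event IDs that record the actions described in section 5.0.
GROUP_CREATED = 4727     # A security-enabled global group was created
MEMBER_ADDED = 4728      # A member was added to a security-enabled global group
ACCOUNT_RENAMED = 4781   # The name of an account (here: a group) was changed
TARGET_GROUP = "esx admins"  # compared case-insensitively so a casing change is not missed

# Constructed sample events (one JSON object per line), modelled on the named
# fields those event IDs carry. Names and domain are invented for this example.
SAMPLE_EVENTS = """
{"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"}
{"EventID": 4728, "SubjectUserName": "jdoe", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=local", "TargetUserName": "ESX Admins"}
{"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins"}
{"EventID": 4728, "SubjectUserName": "admin", "MemberName": "CN=bob,CN=Users,DC=corp,DC=local", "TargetUserName": "Domain Admins"}
"""


def detect_esx_admins_abuse(jsonl: str) -> list:
    """Return one finding per event that creates, renames to, or adds a member to 'ESX Admins'.

    Each finding names the technique from section 5.0 it corresponds to and the
    account (SubjectUserName) that performed the change, for triage.
    """
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        eid = ev.get("EventID")
        target = ev.get("TargetUserName", "").lower()
        if eid == GROUP_CREATED and target == TARGET_GROUP:
            # Method 1: the non-existent group is (re-)created.
            findings.append({"technique": "group_created", "actor": ev["SubjectUserName"]})
        elif eid == ACCOUNT_RENAMED and ev.get("NewTargetUserName", "").lower() == TARGET_GROUP:
            # Method 2: an arbitrary existing group is renamed to "ESX Admins".
            findings.append({"technique": "group_renamed", "actor": ev["SubjectUserName"],
                             "from": ev["OldTargetUserName"]})
        elif eid == MEMBER_ADDED and target == TARGET_GROUP:
            # Membership change: any addition to the group is worth an alert.
            findings.append({"technique": "member_added", "actor": ev["SubjectUserName"],
                             "member": ev["MemberName"]})
    return findings


if __name__ == "__main__":
    for f in detect_esx_admins_abuse(SAMPLE_EVENTS):
        print(f)
```

In a real deployment the same rule would be expressed in the SIEM's query language over forwarded domain controller logs; the fourth sample event (a change to "Domain Admins") shows the rule stays silent on unrelated group activity.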
5.1 Observed Commands and Attack Techniques
- Creating and Adding to "ESX Admins" Group:
Figure 2: Command to create and add “ESX Admins”
6.0 Recommendation
CyberSecurity Malaysia encourages users and administrators to review the security updates released by VMware for all domain-joined ESXi hypervisors and apply the necessary updates.
Kindly refer to the following URL: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
Generally, we advise users to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
For further enquiries, please contact Cyber999 Incident Response Centre through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: https://www.mycert.org.my
7.0 References
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
- https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-ransomware-gangs-exploit-vmware-esxi-auth-bypass-in-attacks/
- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
- https://securityaffairs.com/166295/cyber-crime/ransomware-gangs-exploit-cve-2024-37085-vmware-esxi.html
- https://thehackernews.com/2024/07/vmware-esxi-flaw-exploited-by.html
- https://www.helpnetsecurity.com/2024/07/30/cve-2024-37085-exploited/