Advisory

Microsoft warns ransomware groups exploiting VMware ESXi flaw CVE-2024-37085

Take action: If you are using VMware ESXi or VMware Cloud Foundation, update to the latest versions. If you are running unsupported versions (ESXi 7.0 and VMware Cloud Foundation 4.x), upgrade to a supported release. It does not matter whether your VMware hosts sit inside a trusted network: this attack first compromises a user via another vector and then pivots to the internal VMware systems. Patching of edge systems, phishing awareness and anti-malware therefore remain essential.


Learn More

Microsoft has issued a warning that ransomware gangs are actively exploiting a VMware ESXi authentication bypass vulnerability in ongoing attacks.

The flaw, tracked as CVE-2024-37085 (CVSS score of 6.8), was addressed with the release of ESXi 8.0 U3 on June 25, 2024.

This vulnerability allows attackers to add a new user to an 'ESX Admins' group they create in the domain; ESXi automatically grants that group full administrative privileges on the hypervisor. Exploiting this flaw requires high privileges on the target device and user interaction. Attackers with sufficient Active Directory (AD) permissions can recreate the configured AD group ('ESX Admins' by default) after it was deleted, gaining full access to an ESXi host. This permits ransomware operators to steal sensitive data, move laterally through networks, and encrypt the ESXi hypervisor's file system.

VMware has released patches for ESXi 8.0 and VMware Cloud Foundation 5.x, but no patches are planned for ESXi 7.0 and VMware Cloud Foundation 4.x.

Microsoft has identified three tactics to exploit CVE-2024-37085:

  1. Adding the "ESX Admins" group to the domain and including a user.
  2. Renaming any group in the domain to "ESX Admins" and adding a user to this group or using an existing group member.
  3. Refreshing ESXi hypervisor privileges, ensuring that admin privileges remain with the 'ESX Admins' group despite reassignments.

This vulnerability has been exploited by ransomware groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, resulting in Akira and Black Basta ransomware deployments. For example, Storm-0506 exploited this flaw to deploy Black Basta ransomware on the ESXi hypervisors of a North American engineering firm. The threat actor initially gained access via a Qakbot infection and exploited a Windows CLFS vulnerability (CVE-2023-28252) to elevate privileges.

Ransomware groups increasingly target ESXi hypervisors due to their critical role in hosting applications and data. Disabling ESXi virtual machines (VMs) can cause significant outages and disrupt business operations, making them a lucrative target for ransomware operators.

Users are urged to apply the latest patches released by VMware for ESXi 8.0 and VMware Cloud Foundation 5.x. Users of unsupported versions (ESXi 7.0 and VMware Cloud Foundation 4.x) should upgrade to newer versions to receive security updates and support.

Enhanced monitoring of AD group configurations (in particular the creation or renaming of any group called 'ESX Admins' and additions to its membership) and of ESXi settings is recommended to detect any unauthorized changes.
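As an added example (not code from the original advisory, and not Microsoft's or Broadcom's own tooling), the Python script below shows what the monitoring recommendation looks like in practice: it scans Windows Security audit events for the three tactics listed above, flagging creation of a group named 'ESX Admins', a rename of any group to that name, and member additions to it. The event IDs are the standard Windows audit IDs for security group creation (4727, 4731, 4754), member addition (4728, 4732, 4756) and account rename (4781); the flattened `Key=Value` line format and the sample events are constructed for this example and are not real log output.

```python
"""Flag AD group changes matching the CVE-2024-37085 'ESX Admins' pattern.

Added example for illustration. The Windows Security event IDs and field
names (TargetUserName, MemberName, OldTargetUserName, NewTargetUserName) are
the real ones; the one-line 'Key=Value' export format and the sample events
are constructed assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

TARGET_GROUP = "esx admins"

# Security-enabled global / local / universal group created.
GROUP_CREATED = {4727, 4731, 4754}
# Member added to security-enabled global / local / universal group.
MEMBER_ADDED = {4728, 4732, 4756}
# The name of an account (users and groups alike) was changed.
ACCOUNT_RENAMED = {4781}

# Key=Value or Key="quoted value" pairs; quoted values may contain spaces and '='.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Finding:
    timestamp: str
    event_id: int
    actor: str
    detail: str


def normalize(name: str) -> str:
    """Case-insensitive, whitespace-collapsed form so 'ESX  admins' still matches."""
    return " ".join(name.split()).lower()


def parse_event(line: str) -> Dict[str, object]:
    """Parse one flattened line: '<timestamp> Key=Value Key="quoted value" ...'."""
    timestamp, _, rest = line.strip().partition(" ")
    fields: Dict[str, object] = {"Timestamp": timestamp}
    for m in _KV.finditer(rest):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    fields["EventID"] = int(str(fields.get("EventID", "0")))
    return fields


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per event that touches a group named 'ESX Admins'."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        eid = int(ev["EventID"])
        ts = str(ev["Timestamp"])
        actor = str(ev.get("SubjectUserName", "?"))
        group = str(ev.get("TargetUserName", ""))
        if eid in GROUP_CREATED and normalize(group) == TARGET_GROUP:
            findings.append(Finding(ts, eid, actor, f"group {group!r} created"))
        elif eid in MEMBER_ADDED and normalize(group) == TARGET_GROUP:
            member = str(ev.get("MemberName", "?"))
            findings.append(Finding(ts, eid, actor, f"member {member} added to {group!r}"))
        elif eid in ACCOUNT_RENAMED:
            old = str(ev.get("OldTargetUserName", ""))
            new = str(ev.get("NewTargetUserName", ""))
            if normalize(new) == TARGET_GROUP:
                findings.append(Finding(ts, eid, actor, f"account {old!r} renamed to {new!r}"))
    return findings


# Constructed sample events: three matches (create, member add, rename) and three benign lines.
SAMPLE_EVENTS = [
    '2024-07-29T10:15:02Z EventID=4727 SubjectUserName=jdoe TargetUserName="ESX Admins" TargetDomainName=CORP',
    '2024-07-29T10:15:40Z EventID=4728 SubjectUserName=jdoe TargetUserName="ESX Admins" MemberName="CN=bsmith,CN=Users,DC=corp,DC=local"',
    '2024-07-29T11:02:11Z EventID=4781 SubjectUserName=svc-backup OldTargetUserName="Helpdesk Staff" NewTargetUserName="esx  admins"',
    '2024-07-29T11:05:00Z EventID=4728 SubjectUserName=hr-admin TargetUserName="Domain Users" MemberName="CN=new.hire,CN=Users,DC=corp,DC=local"',
    '2024-07-29T11:06:13Z EventID=4727 SubjectUserName=hr-admin TargetUserName=Finance TargetDomainName=CORP',
    '2024-07-29T11:07:45Z EventID=4720 SubjectUserName=hr-admin TargetUserName=new.hire',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.timestamp} event {f.event_id} by {f.actor}: {f.detail}")
```

Any hit from this check deserves an immediate look, since legitimate creation or renaming of a group to 'ESX Admins' should be rare and change-controlled; the rename branch is what catches the second tactic, where an existing group with existing members is simply renamed.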
