Ransomware Gangs Exploit VMware ESXi Flaw: Is Your Data Safe?

Ransomware gangs are exploiting VMware ESXi authentication bypass (CVE-2024-37085) to gain admin access, steal data, and encrypt systems. Despite high privilege requirements, groups like Black Basta and Akira are actively targeting ESXi hypervisors, leading to major disruptions. Microsoft urges immediate updates to prevent exploitation.

Hot Take:

Ah, VMware ESXi vulnerabilities: the gift that keeps on giving…to ransomware gangs. Just when you thought your hypervisor was safe, here comes CVE-2024-37085 to spice things up. Remember when IT was just about turning it off and on again? Good times.

Key Points:

  • Microsoft warns of ransomware gangs exploiting VMware ESXi authentication bypass vulnerability (CVE-2024-37085).
  • The flaw allows attackers to add a new user to the ‘ESX Admins’ group, granting full admin privileges.
  • Exploitation requires high privileges and user interaction but leads to sensitive data theft and network lateral movement.
  • Ransomware groups like Black Basta and Akira are already using this vulnerability in their attacks.
  • Microsoft Incident Response reports a significant increase in attacks targeting ESXi hypervisors over the past three years.

Oops, They Did It Again

You’d think by now, after the countless headlines about ransomware attacks, we’d have a handle on this. But no, Microsoft just had to drop the bomb that ransomware gangs are actively exploiting a VMware ESXi vulnerability, lovingly known as CVE-2024-37085. Discovered by Microsoft’s own Edan Zwick, Danielle Kuznets Nohi, and Meitar Pinto, this medium-severity flaw allows attackers to create a new user in the ‘ESX Admins’ group, effectively giving them the keys to the kingdom. It was patched on June 25 with the release of ESXi 8.0 U3, but clearly, not everyone got the memo.

Admins Gone Wild

The vulnerability is like a buffet for hackers with an appetite for destruction. Broadcom explains that if a malicious actor has sufficient Active Directory (AD) permissions, they can gain full access to an ESXi host that uses AD for user management. How? By re-creating the configured AD group after it has been deleted from the domain. It’s like playing a game of cat and mouse, except the cat has a chainsaw. Several ESXi advanced settings are insecure by default, meaning the ‘ESX Admins’ group gets administrative privileges automatically when an ESXi host joins an AD domain, whether or not that group existed beforehand. And we know how that story ends—with the hypervisor’s file system encrypted and businesses scrambling to recover their data.

Three’s a Crowd

Microsoft has identified three tactics ransomware gangs use to exploit CVE-2024-37085. First, they simply create the ‘ESX Admins’ group in the domain and add a user to it. Easy-peasy. Second, they rename any existing group in the domain to ‘ESX Admins’ and then either add a user or use an existing member of that group. Because why do hard work when you can just rename stuff? Lastly, they refresh ESXi hypervisor privileges, assigning admin privileges to other groups without revoking the admin privileges already held by the ‘ESX Admins’ group. It’s like a bad magic trick where you lose your data instead of a rabbit.
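The first two tactics leave a footprint in the domain controller’s Security log, so here is an added defender-side example (not from the original article or from Microsoft) that hunts a batch of AD group-management events for an ‘ESX Admins’ group being created, changed (which is where a rename lands) or populated. The event IDs are the standard Windows group-management IDs; the field layout and the sample events are constructed and simplified.

```python
"""Hunt AD group-management events for the 'ESX Admins' abuse patterns
described for CVE-2024-37085: group created, group changed/renamed, member
added. Sample events are constructed, not real logs; field names are a
simplified stand-in for the Windows Security event fields."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows Security event IDs for group lifecycle events.
GROUP_CREATED = {4727, 4731, 4754}   # global / local / universal group created
GROUP_CHANGED = {4735, 4737, 4755}   # group changed (renames land here too)
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal

# Default group name ESXi grants admin rights to. Matched case-insensitively
# with flexible whitespace so cosmetic variants ("esx admins") still hit.
ESX_ADMINS = re.compile(r"^\s*esx\s*admins\s*$", re.IGNORECASE)


@dataclass
class Event:
    event_id: int
    subject: str         # account that performed the action
    target_group: str    # group name after the operation
    member: str = ""     # only populated for member-added events


def classify(ev: Event) -> Optional[str]:
    """Return a finding label if the event touches an 'ESX Admins' group."""
    if not ESX_ADMINS.match(ev.target_group):
        return None
    if ev.event_id in GROUP_CREATED:
        return "esx-admins-group-created"
    if ev.event_id in GROUP_CHANGED:
        return "esx-admins-group-changed"
    if ev.event_id in MEMBER_ADDED:
        return "member-added-to-esx-admins"
    return None


def hunt(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (label, actor, detail) for every event matching a pattern."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((label, ev.subject, ev.member or ev.target_group))
    return findings


# Constructed sample batch: one benign group, then the two abuse patterns.
SAMPLE_EVENTS = [
    Event(4727, "svc_hr", "HR-Payroll-Readers"),
    Event(4727, "jdoe", "ESX Admins"),
    Event(4728, "jdoe", "ESX Admins", member="CORP\\jdoe"),
    Event(4737, "mallory", "esx admins"),          # existing group renamed
    Event(4756, "mallory", "ESX  Admins", member="CORP\\backup_svc"),
]
```

A legitimate ‘ESX Admins’ group that already exists will also match, so the group-changed label is a lead to triage against the group’s SamAccountName history rather than a verdict on its own.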

Ransomware Rodeo

And who are the culprits, you ask? Say hello to Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest—ransomware operators who’ve already exploited this vulnerability in the wild. They’ve used it to deploy Akira and Black Basta ransomware, among others. Storm-0506, for example, went straight for the jugular, deploying Black Basta on the ESXi hypervisors of a North American engineering firm. It wasn’t just any old attack; they first gained access via a Qakbot infection, exploited a Windows CLFS vulnerability (CVE-2023-28252) to elevate privileges, and then used Cobalt Strike and Pypykatz to steal credentials and move laterally through the network. It’s like watching a high-stakes heist movie, except it’s your data being held hostage.

Hypervisor Hijinks

Targeting ESXi hypervisors isn’t a new trend, but it’s certainly gaining steam. Many enterprises use ESXi VMs to host critical applications and store data, making them juicy targets. Taking down these VMs can cause major outages and disrupt business operations—music to a ransomware gang’s ears. While these groups typically create lockers dedicated to encrypting ESXi VMs, exploiting specific vulnerabilities like CVE-2024-37085 offers a quicker route to access. Even the Play ransomware group has jumped on the bandwagon, deploying an ESXi Linux locker in their attacks.

Microsoft’s Crystal Ball

Microsoft Incident Response has been busy
