Microsoft researchers unveiled a critical vulnerability in VMware's ESXi hypervisors that multiple ransomware operators are actively exploiting.
The flaw, identified as CVE-2024-37085, allows threat actors to gain full administrative access to domain-joined ESXi hypervisors, potentially leading to widespread encryption of virtual machines and data exfiltration.
ESXi, a bare-metal hypervisor installed directly onto physical servers, is widely used in corporate networks to host critical virtual machines.
The vulnerability stems from a default configuration that grants full administrative permissions to members of a domain group named "ESX Admins" without proper validation. Alarmingly, this group does not exist by default in Active Directory, allowing attackers to create it and exploit the flaw.
Microsoft's Threat Intelligence team observed several high-profile ransomware groups, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, leveraging this vulnerability in their attacks.
These intrusions have resulted in deployments of notorious ransomware strains such as Akira and Black Basta. The researchers identified three methods for exploiting the vulnerability:
- Creating the "ESX Admins" group and adding a compromised user to it.
- Renaming an existing domain group to "ESX Admins."
- Relying on the fact that privileges granted to the "ESX Admins" group persist on the hypervisor even after an administrator changes the configured admin group.
According to Microsoft, a successful attack grants the threat actor full control over the ESXi hypervisors, enabling them to encrypt file systems, disrupt hosted servers, access virtual machines, and potentially move laterally within the network.
The blog post detailed a specific attack by the Storm-0506 group, which deployed Black Basta ransomware against an engineering firm in North America.
The threat actors initially gained access through a Qakbot infection, followed by privilege escalation using a Windows CLFS vulnerability (CVE-2023-28252). They then employed various tools, including Cobalt Strike and Pypykatz, to steal domain administrator credentials and move laterally within the network.
Microsoft has observed a significant increase in attacks targeting ESXi hypervisors, with incident response engagements involving these systems more than doubling in the past three years. The researchers attribute this trend to the limited visibility of many security products in ESXi environments and the potential for "one-click mass encryption" of hosted virtual machines.
To mitigate the risk, Microsoft strongly recommends that organizations using domain-joined ESXi hypervisors apply the security update released by VMware to address CVE-2024-37085.
Additional protective measures include:
- Validating and hardening the "ESX Admins" group if it exists in the domain.
- Manually denying access to this group in the ESXi hypervisor settings.
- Changing the admin group to a different group in the ESXi hypervisor.
- Implementing custom detections for new group names in XDR/SIEM systems.
- Configuring ESXi logs to be sent to a SIEM system for monitoring.
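The three techniques listed above (creating the group, renaming another group to that name, and adding members to it) all leave a trail in the domain controller's Security log, which is what the "custom detections for new group names" item is about. The following is an added example, not Microsoft's or VMware's code, of a minimal detection that maps Windows group-lifecycle audit events onto those three techniques. The event field names (`TargetUserName`, `SubjectUserName`, `MemberName`, `SamAccountName`) are a simplified, assumed representation of the event data, and the sample records are constructed; the event IDs themselves are the standard Windows Security audit IDs for security-enabled group creation, change and membership addition.

```python
"""Detection for abuse of the "ESX Admins" domain group (CVE-2024-37085).

Added example, not code from Microsoft or VMware. It scans Windows Security
audit events for the three techniques described in the article: creating an
"ESX Admins" group, renaming an existing group to that name, and adding a
member to it.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Windows Security log event IDs for security-enabled group lifecycle events
# (global / domain-local / universal variants of each).
GROUP_CREATED = {4727, 4731, 4754}
GROUP_CHANGED = {4737, 4735, 4755}   # attribute change, which is where a rename shows up
MEMBER_ADDED = {4728, 4732, 4756}

# AD sAMAccountName comparison is case-insensitive, so the rule must be too;
# inner whitespace is collapsed so that "ESX  ADMINS" also matches.
_TARGET = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)


def is_esx_admins(name: Optional[str]) -> bool:
    """True if a group name would satisfy the hypervisor's 'ESX Admins' check."""
    return bool(name) and _TARGET.match(name) is not None


@dataclass
class Finding:
    technique: str
    event_id: int
    group: str
    actor: str
    detail: str


def evaluate(event: dict) -> Optional[Finding]:
    """Map one audit event onto one of the three techniques, or None if benign.

    Field names are an assumed, simplified view of the event data:
    TargetUserName = group name, SubjectUserName = the account making the
    change, MemberName = the member being added, SamAccountName = the new
    sAMAccountName attribute value in a *_CHANGED event.
    """
    eid = event.get("EventID")
    group = event.get("TargetUserName", "")
    actor = event.get("SubjectUserName", "?")
    if eid in GROUP_CREATED and is_esx_admins(group):
        return Finding("group_created", eid, group, actor,
                       "new 'ESX Admins' group created in the domain")
    if eid in GROUP_CHANGED:
        new_name = event.get("SamAccountName")
        if is_esx_admins(new_name) or is_esx_admins(group):
            return Finding("group_renamed", eid, new_name or group, actor,
                           f"existing group '{group}' now carries the ESX Admins name")
    if eid in MEMBER_ADDED and is_esx_admins(group):
        return Finding("member_added", eid, group, actor,
                       f"'{event.get('MemberName', '?')}' added to ESX Admins")
    return None


def scan(events: list) -> list:
    """Run evaluate() over a batch of events and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events (not real logs): a benign group creation and
# membership change, interleaved with one instance of each technique.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TargetUserName": "Finance-Readers", "SubjectUserName": "helpdesk1"},
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "svc-backup"},
    {"EventID": 4737, "TargetUserName": "Old-Print-Ops", "SamAccountName": "esx admins",
     "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TargetUserName": "ESX  ADMINS",
     "MemberName": "CN=jdoe,OU=Staff,DC=example,DC=com", "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TargetUserName": "Finance-Readers",
     "MemberName": "CN=asmith,OU=Staff,DC=example,DC=com", "SubjectUserName": "helpdesk1"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] event {f.event_id} by {f.actor}: {f.detail}")
```

The case-insensitive, whitespace-tolerant match is the important design choice: a rule that only looks for the literal string "ESX Admins" misses a group created as "esx admins", which the hypervisor would still honour. In a real deployment the same three rules would be expressed in the SIEM's query language over the forwarded Security log, with the actor and the hypervisor-side audit trail (the ESXi logs the list above says to forward) correlated for triage.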
Microsoft has released several detection capabilities for Microsoft Defender XDR, including alerts for suspicious modifications to the ESX Admins group and new group additions. The company has also provided hunting queries to help organizations identify related activity in their networks.