
Microsoft: Ransomware gangs exploiting VMware ESXi flaw

VMware ESXi has proven to be a popular target for ransomware threat actors and a challenge for enterprises to patch.

Microsoft warned that multiple ransomware gangs, including Black Basta, are exploiting a VMware ESXi vulnerability that could allow attackers to gain full administrative permissions on an affected machine.

In a blog post published on Monday, Microsoft detailed the medium-severity VMware ESXi authentication bypass vulnerability tracked as CVE-2024-37085 and confirmed that it's under active exploitation by ransomware gangs. Microsoft credited its researchers Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan and Vaibhav Deshmukh for discovering the vulnerability.

Exploitation could allow attackers with Windows Active Directory permissions to gain full access to an ESXi hypervisor host. Microsoft warned that attacks could affect critical network servers.

Microsoft researchers observed several ransomware operators, including ones it tracks as Storm-0506, Storm-1175 and Octo Tempest, leveraging the flaw to deploy Black Basta and Akira ransomware.

"Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target," Microsoft wrote in the blog.

Researchers discovered the flaw while investigating "numerous attacks" conducted by ransomware operators Microsoft tracks as Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest that involved ESXi hypervisor. Attack analysis revealed the threat actors leveraged an ESXi vulnerability to elevate their privileges to full administrative access on the ESXi hypervisor.

"Further analysis of the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named 'ESX Admins' to have full administrative access by default. This group is not a built-in group in Active Directory and does not exist by default," the blog read.

The researchers then discovered three ways attackers could exploit CVE-2024-37085. Microsoft warned that the first method, which involves creating an 'ESX Admins' group in the domain and adding a user to it, is currently the only one being actively exploited by the ransomware groups.

Researchers reported the flaws to VMware earlier this year, according to the blog.

"ESXi is a popular product in many corporate networks, and in recent years, we have observed ESXi hypervisors become a favored target for threat actors," the blog read.

Microsoft added that ESXi is a popular target for attackers because hypervisors have limited security product options and pose visibility challenges for security operations center teams.

Microsoft stressed that its incident response engagements involving ESXi hypervisors more than doubled over the last three years. It's particularly dangerous when ransomware is involved.

Last year, Mandiant warned that a Chinese advanced persistent threat group it tracks as UNC3886 was exploiting an ESXi zero-day vulnerability. Just prior to that, attackers exploited a two-year-old ESXi vulnerability in a widespread ransomware campaign dubbed ESXiArgs. The attacks highlighted enterprises' hypervisor patching struggles, which could pose a problem with CVE-2024-37085.

Microsoft said it observed Storm-0506 deploy Black Basta ransomware then exploit CVE-2024-37085 against an unnamed engineering firm earlier this year. The full attack scope and patching rates remain unknown.

"Microsoft observed that the threat actor created the 'ESX Admins' group in the domain and added a new user account to it, following these actions, Microsoft observed that this attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor," the blog read.

In addition to applying VMware's fix for CVE-2024-37085, Microsoft recommended that enterprises implement MFA, isolate privileged accounts from productivity accounts and improve critical assets posture.
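The exploitation method described above leaves a footprint in Active Directory before any ESXi host is touched: a domain group named 'ESX Admins' is created and a user is added to it. The following detector is an added example, not code from the article, Microsoft or Broadcom. It runs over a handful of constructed, simplified Windows Security audit records (not real logs); the event IDs used are the standard Windows audit events 4727 (security-enabled global group created) and 4728 (member added to a security-enabled global group), while the flat JSON field names (`actor`, `group`, `member`) are an assumed simplification of the real event schema that a SIEM normaliser would have to produce. The case-insensitive group-name comparison and the 24-hour correlation window are design choices of this example, not claims about how ESXi matches the group.

```python
"""Detect the CVE-2024-37085 precursor in Active Directory audit events:
creation of a group named "ESX Admins" and member additions to it.

Hypothetical example. The input format is a constructed, simplified
JSON-lines rendering of Windows Security events; field names are an
assumption, the event IDs 4727/4728 are the standard Windows audit IDs.
"""

import json
from datetime import datetime, timedelta

WATCHED_GROUP = "esx admins"   # matched case-insensitively (defensive choice)
GROUP_CREATED = 4727           # A security-enabled global group was created
MEMBER_ADDED = 4728            # A member was added to a security-enabled global group

# Constructed sample events; not taken from the article or any real environment.
SAMPLE_EVENTS = r"""
{"time": "2024-05-10T02:14:05Z", "event_id": 4720, "actor": "CORP\\svc-backup", "target": "CORP\\ops-temp"}
{"time": "2024-05-10T02:15:11Z", "event_id": 4727, "actor": "CORP\\svc-backup", "group": "ESX Admins"}
{"time": "2024-05-10T02:15:40Z", "event_id": 4728, "actor": "CORP\\svc-backup", "group": "ESX Admins", "member": "CORP\\ops-temp"}
{"time": "2024-05-10T09:00:00Z", "event_id": 4728, "actor": "CORP\\it-admin", "group": "Helpdesk", "member": "CORP\\jdoe"}
"""


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a datetime 'time' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_esx_admins_activity(events, window=timedelta(hours=24)):
    """Return a list of alerts for creation of, or additions to, 'ESX Admins'.

    A member addition that follows a creation of the same group within
    `window` is flagged separately, since that sequence is exactly the
    exploitation pattern Microsoft described; an addition to a group that
    already existed is still reported, but as a lower-confidence event.
    """
    alerts = []
    creations = []
    for ev in sorted(events, key=lambda e: e["time"]):
        group = ev.get("group", "")
        if group.lower() != WATCHED_GROUP:
            continue  # unrelated group; ignore
        if ev["event_id"] == GROUP_CREATED:
            creations.append(ev)
            alerts.append({"kind": "group_created", "actor": ev["actor"],
                           "time": ev["time"], "group": group})
        elif ev["event_id"] == MEMBER_ADDED:
            recent = [c for c in creations if ev["time"] - c["time"] <= window]
            alerts.append({
                "kind": "member_added_after_creation" if recent else "member_added",
                "actor": ev["actor"], "time": ev["time"],
                "group": group, "member": ev.get("member", "?"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_esx_admins_activity(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['time'].isoformat()} {alert['kind']:<30} "
              f"actor={alert['actor']} member={alert.get('member', '-')}")
```

On the sample data the detector reports the group creation by `CORP\svc-backup` and, 29 seconds later, the addition of `CORP\ops-temp` flagged as `member_added_after_creation`; the Helpdesk change is ignored. If an organisation legitimately uses an 'ESX Admins' group, the `group_created` alert would fire only once historically, and subsequent `member_added` alerts become the review queue for that group's membership.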

TechTarget Editorial contacted Broadcom regarding the attack scope and patching rates. Broadcom provided the following statement:

On July 29, 2024, Microsoft reported on the use of a known vulnerability in VMware ESXi by ransomware actors who had obtained access to a victim's network through unrelated means. This medium-severity ESXi vulnerability, cataloged as CVE-2024-37085, was discovered by Microsoft earlier this year and responsibly reported to Broadcom. We promptly fixed the issue in a software update to ESXi 8.x and published a security advisory that explained how to change settings in earlier versions of ESXi to mitigate the threat. Customers who have not yet updated ESXi or followed the published guidance are vulnerable to this authentication-bypass risk once a malicious actor has obtained unauthorized Active Directory privileges. For more information on Broadcom's recommendations for VMware product hardening, please visit the VMware Cloud Foundation Security Enablement website.

Microsoft provided the following statement to TechTarget Editorial:

Ransomware poses a major, high-severity threat being leveraged by threat actors across the landscape. Organizations should be aware that exploiting this vulnerability could lead to ransomware attacks or other malicious activities.

Microsoft frequently collaborates with other software vendors and partners to ensure coordinated responsible disclosure. VMware is one of those partners, and this vulnerability was responsibly disclosed, coordinated and finally released and assigned a CVE ID in June 2024.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
