A vulnerability in the ESXi hypervisor was patched by VMware last week, but Microsoft has revealed that it has already been exploited by ransomware groups to gain administrative permissions.

VMware ESXi is a bare-metal hypervisor that enables the creation and management of virtual machines directly on server hardware, which may include critical servers. CVE-2024-37085 is an authentication bypass vulnerability that allows malicious actors with sufficient permissions to gain full access to a domain-joined ESXi host.

The issue arises when the configured Active Directory group is deleted and recreated, as any user added to a new group named “ESX Admins” will have administrator privileges by default. A domain group can also simply be renamed “ESX Admins,” and any new or existing members will have administrative privileges.

But to exploit CVE-2024-37085, the hacker needs privileged access to the Active Directory environment, which must have been gained through a previously successful cyberattack. The organisation also needs to have joined their ESXi host to the Active Directory for user management purposes, which many do for convenience.

Broadcom, the owner of VMware, released several fixes for affected devices between June 25 and July 25. The vulnerability affects ESXi versions 7.0 and 8.0 and VMware Cloud Foundation versions 4.x and 5.x, but patches were only rolled out for ESXi 8.0 and VMware Cloud Foundation 5.x. It has a relatively low CVSS severity score of 6.8.

However, on July 29, Microsoft’s Threat Intelligence team released a report that claims CVE-2024-37085 has been exploited by ransomware groups such as Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest, and led to Akira and Black Basta ransomware deployments. Such in-the-wild exploitations were not mentioned in Broadcom’s advisory.

SEE: Black Basta Ransomware Struck More Than 500 Organizations Worldwide

Microsoft said: “In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.”

How bad actors exploited CVE-2024-37085

CVE-2024-37085 stems from ESXi hypervisors joined to an Active Directory domain automatically granting full administrative access to any member of a domain group named “ESX Admins.”

Such a group does not exist by default, but cyber criminals can easily create one with the command “net group ‘ESX Admins’ /domain /add.” Membership in this group is also determined by name and not by security identifier (SID), so adding a member is trivial too.

“Any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group,” Microsoft researchers wrote.

According to Microsoft, cyber criminals could exploit CVE-2024-37085 by doing one of the following:

  • Creating an Active Directory group named “ESX Admins” and adding a user to it. This is the only technique seen used in the wild.
  • Renaming any group in the domain to “ESX Admins” and adding a user to the group or using an existing group member.
  • Leveraging the fact that even if the network administrator assigns another group in the domain to manage the ESXi, members of “ESX Admins” still retain their admin privileges for a period of time.
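Because ESXi matches the group by name rather than by SID, each of the three techniques above leaves a trace on the domain controller: a group creation, a group rename, or a membership change involving the name “ESX Admins.” The following is an added example (not code from the article, from Microsoft’s report or from VMware) of detection logic that flags those three event types. It runs over a constructed, simplified set of Windows Security events; the real event IDs are used, but the JSON field names (`event_id`, `group_name`, `old_group_name`, `member`, `actor`) are an assumed normalized schema, not the raw Windows event layout.

```python
"""Flag Active Directory group activity that would grant ESXi admin rights.

ESXi grants full administrative access to members of a domain group matched
by NAME ("ESX Admins"), so a defender wants an alert when that group is
created, when any group is renamed to that name, or when a member is added
to it. The records below are constructed sample events in a simplified
schema; real deployments would normalize domain-controller events into it.
"""
import json
import re

# Windows Security event IDs (real values) for security-enabled groups:
GROUP_CREATED = {4727, 4731, 4754}   # global / local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal
GROUP_CHANGED = {4737, 4735, 4755}   # group changed (a rename surfaces here)

# Name ESXi matches on by default. Comparison here is case-insensitive and
# whitespace-normalized as a conservative detection choice (an assumption,
# not a statement about how ESXi itself compares the string).
ESX_ADMINS = "esx admins"


def normalize(name):
    """Collapse whitespace and case so 'ESX  admins ' still matches."""
    return re.sub(r"\s+", " ", name or "").strip().lower()


def is_esx_admins(name):
    return normalize(name) == ESX_ADMINS


def classify(event):
    """Return 'created', 'renamed', 'member_added', or None for one event."""
    eid = event.get("event_id")
    group = event.get("group_name", "")
    if eid in GROUP_CREATED and is_esx_admins(group):
        return "created"
    if eid in GROUP_CHANGED:
        # Only a change that *introduces* the name is a rename; attribute
        # edits on an already-named group are not reported here.
        old = event.get("old_group_name", "")
        if is_esx_admins(group) and not is_esx_admins(old):
            return "renamed"
    if eid in MEMBER_ADDED and is_esx_admins(group):
        return "member_added"
    return None


def detect(lines):
    """Scan JSON-lines events and return a list of alert dicts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        kind = classify(event)
        if kind is None:
            continue
        alerts.append({
            "kind": kind,
            "group": event.get("group_name"),
            "actor": event.get("actor"),
            "member": event.get("member"),
            "time": event.get("time"),
        })
    return alerts


# Constructed sample events (assumed schema, not real log output).
SAMPLE_EVENTS = [
    '{"time": "2024-07-01T09:00:00Z", "event_id": 4727, "group_name": "Finance Admins", "actor": "hr-admin"}',
    '{"time": "2024-07-01T09:05:00Z", "event_id": 4727, "group_name": "ESX Admins", "actor": "jdoe"}',
    '{"time": "2024-07-01T09:06:00Z", "event_id": 4728, "group_name": "ESX Admins", "member": "svc-backup", "actor": "jdoe"}',
    '{"time": "2024-07-02T11:00:00Z", "event_id": 4737, "group_name": "ESX  admins", "old_group_name": "HelpDesk", "actor": "tlee"}',
    '{"time": "2024-07-02T11:01:00Z", "event_id": 4728, "group_name": "Domain Admins", "member": "tlee", "actor": "tlee"}',
    '{"time": "2024-07-02T11:02:00Z", "event_id": 4737, "group_name": "ESX Admins", "old_group_name": "ESX Admins", "actor": "tlee"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts: the creation by `jdoe`, the member add of `svc-backup`, and the rename of `HelpDesk`. The description-only change on the last line is deliberately not reported, which keeps the rule quiet on routine edits to an already-existing group. In production, the rename check is the one most worth keeping, since a renamed group can carry existing members into ESXi admin rights with no membership-change event at all.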

Microsoft states that the number of incident response engagements in which ESXi hypervisors were targeted or impacted has more than doubled in the last three years. It suggests that they have become popular targets because many security products have limited visibility and protection for an ESXi hypervisor and because their file systems allow for one-click mass encryption.

A number of ransomware-as-a-service groups have developed ESXi-specific malware since 2021, including Royal, Play, Cheers and TargetCompany.

SEE: Ransomware Cheat Sheet: Everything You Need To Know In 2024

Earlier this year, Storm-0506 attempted to deploy Black Basta ransomware on the system of an unnamed North American engineering firm using the CVE-2024-37085 vulnerability. The group gained initial access through a Qakbot infection and then exploited a Windows CLFS privilege escalation vulnerability. Next, hackers used the Pypykatz tool to steal the credentials of domain controllers before taking other measures to establish persistent access.

Finally, the group used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors. Microsoft observed that the threat actor created an “ESX Admins” group and added a new user to it before encrypting the ESXi file system and commandeering the virtual machines hosted on the ESXi hypervisor.

Recommendations for VMware ESXi operators

  • Install the latest software updates released by VMware on all domain-joined ESXi hypervisors.
  • Employ good credential hygiene to prevent threat actors from accessing the privileged account necessary to exploit CVE-2024-37085. Use multifactor authentication, passwordless authentication methods and authenticator apps, and isolate privileged accounts from productivity accounts.
  • Identify critical assets, like ESXi hypervisors and vCenters, and ensure they have the latest security updates, proper monitoring procedures and backup and recovery plans.
  • Identify vulnerabilities in network devices by scanning them with SNMP, and act on the resulting security recommendations.
