Ransomware Gangs Actively Exploiting VMware ESXi Auth Bypass Vulnerability: Microsoft Warns
July 29, 2024
Microsoft has warned that ransomware gangs are actively exploiting a vulnerability in VMware ESXi's authentication system. The flaw, known as CVE-2024-37085, was discovered by Microsoft security researchers and addressed with the release of ESXi 8.0 U3 on June 25. The vulnerability allows attackers to create a new user in an 'ESX Admins' group they create, which automatically grants full administrative privileges on the ESXi hypervisor.
This vulnerability, while requiring high privileges on the target device and user interaction, is being exploited by ransomware gangs to gain full admin privileges on domain-joined hypervisors. This allows them to access sensitive data stored on the hosted virtual machines (VMs), move laterally through the victims' networks, and encrypt the ESXi hypervisor's file system. Microsoft has identified at least three tactics that could be used to exploit this vulnerability.
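Because the weakness hinges on an Active Directory group named 'ESX Admins', a defender can watch domain controller audit logs for that name. The detection sketch below is an added example, not code from the article or from Microsoft; it assumes simplified field names for Windows Security events 4727/4754 (group created), 4737/4755 (group changed, used here to catch a rename to the same name, a variant the article does not describe) and 4728/4756 (member added), and runs over constructed sample events.

```python
import re
from typing import Iterable, Optional

# The article's point: membership in an AD group named "ESX Admins" grants
# full admin on domain-joined ESXi hosts (CVE-2024-37085). Match the name
# case-insensitively and tolerate stray whitespace so trivial variants are caught.
ESX_ADMINS = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)

# Windows Security event IDs to watch. The dict keys used below are an assumed,
# simplified rendering of the event data, not the exact EVTX schema.
GROUP_CREATED = {4727, 4754}   # security-enabled global/universal group created
GROUP_CHANGED = {4737, 4755}   # group changed (covers a rename to "ESX Admins")
MEMBER_ADDED = {4728, 4756}    # member added to security-enabled group
WATCHED = GROUP_CREATED | GROUP_CHANGED | MEMBER_ADDED


def classify(event: dict) -> Optional[str]:
    """Return a finding label if the event touches an 'ESX Admins' group, else None."""
    eid = event.get("EventID")
    if eid not in WATCHED:
        return None
    group = event.get("TargetUserName", "")
    if not ESX_ADMINS.match(group):
        return None
    actor = event.get("SubjectUserName", "?")
    if eid in GROUP_CREATED:
        return f"group-created: '{group}' by {actor}"
    if eid in GROUP_CHANGED:
        return f"group-renamed-to-esx-admins: '{group}' by {actor}"
    return f"member-added: {event.get('MemberName', '?')} -> '{group}' by {actor}"


def scan(events: Iterable[dict]) -> list:
    """Run classify() over a stream of parsed events and keep the findings, in order."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample events (not from the article) to exercise the rule.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jsmith", "TargetUserName": "Finance-Admins"},
    {"EventID": 4727, "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc_backup",
     "MemberName": "CN=svc_backup,OU=Svc,DC=corp,DC=local", "TargetUserName": "esx  admins"},
    {"EventID": 4737, "SubjectUserName": "jsmith", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jsmith",
     "MemberName": "CN=alice,DC=corp,DC=local", "TargetUserName": "Domain Users"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Any hit on a domain that has no legitimate ESX Admins group, or a hit from an account that is not a hypervisor administrator, is worth an immediate look; the same names show up in the subject fields of the ESXi host's own Active Directory login events.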
The vulnerability has been exploited in the wild by ransomware operators known as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. These attacks have resulted in the deployment of Akira and Black Basta ransomware. For example, Storm-0506 deployed Black Basta ransomware on the ESXi hypervisors of a North American engineering firm by exploiting the CVE-2024-37085 flaw.
The threat actor initially gained access to the organization via a Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices. The threat actor then used Cobalt Strike and Pypykatz to steal the credentials of two domain administrators and move laterally to four domain controllers.
Ransomware operators have increasingly targeted organizations' ESXi hypervisors over the years. Many enterprises use ESXi VMs to host critical applications and store data because of their efficient resource handling, so taking down ESXi VMs can cause major outages and disrupt business operations, while encrypting the files and backups stored on the hypervisor severely limits victims' options to recover their data. However, ransomware groups have focused on creating lockers dedicated to encrypting ESXi VMs rather than on specific ESXi vulnerabilities that would give them a quicker way of acquiring and maintaining access to a victim's hypervisors. The Play ransomware group is the latest such operation to start deploying an ESXi Linux locker in its attacks.
Microsoft has warned that the number of Microsoft Incident Response engagements involving the targeting and impacting of ESXi hypervisors has more than doubled in the last three years.