A critical vulnerability in the VMware ESXi hypervisor was recently patched, but Microsoft disclosed that malicious actors had already exploited it to gain administrative privileges and potentially deploy ransomware attacks.
VMware ESXi is a type of bare-metal hypervisor that enables the deployment and management of virtual machines directly on physical server hardware, making it suitable for critical systems. A remote code execution vulnerability in vSphere 7.x has been identified as CVE-2024-37085, allowing an attacker with elevated privileges to access and control a domain-joined ESXi host.
When a configured Active Directory group is deleted and re-created, a security risk emerges: any user added to the newly formed “ESX Admins” group gains administrative privileges by default. An existing domain group may also simply be renamed to “ESX Admins,” so that newly appointed or existing members assume administrative roles and the permissions that come with them.
To exploit CVE-2024-37085, an attacker needs unauthorized access to the Active Directory environment, a privilege most likely obtained through an earlier successful intrusion. The organization must also have joined its ESXi host to an Active Directory domain for centralized management, a common practice that simplifies administration.
Broadcom, the owner of VMware, is urging users of affected products to update their software by a specific deadline in order to mitigate the risk. The vulnerability affects various versions of ESXi, including 7.0 and 8.0, as well as VMware Cloud Foundation versions 4.x and 5.x, although patches were only released for ESXi 8.0 and VMware Cloud Foundation 5.x. The vulnerability carries a relatively low CVSS score of 6.8.
Nonetheless, on July 29, Microsoft’s Threat Intelligence team disclosed that CVE-2024-37085 has been exploited by ransomware operators such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, ultimately leading to Akira and Black Basta ransomware attacks. The exploitation wasn’t publicly disclosed until after Broadcom’s initial warning was issued.
Microsoft warned that, in the event of a ransomware attack, possessing unrestricted administrator access to an ESXi host enables hackers to encrypt the file system, thereby compromising the ability of dependent servers to operate effectively. The attacker is also granted access to hosted virtual machines, potentially enabling them to extract sensitive information or move laterally within the network.
How threat actors exploited CVE-2024-37085
CVE-2024-37085 affects ESXi hypervisors that are joined to an Active Directory domain. Specifically, when a hypervisor is part of a domain, any member of a domain group named “ESX Admins” is automatically granted full administrative access.
While an ESXi cluster does not come with an “ESX Admins” group, malicious actors can create one using the command net group "ESX Admins" /domain /add. The membership of this group is determined by a unique identifier, the security ID (SID), making it straightforward to add new members.
Microsoft researchers revealed that any domain-joined ESXi hypervisor user with the ability to create a new group can elevate privileges to full administrative access, achieving this by simply adding themselves or other authorized users to the newly created group.
Cybercriminals may exploit CVE-2024-37085 using tactics such as:
- Adding a new member to the “ESX Admins” Active Directory group. This is the approach most widely observed in the wild.
- Renaming any existing group within the domain to “ESX Admins” and adding a new user, or designating an existing group member as the administrator.
- Relying on the privilege refresh delay: even after the network administrator reassigns the management group, members of “ESX Admins” temporarily retain their administrative privileges.
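The three tactics above all leave a trace in the domain controller’s Security log: a group creation, a member addition, or a group rename involving the name “ESX Admins.” The following detection logic is an added example (not from the article or from Microsoft’s advisory) that runs over constructed sample records; it assumes the records carry the standard field names of Windows Security events 4727 (group created), 4728 (member added) and 4781 (account renamed).

```python
import re
from typing import Dict, Iterable, List, Tuple

# Standard Windows Security event IDs (assumed field names follow the event XML).
GROUP_CREATED, MEMBER_ADDED, ACCOUNT_RENAMED = 4727, 4728, 4781

# Match the group name loosely (case and spacing) so that variants such as
# "esx admins" or "ESX  Admins" are not missed by the detection.
ESX_ADMINS = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)


def is_esx_admins(name) -> bool:
    return isinstance(name, str) and ESX_ADMINS.match(name) is not None


def detect_esx_admins_abuse(events: Iterable[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (finding, actor, detail) for events matching the CVE-2024-37085 tactics."""
    findings: List[Tuple[str, str, str]] = []
    for e in events:
        eid = e.get("EventID")
        actor = str(e.get("SubjectUserName", "?"))
        if eid == GROUP_CREATED and is_esx_admins(e.get("TargetUserName")):
            findings.append(("esx_admins_group_created", actor, str(e["TargetUserName"])))
        elif eid == MEMBER_ADDED and is_esx_admins(e.get("TargetUserName")):
            findings.append(("esx_admins_member_added", actor, str(e.get("MemberName", "?"))))
        elif eid == ACCOUNT_RENAMED and is_esx_admins(e.get("NewTargetUserName")):
            findings.append(("group_renamed_to_esx_admins", actor, str(e.get("OldTargetUserName", "?"))))
    return findings


# Constructed sample records: one of each tactic plus a benign Domain Admins change.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "mallory", "OldTargetUserName": "Helpdesk",
     "NewTargetUserName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Domain Admins",
     "MemberName": "CN=ops,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for finding in detect_esx_admins_abuse(SAMPLE_EVENTS):
        print(finding)
```

Any hit should be correlated with the ESXi host’s own logs, since a legitimately created “ESX Admins” group also matches.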
According to Microsoft, incident response engagements targeting and affecting ESXi virtualization platforms have more than quadrupled over the past three years. ESXi hypervisors have become favored targets because security products offer limited visibility into and protection for them, and because their file systems can be mass-encrypted in a single step.
Ransomware-as-a-service groups have been increasingly active in developing ESXi-specific malware since 2021, alongside other notable variants.
In December, cybercriminals affiliated with the Storm-0506 group attempted to deploy the Black Basta ransomware on a North American engineering firm’s systems by exploiting CVE-2024-37085. The group initially obtained access through a Qakbot infection, and subsequently leveraged a Windows CLFS privilege escalation flaw to elevate their privileges. The attackers then used the Pypykatz tool to steal credentials from domain controllers before exploiting additional vulnerabilities to maintain a lasting foothold.
Ultimately, the group exploited the CVE-2024-37085 vulnerability to gain escalated privileges on the ESXi hypervisors. Microsoft detected the malicious actor’s activity, which involved creating an “ESX Admins” group and subsequently adding a new user before encrypting the ESXi file system and seizing control of the virtual machines hosted on the ESXi hypervisor.
Suggestions for VMware ESXi operators
- Configure automatic software updates for all domain-joined VMware ESXi hypervisors to ensure timely deployment of the latest security patches from VMware.
- To prevent malicious actors from obtaining the privileged account needed to exploit CVE-2024-37085, adhere to strong credential hygiene practices: enforce multifactor authentication, move toward passwordless authentication strategies, and use authenticator apps for sign-in. Additionally, isolate privileged accounts from productivity accounts to prevent unauthorized access and safeguard sensitive information.
- Ensure that critical assets such as ESXi hypervisors and vCenter servers carry the most recent security patches, providing a robust foundation for incident response. Additionally, implement vigilant monitoring and develop comprehensive backup and disaster recovery strategies to guard against data loss or system downtime.
- Identify potential weaknesses in network devices through SNMP scanning and act on the resulting security recommendations.