
VMware flaw exposes servers to full admin control by threat actors


A flaw in VMware’s ESXi, identified as CVE-2024-37085, allows attackers with limited system access to gain full administrative control of the ESXi hypervisor, potentially compromising entire networks.

The vulnerability, which has been under attack for months, has seen exploitation by various ransomware groups, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest.

These cybercriminal groups have used the flaw in post-compromise attacks, exploiting the vulnerability after gaining initial limited access through other means.

This vulnerability grants attackers full administrative control, allowing them to encrypt file systems, disable servers, and access hosted virtual machines. This can lead to data exfiltration or further network infiltration. Microsoft discovered and reported this vulnerability to VMware, leading to a patch issued by Broadcom, VMware’s parent company.

“Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks,” researchers stated.

The researchers emphasised the alarming ease of exploitation of this vulnerability: simply creating a new domain group named ‘ESX Admins’ grants administrative rights to any user assigned to the group without needing authentication.

Creating the ‘ESX Admins’ group can be done with just two commands:

  • net group "ESX Admins" /domain /add
  • net group "ESX Admins" username /domain /add

[Image: Storm-0506 attack chain explained. | Source: Microsoft Threat Intelligence]

This simplicity, together with VMware’s medium severity rating of 6.8 out of 10, has drawn criticism from security experts. The issue lies in how ESXi hypervisors, when joined to an Active Directory domain, treat any member of a domain group named ‘ESX Admins’ as having full administrative access by default.

One particularly troubling instance involved the Storm-0506 group deploying Black Basta ransomware on an engineering firm in North America. The attackers initially gained access through a Qakbot infection and escalated their privileges by exploiting a Windows vulnerability (CVE-2023-28252).

They then used tools like Cobalt Strike and Pypykatz to steal domain administrator credentials. They moved laterally across the network, ultimately adding a new user to the ‘ESX Admins’ group and encrypting the ESXi file system.

Ransomware groups are targeting ESXi hypervisors because they can mass encrypt data with just a few clicks. Microsoft’s report highlights the limited visibility and protection many security products offer for ESXi, making this vulnerability particularly dangerous.

Researchers have urged administrators responsible for ESXi hypervisors to prioritise patching this vulnerability and investigating any suspicious modifications to the ‘ESX Admins’ group.
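The recommendation above to watch for suspicious changes to the ‘ESX Admins’ group translates directly into a detection rule over domain controller Security logs, since the group creation and membership changes described earlier are logged there. The following Python script is an added example, not code from the article or from Microsoft; it scans newline-delimited JSON events (a constructed sample is embedded) for the standard Windows group-lifecycle event IDs and flags any whose target group is named ‘ESX Admins’. The field names (`EventID`, `TargetUserName`, `MemberName`, and so on) follow the Security log's own field names, and the case-insensitive match is a conservative design choice of this example, not a claim about how ESXi compares the name.

```python
"""Flag Windows Security events that create, change or add members to an
Active Directory group named 'ESX Admins', the group name that ESXi treats
as its administrators group (CVE-2024-37085).

Added example; the events below are constructed, not real telemetry.
"""
import json
import re

# Standard Windows Security log event IDs for group lifecycle events.
GROUP_EVENTS = {
    4727: "security-enabled global group created",
    4737: "security-enabled global group changed",
    4728: "member added to security-enabled global group",
    4754: "security-enabled universal group created",
    4755: "security-enabled universal group changed",
    4756: "member added to security-enabled universal group",
}

# Conservative, case-insensitive match on the group name (design choice of
# this example): a 4737/4755 hit may be an existing group renamed to it.
ESX_ADMINS = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)

# Constructed sample: newline-delimited JSON, as a SIEM export might look.
SAMPLE_LOG = """
{"EventID": 4727, "TimeCreated": "2024-07-29T10:01:12Z", "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"}
{"EventID": 4728, "TimeCreated": "2024-07-29T10:01:15Z", "SubjectUserName": "jdoe", "MemberName": "CN=svc-backup,OU=Users,DC=corp,DC=local", "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"}
{"EventID": 4727, "TimeCreated": "2024-07-29T10:05:00Z", "SubjectUserName": "admin1", "TargetUserName": "Finance Analysts", "TargetDomainName": "CORP"}
{"EventID": 4737, "TimeCreated": "2024-07-29T11:20:41Z", "SubjectUserName": "jdoe", "TargetUserName": "esx admins", "TargetDomainName": "CORP"}
{"EventID": 4624, "TimeCreated": "2024-07-29T11:21:00Z", "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}
""".strip()


def parse_events(ndjson: str) -> list:
    """Parse one JSON object per line; malformed lines are skipped, not fatal."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_esx_admins_activity(events: list) -> list:
    """Return one alert per group-lifecycle event targeting 'ESX Admins'.

    Logon events (4624) and other group names are ignored, so the last two
    sample lines above produce no alert.
    """
    alerts = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id not in GROUP_EVENTS:
            continue
        group = ev.get("TargetUserName", "")
        if not ESX_ADMINS.match(group):
            continue
        alerts.append({
            "time": ev.get("TimeCreated"),
            "event_id": event_id,
            "description": GROUP_EVENTS[event_id],
            "actor": ev.get("SubjectUserName"),
            "group": f"{ev.get('TargetDomainName', '')}\\{group}",
            "member": ev.get("MemberName"),  # only set on member-added events
        })
    return alerts


if __name__ == "__main__":
    for alert in find_esx_admins_activity(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the script raises three alerts: the group creation, the member addition, and the later change to a group carrying the same name in different case; the unrelated group creation and the logon event are ignored. In a real deployment the same function would run over the Security log export, and any hit on a domain where no ‘ESX Admins’ group is expected warrants the investigation the researchers call for.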


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
