Security researchers warn of hackers taking advantage of CVE-2024-37085, first disclosed by VMware one week ago.
Microsoft’s Threat Intelligence team has warned of several ransomware operators exploiting a newly disclosed bug in VMware’s ESXi hypervisors.
The vulnerability – CVE-2024-37085 – was disclosed by VMware on 25 July and is an authentication bypass issue.
VMware warned at the time that exploitation could lead to a threat actor gaining “full access to an ESXi host”. The vulnerability was initially discovered and reported by Microsoft’s researchers, and VMware has since released updates and workarounds for it.
“VMware has evaluated the severity of this issue to be in the moderate severity range,” VMware said at the time.
However, Microsoft has seen ransomware operators exploiting the vulnerability in the wild, with the potential to lead to “mass encryption” across a victim’s network.
The reason the impact is so severe is that ESXi is a “bare metal” hypervisor installed directly on a physical server, and a single host often runs many critical virtual machines.
“In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function,” the Microsoft Threat Intelligence team said in a 29 July blog post.
“It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.”
Microsoft’s researchers have seen ransomware deployments from several well-known gangs, including Akira and Black Basta. In the observed attacks, the hackers ran a pair of commands to create an Active Directory group called “ESX Admins” in the target domain and then add a single user to it.
Because that user is now a member of the group, the hackers were able to elevate their privileges to full administrative access on the targeted, domain-joined ESXi hypervisor.
“Further analysis of the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named ‘ESX Admins’ to have full administrative access by default,” Microsoft said.
“This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treat any members of a group with this name as having full administrative access, even if the group did not originally exist.”
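The attack pattern described above (an “ESX Admins” group appearing in the domain, followed by a member being added to it) leaves a trail in the domain controller’s Security log. The following is an added example, not code from the article or from Microsoft, that runs a simple hunt over such events. The event records are constructed, simplified stand-ins for Windows Security events 4727 and 4754 (a security-enabled global or universal group was created) and 4728 and 4756 (a member was added to one); the field names, the case-insensitive name comparison, and the ten-minute correlation window are this example’s own assumptions, not a statement about how ESXi matches the group name.

```python
"""Hunt Windows Security events for the 'ESX Admins' group-creation pattern.

Added example; not from the article or from Microsoft's post. The events below are
constructed stand-ins for domain-controller Security log records, reduced to the
fields the hunt needs. Field names are an assumption of this example.
"""
from datetime import datetime, timedelta

# Security-enabled group created (global 4727 / universal 4754) and a member added
# to one (global 4728 / universal 4756). Domain-local groups are left out here.
GROUP_CREATED = {4727, 4754}
MEMBER_ADDED = {4728, 4756}

# Assumption of this detector: compare names case-insensitively and ignore padding,
# so a group named "esx admins" or "ESX Admins " is not missed by the hunt.
TARGET_GROUP = "esx admins"

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 4727, "time": "2024-07-25T10:01:02Z", "subject": "CORP\\jsmith",
     "group": "ESX Admins"},
    {"event_id": 4728, "time": "2024-07-25T10:01:05Z", "subject": "CORP\\jsmith",
     "group": "ESX Admins", "member": "CORP\\svc-backup"},
    {"event_id": 4727, "time": "2024-07-25T11:15:00Z", "subject": "CORP\\it-admin",
     "group": "Finance Reviewers"},
    {"event_id": 4728, "time": "2024-07-25T11:15:30Z", "subject": "CORP\\it-admin",
     "group": "Finance Reviewers", "member": "CORP\\akhan"},
    # Member added to an "ESX Admins" group with different casing, long after creation.
    {"event_id": 4756, "time": "2024-07-25T10:40:00Z", "subject": "CORP\\jsmith",
     "group": "esx admins", "member": "CORP\\tmiller"},
]


def is_target_group(name: str) -> bool:
    """True if the group name matches 'ESX Admins' after normalisation."""
    return name.strip().lower() == TARGET_GROUP


def parse_time(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' as UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_esx_admins_activity(events):
    """Return every creation of, or member addition to, a group named 'ESX Admins'.

    A member addition with no preceding creation event is still returned, which
    covers the case where the group already existed before the attacker used it.
    """
    watched = GROUP_CREATED | MEMBER_ADDED
    return [e for e in events
            if e["event_id"] in watched and is_target_group(e["group"])]


def correlate_create_then_add(events, window=timedelta(minutes=10)):
    """Pair each 'ESX Admins' creation with member additions inside `window`.

    Returns one alert per creation event, listing the members added shortly after
    it, which mirrors the two-command sequence described in the article.
    """
    hits = find_esx_admins_activity(events)
    creations = [e for e in hits if e["event_id"] in GROUP_CREATED]
    additions = [e for e in hits if e["event_id"] in MEMBER_ADDED]
    alerts = []
    for created in creations:
        t0 = parse_time(created["time"])
        members = [a["member"] for a in additions
                   if t0 <= parse_time(a["time"]) <= t0 + window]
        alerts.append({"created_by": created["subject"], "at": created["time"],
                       "members_added": members})
    return alerts


if __name__ == "__main__":
    for hit in find_esx_admins_activity(SAMPLE_EVENTS):
        print("ESX Admins activity:", hit)
    for alert in correlate_create_then_add(SAMPLE_EVENTS):
        print("Create-then-add alert:", alert)
```

In a real deployment the event records would come from the domain controllers’ Security logs (via a SIEM or Windows Event Forwarding) rather than the constructed list above, and any member addition to a group with this name deserves review even without a nearby creation event, since the group may legitimately exist on sites that rely on it.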
At this point, the ransomware operator can encrypt the hypervisor’s file system, and access the hosted virtual machines to exfiltrate data or move further into the network.
According to Microsoft, attacks on ESXi hypervisors “have more than doubled in the last three years”.
Scott Caveza, staff research engineer at Tenable, said such an attack could have a crippling effect on a company or organisation.
“These financially motivated groups are quick to encrypt or lock as many hosts as possible, maximising the impact to a victim organisation in hopes of a handsome ransom payment. To deploy ransomware and exfiltrate data, they rely heavily on phishing, credential theft, as well as exploitation of known and exploitable vulnerabilities left unpatched by unsuspecting organisations,” Caveza said.
“This provides a large attack surface; however, it’s important to note that exploitation is very dependent on the host having been configured to use AD for user management.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.