Several ransomware groups have been exploiting a vulnerability in vSphere ESXi, VMware’s bare-metal hypervisor.
The attack was as simple as creating a Microsoft Active Directory (AD) group called “ESX Admins”, which users with only limited domain-level permissions were allowed to do. Adding users to that group automatically gave them full administrator status on the hypervisor, a straightforward privilege escalation.
A VMware by Broadcom advisory published on 25 June said: “A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD.”
Microsoft Threat Intelligence researchers observed ransomware actors using the flaw in the wild. Microsoft informed Broadcom, VMware’s parent company, about the issue (tracked as CVE-2024-37085, CVSS score: 6.8) earlier this year, and it has been fixed in the latest version of ESXi.
“Successful exploitation leads to full administrative access to the ESXi hypervisors, allowing threat actors to encrypt the file system of the hypervisor, which could affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network,” the Microsoft researchers wrote in a blog post.
Users are advised to upgrade to ESXi 8.0 Update 3, released on 25 June. As a workaround, customers are advised to “change the default esxAdminsGroup from ESX Admins to the domain group that are the administrator.”
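To check whether a host is still relying on the default group name, a defender can read the esxAdminsGroup setting from the ESXi shell and compare it with the default. The script below is an added example, not code from the article or from VMware/Broadcom; it assumes the advanced-option path `/Config/HostAgent/plugins/hostsvc/esxAdminsGroup` (the documented location of the esxAdminsGroup setting, which the article names only by its short name) and the `esxcli system settings advanced list`/`set` output and syntax. The two sample outputs are constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Audit helper for the CVE-2024-37085 workaround: is this ESXi host still
# granting admin rights to the default "ESX Admins" AD group?
# Added example (not VMware/Broadcom code); option path assumed from VMware docs.

OPT='/Config/HostAgent/plugins/hostsvc/esxAdminsGroup'
DEFAULT_GROUP='ESX Admins'

# Pull the "String Value:" line (the active setting, not the "Default String
# Value:" line) out of `esxcli system settings advanced list -o $OPT` output.
# $1 = the command output as one string. Prints the group name.
esx_admins_group() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*String Value:[[:space:]]*//p' | head -n 1
}

# Return 0 when the host uses a non-default group (workaround applied),
# 1 when the group is still "ESX Admins" or could not be read.
check_esx_admins_group() {
    group=$(esx_admins_group "$1")
    if [ -z "$group" ] || [ "$group" = "$DEFAULT_GROUP" ]; then
        return 1
    fi
    return 0
}

# Build (but do not run) the esxcli command that points the setting at a
# dedicated group, so an operator can review it before applying it.
# $1 = the replacement AD group name.
remediation_command() {
    printf 'esxcli system settings advanced set -o %s -s "%s"\n' "$OPT" "$1"
}

# Constructed sample outputs in the shape esxcli prints for a string option.
SAMPLE_DEFAULT='   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   Type: string
   String Value: ESX Admins
   Default String Value: ESX Admins
   Description: Name of the Active Directory group that is automatically granted administrator privileges.'

SAMPLE_HARDENED='   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   Type: string
   String Value: vSphere-Host-Admins-Dedicated
   Default String Value: ESX Admins
   Description: Name of the Active Directory group that is automatically granted administrator privileges.'

# Live audit when run on an ESXi host; otherwise demonstrate on the samples.
if command -v esxcli >/dev/null 2>&1; then
    OUTPUT=$(esxcli system settings advanced list -o "$OPT")
else
    OUTPUT="$SAMPLE_DEFAULT"
fi

if check_esx_admins_group "$OUTPUT"; then
    echo "OK: esxAdminsGroup is '$(esx_admins_group "$OUTPUT")' (non-default)"
else
    echo "WARNING: esxAdminsGroup is still the default '$DEFAULT_GROUP'"
    echo "Suggested fix (replace the group name with your own dedicated AD group):"
    remediation_command 'YOUR-DEDICATED-ADMIN-GROUP'
fi
```

Changing the group name only closes the re-creation path for that one name; pair it with the upgrade to 8.0 Update 3 and with AD-side monitoring for creation of, or membership changes to, whatever group the setting names.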
The “ESX Admins” group is mentioned as a feature in official VMware documentation back to 2012 and up to vSphere ESXi version 7, so presumably this vulnerability has existed for many years.
According to Microsoft researchers, CVE-2024-37085 has been recently exploited by ransomware groups including Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest “in numerous attacks”, to deliver Black Basta and Akira ransomware.
“Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organisations they target,” they wrote.