30 July 2024

Cybercriminals exploit recently patched VMware ESXi flaw to deploy ransomware

A recently patched vulnerability in VMware ESXi hypervisors is being actively exploited by threat actors to gain access to target networks and deploy ransomware, a new report from Microsoft reveals.

The flaw (CVE-2024-37085) allows attackers to obtain full administrative permissions on domain-joined ESXi hypervisors.

ESXi is a bare-metal hypervisor installed directly onto a physical server, providing direct access and control over the underlying resources. Its widespread use in corporate environments makes it a prime target for cybercriminals. The hypervisors host virtual machines (VMs) that often include critical servers within a network.

In a ransomware attack, full administrative access to an ESXi hypervisor lets attackers encrypt the hypervisor's file system, taking every hosted server offline at once. They can also access the VMs' contents, exfiltrate data, or use the hypervisor as a foothold to move laterally across the network.

Microsoft’s security researchers discovered the flaw while investigating a new post-compromise technique used by ransomware operators such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. This technique has led to several ransomware deployments, including Akira and Black Basta.

Attackers use ordinary domain administration commands to create a group named "ESX Admins" in the domain and add a user to it. An ESXi hypervisor that has been joined to an Active Directory domain treats any member of a group named "ESX Admins" as a full administrator by default. The group is not built in and does not exist by default, and ESXi does not validate its existence or identity: the check is on the group name alone, so any member of any group named "ESX Admins" gains full administrative access, irrespective of its origin or security identifier (SID), Microsoft explained.

The researchers identified three primary methods for exploiting the vulnerability: creating an "ESX Admins" group and adding a user to it; renaming an existing group to "ESX Admins" (its existing members, or a newly added one, then inherit the privileges); and abusing the ESXi privilege refresh, whereby members of "ESX Admins" keep full administrative rights for a time even after the administrator assigns a different domain group to manage the hypervisor.
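Because the abuse path runs through Active Directory rather than through ESXi itself, the cheapest detection point is the domain controller's Security log. The script below, added here as an illustration and not taken from the Microsoft report, flags the first two methods described above (group creation and group rename to "ESX Admins") plus the membership additions that usually follow. It assumes the well-known Windows Security event IDs for security-enabled group lifecycle (4727/4731/4754 created, 4737/4735/4755 changed, 4728/4732/4756 member added); the event records are constructed sample data in a simplified dict form, with field names borrowed from the event XML (TargetUserName, SamAccountName, MemberName, SubjectUserName), which is an assumption about how a real log export is shaped.

```python
"""Flag 'ESX Admins' group creation, rename and membership-add events.

Added example for this article; not code from Microsoft or VMware/Broadcom.
The event dicts below are constructed sample data, not real log output.
"""
from dataclasses import dataclass

# Windows Security event IDs, domain-controller side (global / local / universal).
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled group created
GROUP_CHANGED = {4737, 4735, 4755}   # security-enabled group changed (a rename lands here)
MEMBER_ADDED = {4728, 4732, 4756}    # member added to a security-enabled group

# ESXi matches on the group name only, not the SID, so the match is name-based too.
TARGET_GROUP = "esx admins"


@dataclass
class Finding:
    event_id: int
    technique: str   # "group-created" | "group-renamed" | "member-added"
    actor: str       # SubjectUserName: who performed the change
    detail: str      # group name or added member


def _norm(name: str) -> str:
    """'CONTOSO\\ESX Admins' -> 'esx admins' (strip domain prefix, case-fold)."""
    return name.rsplit("\\", 1)[-1].strip().lower()


def detect_esx_admins(events):
    """Return a Finding for every event that creates, renames into, or adds to 'ESX Admins'."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        actor = ev.get("SubjectUserName", "?")
        group = _norm(ev.get("TargetUserName", ""))
        # SamAccountName carries the new name on a rename ("-" when unchanged); assumed field.
        new_name = _norm(ev.get("SamAccountName", "-"))

        if eid in GROUP_CREATED and group == TARGET_GROUP:
            findings.append(Finding(eid, "group-created", actor, ev["TargetUserName"]))
        elif eid in GROUP_CHANGED and TARGET_GROUP in (group, new_name):
            findings.append(Finding(eid, "group-renamed", actor,
                                    f'{ev.get("TargetUserName", "?")} -> {ev.get("SamAccountName", "?")}'))
        elif eid in MEMBER_ADDED and group == TARGET_GROUP:
            findings.append(Finding(eid, "member-added", actor, ev.get("MemberName", "?")))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4737, "SubjectUserName": "helpdesk01", "TargetUserName": "Helpdesk",
     "SamAccountName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "da_admin", "TargetUserName": "Domain Admins",
     "MemberName": "CN=ops,CN=Users,DC=corp,DC=example"},
    {"EventID": 4727, "SubjectUserName": "da_admin", "TargetUserName": "Finance"},
]

if __name__ == "__main__":
    for f in detect_esx_admins(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.technique:14} by {f.actor}: {f.detail}")
```

Run against a real export, the three findings above are the ones to page on: a group named "ESX Admins" should never appear unless the virtualization team created it deliberately, and a rename into that name is almost never legitimate. The privilege-refresh method has no AD event of its own, so it has to be caught on the ESXi side, by auditing which domain group the hypervisor is configured to trust and who is currently in it.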

In one instance, an engineering firm in North America was targeted by the Storm-0506 threat actor, who deployed Black Basta ransomware. The attackers exploited the CVE-2024-37085 vulnerability to gain elevated privileges on the firm's ESXi hypervisors. They initially accessed the organization via a Qakbot infection and leveraged the CVE-2023-28252 Windows CLFS vulnerability to escalate privileges on compromised devices.

Using Cobalt Strike and Pypykatz, the attackers stole credentials from two domain administrators and moved laterally to four domain controllers. On these domain controllers, they established persistence with custom tools and a SystemBC implant.

Additionally, they attempted to brute-force Remote Desktop Protocol (RDP) connections for further lateral movement, installing Cobalt Strike and SystemBC on additional devices. To evade detection, the attackers tampered with Microsoft Defender Antivirus using various tools.
