Ransomware

BlackByte ransomware group targets VMware ESXi bug


The BlackByte ransomware group was observed exploiting a recent authentication bypass vulnerability in VMware ESXi, a technique that departs from the group’s established tradecraft.

Researchers at the Cisco Talos Incident Response team said in an Aug. 28 blog post that BlackByte — believed to be an offshoot of the Conti ransomware gang — has typically relied on vulnerable drivers to bypass security controls, deployed self-propagating ransomware with worm-like features, and used “known-good” system binaries and other legitimate commercial tools.

What’s different here, explained Austin Berglas, global head of professional services at BlueVoyant, was that the exploited bug — CVE-2024-37085 — marked a shift from attacking long-known vulnerabilities to targeting a new one, a vulnerability that was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog as recently as July 30.

“The exploitation of CVE-2024-37085 may be a shift from normal attack strategies which have included phishing and distribution of malware, brute force attacks, and credential stuffing,” said Berglas. “Although exploitation of known vulnerabilities has always been part of these groups' common toolkit, the exploitation of the authentication bypass vulnerability in VMware requires greater persistence than previously seen.”

Berglas said typically organizations will gain “initial access” and sell this access to their affiliates for further exploitation. This attack goes deeper and looks to gain footholds, move laterally, and escalate privileges, eventually obtaining administrative access.

“This is more akin to APT-type attacks,” said Berglas. “By pivoting from established methods to exploiting the new CVE-2024-37085 vulnerability in VMware ESXi, the e-crime group is adapting its tactics to take advantage of a newly discovered weakness, potentially making their attacks more effective and harder to predict or defend against.”

Callie Guenther, senior manager of cyber threat research at Critical Start, added that BlackByte and similar groups have frequently relied on exploiting known vulnerabilities in widely used software, or on leveraging phishing campaigns and brute-force attacks, to gain access.

Guenther, an SC Media columnist, said the groups previously used web shells, Cobalt Strike, and credential-stealing tools like Mimikatz to move laterally across networks and escalate privileges within compromised environments.

“This shift shows that they are willing to adopt cutting-edge methods to improve the effectiveness of their attacks,” said Guenther. “VMware ESXi hypervisors are critical in many enterprise environments, often hosting multiple virtual machines that run vital business applications. Targeting such infrastructure allows the attackers to cause significant disruption, increasing the pressure on victims to pay the ransom.”
