
VMware ESXi servers targeted by Akira, BlackBasta ransomware groups


A vulnerability in VMware ESXi hypervisors was found being exploited by several ransomware operators, including Akira and Black Basta, with an aim to obtain full administrative permissions via Active Directory (AD), according to Microsoft Threat Intelligence.

In a July 29 blog post, Microsoft researchers said during a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also lets the threat actor access hosted VMs and potentially exfiltrate data or move laterally within the network.

The vulnerability — CVE-2024-37085 — gives a domain group full administrative access to the ESXi hypervisor by default without proper validation. Microsoft reported the flaw to VMware, which has issued a patch.

Broadcom, which now owns VMware, pointed out in its advisory that “a malicious actor with sufficient AD permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was previously deleted from AD.”

Despite the laudable actions by VMware and Microsoft, this was the third time in as many weeks that security teams were dealing with VMware ESXi issues. Last week, a string of attacks on VMware ESXi servers was launched by the Play ransomware group, best known for its double-extortion tactics. And the week before last, it was reported that numerous organizations had their VMware ESXi servers persistently targeted by the SEXi ransomware operation, under the APT INC banner, for at least the past month.

“This is just the latest in a string of VMware vulnerabilities,” said Ashley Leonard, founder and CEO, Syxsense. “Microsoft notes that engagements impacting ESXi hypervisors have more than doubled in the last three years, and this specific vulnerability has led to the deployment of Black Basta and Akira ransomware in the wild, so I'd encourage enterprises hosting critical applications using ESXi VMs to take caution and patch immediately.”

Leonard said that while this sounds easy enough, in practice security teams are overwhelmed by the increasing number of CVEs and patches needed to keep their organizations secure. While this flaw was designated as medium-severity, Leonard said that shouldn't lull teams into a false sense of security.

“A medium-security flaw becomes critical when it is targeting you, so a sound patch management strategy is a must,” said Leonard.

Jason Soroko, senior vice president of product at Sectigo, added that CVE-2024-37085 is a critical threat to AD and VMware ESXi. An attacker with AD permissions can re-create the "ESXi Admins" group, gaining full control of ESXi hosts, explained Soroko.

“This can lead to unauthorized access, data breaches, and service disruptions,” said Soroko. “Immediate patching, strict AD group management, and enhanced monitoring are essential to prevent exploitation and protect enterprise systems.”
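The abuse path described by Broadcom and Soroko above, and the "enhanced monitoring" Soroko recommends, come down to one thing a defender can watch for: the creation, renaming, or membership change of the AD group that ESXi trusts by default. The following Python is an added example, not code from the article, Microsoft, or VMware. It runs detection logic over a constructed set of Windows Security audit events (group creation 4727, member added 4728, account renamed 4781, with field names as they appear in the Security log's EventData). It assumes the default group name from the article; a host whose ESXi advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup (not mentioned on the page) has been changed would pass its own name instead.

```python
"""Flag Windows Security audit events that would indicate the ESXi admin
group being (re)created, renamed into place, or populated in AD."""
from dataclasses import dataclass
from typing import Iterable, List

# Windows Security log event IDs for security-enabled global group auditing.
GROUP_CREATED = 4727     # A security-enabled global group was created
MEMBER_ADDED = 4728      # A member was added to a security-enabled global group
ACCOUNT_RENAMED = 4781   # The name of an account (here: a group) was changed

# Group name ESXi trusts by default according to the advisory quoted above.
# Assumption: change this if the host's esxAdminsGroup setting was customised.
DEFAULT_ADMIN_GROUP = "ESXi Admins"


@dataclass
class Finding:
    event_id: int
    actor: str      # SubjectUserName: who performed the change
    group: str      # group name as it appeared in the event
    reason: str


def _norm(name: str) -> str:
    """Collapse whitespace and case-fold: AD/ESXi group matching is case-insensitive,
    so a renamed 'esxi  admins' must match the same as 'ESXi Admins'."""
    return " ".join(name.split()).casefold()


def find_suspicious(events: Iterable[dict],
                    admin_group: str = DEFAULT_ADMIN_GROUP) -> List[Finding]:
    """Return one Finding per event that touches the trusted ESXi admin group."""
    target = _norm(admin_group)
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "?")
        if eid == GROUP_CREATED and _norm(ev.get("TargetUserName", "")) == target:
            findings.append(Finding(eid, actor, ev["TargetUserName"],
                                    "trusted ESXi admin group (re)created"))
        elif eid == ACCOUNT_RENAMED and _norm(ev.get("NewTargetUserName", "")) == target:
            findings.append(Finding(eid, actor, ev["NewTargetUserName"],
                                    "existing group renamed to the trusted ESXi admin group name"))
        elif eid == MEMBER_ADDED and _norm(ev.get("TargetUserName", "")) == target:
            findings.append(Finding(eid, actor, ev["TargetUserName"],
                                    f"member added to trusted ESXi admin group: {ev.get('MemberName', '?')}"))
    return findings


# Constructed sample events (not real log data). Only three should be flagged.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESXi Admins",
     "TargetDomainName": "CORP"},
    {"EventID": 4727, "SubjectUserName": "hr-admin", "TargetUserName": "Marketing",
     "TargetDomainName": "CORP"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "esxi admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Temp Group",
     "NewTargetUserName": "ESXi  Admins"},
    {"EventID": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "Domain Users",
     "MemberName": "CN=newhire,OU=Staff,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"[{f.event_id}] actor={f.actor} group={f.group!r}: {f.reason}")
```

Feeding this from a SIEM export is the same call with the EventData fields mapped onto the dictionary keys used here; the whitespace-and-case normalisation is the part worth keeping, because a group created with a slightly different spelling would still be matched by the hypervisor.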

Damir J. Bescic, chief information security officer at Inversion6, offered these five tips for security teams looking to mitigate these VMware issues:

  • Implement network segmentation: It can limit the spread of ransomware and any other malicious payloads, reducing the overall impact of an attack, thus reducing the blast radius.
  • Use strong authentication mechanisms: Multifactor authentication at this point is a must, and can help prevent unauthorized access to the ESXi servers.
  • Deploy regular backups: Helps organizations in their recovery process from a ransomware attack, reducing the overall impact of the attack and minimizing the overall downtime.
  • Monitor network traffic: Regularly monitor network traffic for suspicious activity/indicators of compromise.
  • Develop a recovery strategy: Overall, having a strong mitigation strategy as well as a recovery strategy will help when it comes to any type of ransomware resiliency planning.
