Microsoft researchers identified a vulnerability in VMware ESXi hypervisors that ransomware operators have been exploiting to gain full administrative control of domain-joined hosts. ESXi is a bare-metal hypervisor that runs directly on server hardware and hosts virtual machines, often the most important servers on a network. Full administrative access to an ESXi host lets a ransomware operator encrypt the hypervisor's file system, taking every hosted VM down at once, and gives them access to those VMs for data exfiltration or lateral movement within the network.
The vulnerability, tracked as CVE-2024-37085, stems from a domain group whose members are granted full administrative access to the ESXi hypervisor by default, without proper validation. VMware rates it medium severity (CVSS 6.8); the impact described above explains why ransomware operators value it regardless. Microsoft disclosed the finding to VMware through Coordinated Vulnerability Disclosure via Microsoft Security Vulnerability Research, and VMware released a security update. Microsoft recommends that ESXi administrators apply the update and follow the mitigation and protection guidance below.
Vulnerability Analysis and Exploitation Techniques
Microsoft security researchers observed ransomware operators including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest exploiting this vulnerability. In many cases these attacks led to deployment of Akira and Black Basta ransomware. The exploitation technique is trivial: from any domain-joined Windows machine, with an account permitted to create groups, two commands create a domain group named "ESX Admins" and add a user to it:
net group "ESX Admins" /domain /add
net group "ESX Admins" username /domain /add
Against a domain-joined ESXi hypervisor this is enough to elevate to full administrative access. The vulnerability arises because ESXi grants that access by default to any member of a domain group named "ESX Admins", even though no such group exists in Active Directory by default: it is not a built-in group, and ESXi checks membership by group name rather than by security identifier (SID). Whoever creates, or renames, a group to that name therefore decides who is an ESXi administrator.
Researchers identified three exploitation methods:
- Creating the "ESX Admins" group: The method observed in the wild. The attacker creates the "ESX Admins" group and adds a user to it. Any domain user with the right to create groups can escalate this way, by creating the group and adding themselves or others to it.
- Renaming a group: The attacker renames any existing group in the domain to "ESX Admins" and then adds a user, or simply uses a member the group already has, to escalate privileges. Microsoft has not observed this method in the wild.
- Privileges refresh: Even if an administrator reassigns ESXi management to a different domain group, the full administrative privileges already held by the "ESX Admins" group are not revoked immediately, so threat actors can still abuse it. Microsoft has not observed this method in the wild either.
Ransomware Operators Targeting ESXi Hypervisors
Over the past year, ransomware actors have increasingly targeted ESXi hypervisors. They are widespread in corporate networks and attractive targets because many security products offer limited visibility into, and protection for, the hypervisor itself. Encrypting the hypervisor's file system is one-click mass encryption: every hosted VM goes down at once, sparing the operator the time and complexity of lateral movement and credential theft on each server individually.
Microsoft has observed various ransomware operators, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, supporting or selling ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper. The number of Microsoft Incident Response engagements involving ESXi hypervisor attacks has more than doubled in the last three years.
Black Basta Ransomware Deployment by Storm-0506
This vulnerability has been exploited in the wild to serious effect. Earlier this year, an engineering firm in North America was hit by a Black Basta ransomware deployment by Storm-0506, who exploited CVE-2024-37085 to gain elevated privileges on the firm's ESXi hypervisors. The threat actor gained initial access through a Qakbot infection, then exploited a Windows Common Log File System (CLFS) vulnerability, CVE-2023-28252, to elevate privileges on affected devices. They used Cobalt Strike and Pypykatz (a Python implementation of Mimikatz) to steal domain administrator credentials and move laterally to domain controllers.
On the compromised domain controllers, the attacker installed persistence mechanisms using custom tools and a SystemBC implant. They attempted to brute force RDP connections and installed Cobalt Strike and SystemBC on multiple devices. The attacker then created the “ESX Admins” group, added a new user, and used this access to encrypt the ESXi file system, affecting the hosted VMs. Microsoft Defender Antivirus and automatic attack disruption in Microsoft Defender for Endpoint stopped encryption attempts on devices with the unified agent installed.
Mitigation and Protection Guidance
Microsoft advises organizations running domain-joined ESXi hypervisors to apply the security update released by VMware for CVE-2024-37085. Additional recommendations:
- Install software updates: Ensure the latest VMware security updates are installed on every domain-joined ESXi hypervisor. If updates cannot be installed immediately, make sure a group named "ESX Admins" already exists in the domain and is hardened (a pre-existing, tightly controlled group denies an attacker the chance to create their own), deny that group access in the ESXi hypervisor settings, and change the admin group to a different one. The advanced settings Config.HostAgent.plugins.hostsvc.esxAdminsGroup and Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd control the group name and whether its members are granted the Administrator role automatically. Add custom detections in your XDR/SIEM for the new group name as well.
- Credential Hygiene: Protect highly privileged accounts by enforcing multifactor authentication (MFA), enabling passwordless authentication methods, and isolating privileged accounts from productivity accounts.
- Improve Critical Assets Posture: Identify and protect critical assets such as ESXi hypervisors and vCenters with the latest security updates, proper monitoring procedures, and backup and recovery plans.
- Identify vulnerable assets: Deploy authenticated scans of network devices using SNMP through the Microsoft Defender portal to identify vulnerabilities in devices such as ESXi hosts.
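The recommendation above to change the admin group boils down to two ESXi advanced settings. The following audit script is an added example for this page, not VMware's, Microsoft's or Netizen's code. The option names are real ESXi settings; the host name, credentials and the pyVmomi connection are assumptions supplied at run time, and the sample dicts are constructed to show the weak factory default next to a corrected host. The assess() function is pure and needs no network; the live path (fetch_options, harden, the method 3 permission check) requires the pyVmomi package and access to a host or vCenter.

```python
"""Audit, and optionally correct, the ESXi settings behind CVE-2024-37085.

Added example for this page, not VMware's, Microsoft's or Netizen's code.
The two advanced options are real ESXi settings; host names, credentials
and the pyVmomi session are assumptions supplied at run time.
"""
import argparse
import getpass

GROUP_KEY = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
AUTOADD_KEY = "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"
DEFAULT_GROUP = "ESX Admins"   # factory default group name
DEFAULT_AUTOADD = True         # factory default on unpatched builds


def assess(options):
    """options: {option key: value}. Returns (hardened, list of reasons)."""
    auto_add = str(options.get(AUTOADD_KEY, DEFAULT_AUTOADD)).lower() in ("true", "1")
    group = str(options.get(GROUP_KEY, DEFAULT_GROUP))
    reasons = []
    if auto_add:
        reasons.append(f"{AUTOADD_KEY} is enabled: whichever domain group is "
                       f"named '{group}' receives the Administrator role, "
                       f"matched by name rather than SID")
        if group.strip().lower() == DEFAULT_GROUP.lower():
            reasons.append(f"{GROUP_KEY} is still the well-known default, so an "
                           f"attacker need not read the host configuration first")
    return (not reasons, reasons)


# Constructed examples: the weak factory default and a corrected host.
# Once auto-add is off, the group name by itself grants nothing.
WEAK_DEFAULT = {GROUP_KEY: "ESX Admins", AUTOADD_KEY: True}
HARDENED = {GROUP_KEY: "ESX Admins", AUTOADD_KEY: False}


def fetch_options(host_system):
    """Read both options from a pyVmomi vim.HostSystem."""
    mgr = host_system.configManager.advancedOption
    return {ov.key: ov.value for key in (GROUP_KEY, AUTOADD_KEY)
            for ov in mgr.QueryOptions(key)}


def harden(host_system):
    """Disable automatic Administrator grants; admin rights must then be
    assigned explicitly, by SID-backed permission, to the group you choose."""
    from pyVmomi import vim
    host_system.configManager.advancedOption.UpdateOptions(changedValue=[
        vim.option.OptionValue(key=AUTOADD_KEY, value=False),
    ])


def lingering_esx_admins_permissions(si):
    """Method 3 check: permission entries still held by an 'ESX Admins' principal."""
    perms = si.content.authorizationManager.RetrieveAllPermissions()
    return [p for p in perms if p.group
            and p.principal.split("\\")[-1].strip().lower() == DEFAULT_GROUP.lower()]


def main():
    ap = argparse.ArgumentParser(description="CVE-2024-37085 ESXi settings audit")
    ap.add_argument("--host", required=True, help="ESXi host or vCenter")
    ap.add_argument("--user", required=True)
    ap.add_argument("--fix", action="store_true", help="apply harden() to weak hosts")
    args = ap.parse_args()
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim
    si = SmartConnect(host=args.host, user=args.user, pwd=getpass.getpass())
    try:
        view = si.content.viewManager.CreateContainerView(
            si.content.rootFolder, [vim.HostSystem], True)
        for hs in view.view:
            ok, reasons = assess(fetch_options(hs))
            print(f"{hs.name}: {'hardened' if ok else 'WEAK'}")
            for r in reasons:
                print("  -", r)
            if not ok and args.fix:
                harden(hs)
                print("  -> auto-add disabled; grant Administrator to your chosen group explicitly")
        view.Destroy()
        for p in lingering_esx_admins_permissions(si):
            print(f"lingering permission: {p.principal} role={p.roleId} on {p.entity}")
    finally:
        Disconnect(si)


if __name__ == "__main__":
    main()
```

Run it against vCenter to audit every host at once, and test --fix on a single host first. Disabling auto-add is the durable fix because it removes the name-based grant entirely; renaming the group only moves the target. The lingering-permission check is what covers the third method from the analysis above: a permission entry granted to "ESX Admins" stays in force until you remove it, whatever the settings now say.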
Detection and Threat Intelligence
Microsoft Defender for Endpoint and Microsoft Defender for Identity raise alerts that can indicate this activity, such as suspicious modifications to the "ESX Admins" group, suspicious Windows account manipulation, and compromised accounts conducting hands-on-keyboard attacks. Microsoft customers can use reports in Microsoft Defender Threat Intelligence for up-to-date information on the threat actors and their techniques, and hunting queries for Microsoft Defender XDR and Microsoft Sentinel are available to surface related activity.
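The hunting logic behind those alerts can be reproduced from domain controller audit logs. The script below is an added example for this page, not Microsoft's, VMware's or Netizen's code. It classifies the first two exploitation methods from the analysis above (group created with the magic name, group renamed to it) and flags membership changes on any "ESX Admins" whose SID is not the one you sanctioned, which is exactly the name-versus-SID weakness the vulnerability rests on. The event IDs and field names are the standard Windows Security audit ones (4727, 4728, 4781); the events and the sanctioned SID are constructed. The third method leaves no trace in AD logs; it is found on the ESXi side by checking existing permission entries.

```python
"""Hunt Windows Security audit events for the CVE-2024-37085 abuse patterns.

Added example for this page, not Microsoft's, VMware's or Netizen's code.
The events below are constructed. The event IDs and field names are the
standard Active Directory audit ones: 4727 (security-enabled global group
created), 4728 (member added to a security-enabled global group) and 4781
(account or group renamed).
"""

# Assumption (hypothetical value): the objectSid of the one group a domain
# admin deliberately uses for ESXi administration. ESXi matches the group
# by NAME, not by SID, so any "ESX Admins" with a different SID is an
# impostor created or renamed by someone else.
SANCTIONED_ESX_ADMINS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

TARGET_NAME = "esx admins"


def is_esx_admins(name):
    """AD group names are case-insensitive, so compare case-folded."""
    return name is not None and name.strip().lower() == TARGET_NAME


def classify(event):
    """Map one event to the exploitation method it matches, or None."""
    eid = event.get("EventID")
    d = event.get("EventData", {})
    if eid == 4727 and is_esx_admins(d.get("TargetUserName")):
        return "method1_group_created"
    if eid == 4781 and is_esx_admins(d.get("NewTargetUserName")):
        return "method2_group_renamed"
    if eid == 4728 and is_esx_admins(d.get("TargetUserName")):
        if d.get("TargetSid") != SANCTIONED_ESX_ADMINS_SID:
            return "member_added_to_impostor_group"
        return "member_added_to_sanctioned_group"  # still worth a review
    return None


def hunt(events):
    """Return one finding per matching event, in input order."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            continue
        d = ev["EventData"]
        findings.append({
            "time": ev.get("TimeCreated"),
            "verdict": verdict,
            "actor": f"{d.get('SubjectDomainName', '?')}\\{d.get('SubjectUserName', '?')}",
            "group_sid": d.get("TargetSid"),
            "member": d.get("MemberName"),
            "old_name": d.get("OldTargetUserName"),
        })
    return findings


# Constructed sample telemetry (not real logs) covering the cases above.
_S = "S-1-5-21-1111111111-2222222222-3333333333-"
SAMPLE_EVENTS = [
    {"EventID": 4727, "TimeCreated": "2024-05-02T03:14:07Z", "EventData": {
        "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
        "TargetUserName": "ESX Admins", "TargetDomainName": "CORP",
        "TargetSid": _S + "1201"}},
    {"EventID": 4728, "TimeCreated": "2024-05-02T03:14:09Z", "EventData": {
        "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
        "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=local",
        "MemberSid": _S + "1187", "TargetUserName": "ESX Admins",
        "TargetDomainName": "CORP", "TargetSid": _S + "1201"}},
    {"EventID": 4781, "TimeCreated": "2024-05-03T11:02:41Z", "EventData": {
        "SubjectDomainName": "CORP", "SubjectUserName": "j.doe",
        "OldTargetUserName": "Marketing Team", "NewTargetUserName": "esx admins",
        "TargetDomainName": "CORP", "TargetSid": _S + "1050"}},
    {"EventID": 4728, "TimeCreated": "2024-05-03T12:00:00Z", "EventData": {
        "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk1",
        "MemberName": "CN=new.hire,CN=Users,DC=corp,DC=local",
        "MemberSid": _S + "1300", "TargetUserName": "Sales",
        "TargetDomainName": "CORP", "TargetSid": _S + "1020"}},
    {"EventID": 4728, "TimeCreated": "2024-05-04T09:30:15Z", "EventData": {
        "SubjectDomainName": "CORP", "SubjectUserName": "vsphere.admin",
        "MemberName": "CN=ops.lead,CN=Users,DC=corp,DC=local",
        "MemberSid": _S + "1108", "TargetUserName": "ESX Admins",
        "TargetDomainName": "CORP", "TargetSid": SANCTIONED_ESX_ADMINS_SID}},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']} {f['verdict']:34} actor={f['actor']} "
              f"group_sid={f['group_sid']}")
```

Feed it events exported from the Security log of every domain controller (4727, 4728 and 4781 must be enabled under the Security Group Management and User Account Management audit subcategories). Two refinements are worth adding in production: treat 4731/4732 (local group created/member added) and 4754/4756 (universal group) the same way, and alert on any 4727 or 4781 naming the custom admin group you switched to, since an attacker who reads the host's advanced settings learns the new name too.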
How Can Netizen Help?
Netizen ensures that security is built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular "CISO-as-a-Service", through which companies can draw on the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time: https://www.netizen.net/contact