
Ransomware Gangs Exploit VMware ESXi Vulnerability

According to a recent report by Microsoft Threat Intelligence, researchers discovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors.

In practice, these hypervisors are installed directly on server hardware and divide the server's resources among the virtual machines that run on top of them.


ESXi hypervisors have proved to be a valuable target for ransomware operators, as having full administrative permission on an ESXi hypervisor means that the threat actor can encrypt the file system.

Encrypting the hypervisor's file system stops the hosted virtual machines from running, denying access to the services they provide. Further, the ransomware operator could create their own virtual machines on the hypervisor to assist in data exfiltration.

The vulnerability in question is CVE-2024-37085, and it has been patched. Administrators are advised to ensure VMware packages are updated. The flaw lies in how a domain-joined ESXi hypervisor handles a domain group named "ESX Admins": members of that group are granted full administrative access by default, without proper validation, so an attacker able to create (or rename) such a group in the domain gains that access.

Researchers discovered three ways ransomware operators had exploited the vulnerability. These methods are described as follows:

  1. Adding the "ESX Admins" group to the domain and adding a user to it – This method is actively exploited by the abovementioned threat actors in the wild. In this method, if the "ESX Admins" group doesn't exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group and then adding themselves or other users in their control to it.
  2. Renaming any group in the domain to "ESX Admins" and adding a user to the group or using an existing group member – This method is similar to the first, but in this case, the threat actor needs a user that can rename some arbitrary groups and rename one of them to "ESX Admins." The threat actor can then add a user or use a user that already exists in the group to escalate privileges to full administrative access. Microsoft did not observe this method in the wild.
  3. ESXi hypervisor privileges refresh – Even if the network administrator assigns a different domain group to be the management group for the ESXi hypervisor, the full administrative privileges of members of the "ESX Admins" group are not immediately removed, and threat actors could still abuse them. Microsoft did not observe this method in the wild.
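Methods 1 and 2 both leave a trace in the domain controllers' Security log: a group named "ESX Admins" is created or an existing group is renamed to it, and a member is then added. The following script is an added example (not code from the article or from Microsoft's report) that triages such events from a defender's side. It reads dict-shaped records mirroring the Windows Security log fields; the sample events are constructed, the event IDs are the standard Active Directory group-management audit IDs, and the assumption that a rename shows up with the new name in the `SamAccountName` field is labelled in the code.

```python
"""Triage Windows Security audit events for abuse of the "ESX Admins" group.

Added example, not from the article or Microsoft's report. Input is a list of
dict-shaped events mirroring Security log fields; SAMPLE_EVENTS is constructed.
Event IDs are the standard Active Directory group-management audit IDs
(global / local / universal group variants):
  4727 / 4731 / 4754  security-enabled group created
  4728 / 4732 / 4756  member added to a security-enabled group
  4737 / 4735 / 4755  security-enabled group changed (covers renames)
"""
from dataclasses import dataclass

# Assumption: compare the name case-insensitively and with collapsed
# whitespace so look-alike spellings are not missed by the detector.
ESX_ADMINS = "esx admins"
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
GROUP_CHANGED = {4737, 4735, 4755}


@dataclass(frozen=True)
class Finding:
    technique: str   # "group-created", "group-renamed" or "member-added"
    event_id: int
    subject: str     # account that performed the change
    detail: str      # group name, rename pair, or member DN


def _is_esx_admins(name):
    return isinstance(name, str) and " ".join(name.lower().split()) == ESX_ADMINS


def triage(events):
    """Return one Finding per event that makes or populates an "ESX Admins" group."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        subject = ev.get("SubjectUserName", "?")
        group = ev.get("TargetUserName", "")   # the group these events act on
        if eid in GROUP_CREATED and _is_esx_admins(group):
            findings.append(Finding("group-created", eid, subject, group))
        elif eid in GROUP_CHANGED:
            # Assumption: on a rename, SamAccountName carries the new SAM name and
            # TargetUserName the name before the change; "-" means unchanged.
            new_name = ev.get("SamAccountName", "-")
            if _is_esx_admins(new_name) and not _is_esx_admins(group):
                findings.append(Finding("group-renamed", eid, subject,
                                        f"{group} -> {new_name}"))
        elif eid in MEMBER_ADDED and _is_esx_admins(group):
            findings.append(Finding("member-added", eid, subject,
                                    ev.get("MemberName", "?")))
    return findings


def escalation_chains(findings):
    """Pair a create/rename of "ESX Admins" with a later member-add by the same
    subject: the sequence the article describes for methods 1 and 2."""
    chains = []
    staged = {}   # subject -> technique by which that subject made the group exist
    for f in findings:
        if f.technique in ("group-created", "group-renamed"):
            staged[f.subject] = f.technique
        elif f.technique == "member-added" and f.subject in staged:
            chains.append((f.subject, staged[f.subject], f.detail))
    return chains


# Constructed sample log: one full method-1 chain, one lone rename (method 2
# staging without a member-add), and two benign group changes.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4737, "SubjectUserName": "helpdesk1", "TargetUserName": "Printer Ops",
     "SamAccountName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "admin-t1", "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4737, "SubjectUserName": "admin-t1", "TargetUserName": "Finance",
     "SamAccountName": "-"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.technique}] event {f.event_id} by {f.subject}: {f.detail}")
    for subject, how, member in escalation_chains(found):
        print(f"CHAIN: {subject} made the group exist ({how}) then added {member}")
```

The per-event findings are what you would alert on individually; `escalation_chains` adds the correlation that turns two low-severity group-management events into the pattern the article describes. Method 3 (stale privileges after the management group is changed) leaves no such domain-side trace, which is why patching and then checking the hypervisor's own configuration remain necessary.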

Black Basta Deployment

One of the ransomware gangs seen exploiting the abovementioned vulnerability is Black Basta. Security researchers found that a North American engineering firm suffered a Black Basta infection, set in motion by one of the gang's affiliates, tracked by Microsoft as Storm-0506.

The threat actor used Qakbot to gain initial access, then used Cobalt Strike and Pypykatz, a Python implementation of Mimikatz, to steal the credentials of two domain administrators and move laterally to four domain controllers.

To exploit the ESXi vulnerability, the threat actor created the "ESX Admins" group in the domain and added a new user account to it. Microsoft observed that this attack resulted in the encryption of the ESXi file system and the loss of functionality of the virtual machines hosted on the ESXi hypervisor.

The actor was also observed using PsExec to encrypt devices that were not hosted on the ESXi hypervisor. Fortunately, in this instance, Windows Defender was able to prevent encryption attempts, but other targets may not be so lucky.

Microsoft has also observed other threat actors, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, all known ransomware affiliates. Ransomware strains seen being deployed once the ESXi hypervisor is compromised are Black Basta, Akira, Babuk, LockBit, and Kuiper.

As to why threat actors are targeting ESXi hypervisors, Microsoft Threat Intelligence notes:

  • Many security products have limited visibility and protection for an ESXi hypervisor.
  • Encrypting an ESXi hypervisor's file system allows one-click mass encryption, as every hosted VM is impacted at once. This spares ransomware operators the time and complexity of lateral movement and credential theft on each individual device.

Another factor is that enterprise networks use ESXi and virtual machines extensively, making them a target for threat actors who specifically target corporate and enterprise infrastructure.

In mitigating the threat posed by threat actors exploiting the abovementioned vulnerability, researchers advise the following:

Install software updates – Make sure to install VMware's latest security updates on all domain-joined ESXi hypervisors.

Credential hygiene – To use any of the exploitation methods above, threat actors require control of a highly privileged user in the organization. Such accounts can be protected in several ways, including enforcing multi-factor authentication (MFA), adopting passwordless authentication, and isolating privileged accounts.

Improve critical asset posture – Identify your critical assets in the network, such as ESXi hypervisors and vCenters (a centralized platform for controlling VMware vSphere environments), and ensure they are protected with the latest security updates, proper monitoring procedures, and backup and recovery plans.

Identify vulnerable assets – Deploy authenticated scans of network devices using security software solutions to identify vulnerabilities in network devices such as ESXi and receive security recommendations.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
