Threat actors are exploiting a VMware ESXi bug which could be “catastrophic” for affected firms
The VMware ESXi hypervisor has become a favorite target in the digital extortion community, according to researchers
A critical flaw in the VMware ESXi hypervisor is being exploited in the wild by ransomware groups, according to research from Microsoft published roughly a month after VMware issued a patch to address the issue.
The vulnerability was reported to VMware by researchers at Microsoft and is fixed in ESXi 8.0 U3; no fix was issued for the ESXi 7.0 line. VMware’s parent company Broadcom issued an advisory acknowledging the bug.
CVE-2024-37085, rated 6.8 on the CVSS v3 scale, is an authentication bypass vulnerability that, if successfully exploited, would allow an attacker to obtain full administrative permissions on domain-joined ESXi hypervisors, Microsoft warned.
“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESX Admins' by default) after it was deleted from AD,” Broadcom’s advisory outlined.
With full administrative access to the ESXi hypervisor, the attacker can then encrypt the hypervisor’s file system, taking every hosted virtual machine offline at once.
Microsoft researchers added that the threat actor would also be able to access any hosted virtual machines (VMs) and potentially exfiltrate data or move laterally within the network.
Scott Caveza, staff research engineer at Tenable, cautioned that although its CVSS rating was moderate, successful exploitation of the flaw could be “catastrophic” for businesses.
“While the security advisory for CVE-2024-37085 provided a moderate severity rating, a CVSSv3 score of 6.8 and Tenable Vulnerability Prioritization rating of medium, successful exploitation can be catastrophic for impacted organizations.”
Microsoft outlines a variety of methods attackers can use to compromise VMware ESXi hosts
Microsoft detailed three possible methods to exploit CVE-2024-37085, the first of which involves adding the ‘ESX Admins’ group to the domain and adding a user to it.
“In this method, if the ‘ESX Admins’ group doesn’t exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group.”
The second method builds on the first but requires access to a user with the ability to rename an existing group to ‘ESX Admins’; the attacker then adds a user to that group, or uses one already in it, which immediately escalates that user to full administrative access.
Finally, Microsoft noted that even if the network administrator assigns a different group to manage the ESXi hypervisor, the full administrative privileges of members of the ‘ESX Admins’ group are not immediately removed, so a stale group can still be abused. This third approach was not observed in the wild during Microsoft’s research.
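The first two methods both leave a trace in Active Directory: a group named ‘ESX Admins’ is created, or an existing group is renamed to it, and then a member is added. As an added illustration (not code from Microsoft’s report or from Broadcom), the following Python script flags those changes when run over Windows Security event records. The event IDs are the standard ones for security-enabled group creation (4727/4731/4754), member addition (4728/4732/4756) and account rename (4781); the group name is compared case-insensitively because AD group names are not case-sensitive. The sample records are constructed for this example and the field names mirror the XML EventData of the real events.

```python
"""Flag AD group changes matching the CVE-2024-37085 abuse patterns (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Standard Windows Security event IDs (not taken from the article).
GROUP_CREATED = {4727, 4731, 4754}  # security-enabled global/local/universal group created
MEMBER_ADDED = {4728, 4732, 4756}   # member added to a security-enabled group
NAME_CHANGED = {4781}               # "The name of an account was changed" (covers groups)

# Group name ESXi trusts by default (advanced setting
# Config.HostAgent.plugins.hostsvc.esxAdminsGroup). If a host has been
# pointed at a different group, add that name here as well.
WATCHED_GROUPS = {"esx admins"}


@dataclass
class Finding:
    event_id: int
    technique: str   # which of the methods described in the text the event matches
    actor: str       # SubjectUserName: the account that made the change
    detail: str


def _watched(name: str | None) -> bool:
    # AD group names are case-insensitive, so "esx admins" is as good as "ESX Admins".
    return (name or "").strip().lower() in WATCHED_GROUPS


def classify(event: dict) -> Finding | None:
    """Return a Finding if one event is part of an 'ESX Admins' takeover, else None."""
    eid = event.get("EventID")
    actor = event.get("SubjectUserName", "<unknown>")
    if eid in GROUP_CREATED and _watched(event.get("TargetUserName")):
        return Finding(eid, "method 1: group created", actor, event["TargetUserName"])
    if eid in NAME_CHANGED and _watched(event.get("NewTargetUserName")):
        return Finding(eid, "method 2: group renamed", actor,
                       f"{event.get('OldTargetUserName')} -> {event['NewTargetUserName']}")
    if eid in MEMBER_ADDED and _watched(event.get("TargetUserName")):
        return Finding(eid, "member added to trusted group", actor,
                       event.get("MemberName", "<unknown>"))
    return None


def scan(events: list[dict]) -> list[Finding]:
    """Run classify() over a batch of events and keep the hits, in order."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample records: field names follow the real events' EventData,
# but every value here is invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "svc_hr", "TargetUserName": "Finance-Readers"},
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "helpdesk3",
     "OldTargetUserName": "Printer-Ops", "NewTargetUserName": "esx admins"},
    {"EventID": 4732, "SubjectUserName": "admin", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=bsmith,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.technique}: {f.actor} -> {f.detail}")
```

Two caveats when using this for real. The group is legitimately created once when ESXi is joined to the domain, so baseline that event and alert on any later creation, rename or membership change, especially by accounts outside the virtualization team. The third method leaves no AD trace at all: it is a stale trust on the host side, so the complementary check is to read each host’s esxAdminsGroup setting and confirm it points at the group you actually administer.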
Caveza noted that the analysis from Microsoft indicates once the initial exploit is completed, the variety of attack paths available to the attacker are all relatively easy to take advantage of.
Thankfully, however, he said successful exploitation depends on the host having been configured to use Active Directory for user management, which poses something of a barrier to entry for the attacker.
“While the complexity is low, an attacker first needs elevated privileges in order to modify the Active Directory (AD) configuration on the affected host… Despite this significant barrier to entry, we cannot underestimate ransomware groups' abilities and determination to escalate privileges and advance their attack path once they obtain initial access,” he explained.
“While a medium severity vulnerability may be a lower priority for patching, this is another example of how attackers will seek out and exploit any unpatched vulnerability they can, often chaining together multiple vulnerabilities in their quest for complete takeover of a breached network."
ESXi hypervisors a “favored target for threat actors”
Microsoft’s report highlighted previous evidence of ransomware operators targeting ESXi hypervisors, noting the popularity of the product in corporate networks has made it a “favored target for threat actors”.
Hypervisors like these are convenient targets for attackers who want to evade detection by security operations centers (SOCs), Microsoft stated, as many security products have limited visibility and protection for an ESXi hypervisor.
Moreover, an ESXi hypervisor allows for the mass encryption of its entire file system in one step, leaving attackers with more time to focus on lateral movement or credential theft once they are inside the network.
These reasons make them juicy targets for threat actors, the report explained, stating that the number of Microsoft incident response engagements involving ESXi hypervisors has more than doubled in the last three years.
This popularity is reflected in the number of ransomware actors deploying ESXi encryptors such as Akira and Black Basta, including Storm-0506, Storm-1175, Scattered Spider (tracked by Microsoft as Octo Tempest), and EvilCorp (Manatee Tempest).
To mitigate the threats posed by this flaw, the report recommended that any organization using domain-joined ESXi hypervisors apply VMware’s security update as soon as possible and review its credential hygiene so that attackers cannot obtain the Active Directory privileges they would need to exploit the vulnerability. For hosts that cannot be patched, Microsoft advised confirming that the ‘ESX Admins’ group exists and is hardened, or pointing the hypervisor at a different, tightly controlled group via the Config.HostAgent.plugins.hostsvc.esxAdminsGroup advanced setting and disabling automatic admin assignment (Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd).

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.