
Hackers Exploit ESXi Flaw for Devastating Ransomware Attacks


Microsoft researchers identified a vulnerability (CVE-2024-37085) in VMware ESXi hypervisors that grants full administrative privileges to members of a specifically named domain group without properly validating that group.

It allows ransomware actors to take complete control of ESXi hosts, encrypting virtual machines, exfiltrating data, and moving laterally through the network. VMware has released a patch, and Microsoft recommends applying it immediately, as multiple ransomware groups are already exploiting the flaw.

Ransomware groups like Storm-0506 are exploiting CVE-2024-37085, a vulnerability in domain-joined ESXi hypervisors, to escalate privileges to full administrative access. 

By creating a specific domain group and adding users to it, attackers bypass the hypervisor's access checks and gain control of it, which lets them deploy ransomware such as Akira and Black Basta, encrypt virtual machines, and exfiltrate data.

VMware ESXi hypervisors grant full administrative privileges to any user belonging to a domain group named “ESX Admins,” a group that does not exist by default. 

The hypervisor does not validate that the group exists when it joins the domain, so an attacker who can create the group and add members to it gains unrestricted access. The problem is compounded by ESXi's reliance on the group's name, rather than its security identifier (SID), to determine membership.

Three methods of exploiting the vulnerability have been identified. In the first, attackers create a new "ESX Admins" group and add themselves to it, gaining full administrative access.

In the second, they rename an existing group to "ESX Admins" and rely on its existing membership. The first method is actively exploited in the wild, while the second remains theoretical. Both scenarios require a domain user with group-management privileges.

ESXi unauthenticated shell for sale on the dark web

In the third scenario, even after an administrator changes the management group for an ESXi hypervisor to a different group, members of the "ESX Admins" group retain full administrative privileges, and threat actors can exploit this delay to gain complete control over the hypervisor.
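The three paths above all leave a trace in the Windows Security log on a domain controller: a group being created, a member being added, or an account being renamed to the trusted name. As an added example (not from the article or from Microsoft), the script below runs that detection logic over a few constructed sample records; the key=value record format and the field names SubjectUserName, TargetUserName, MemberName, OldTargetUserName and NewTargetUserName are assumptions modelled on the standard Security event fields.

```python
import re
from typing import Optional

TARGET_GROUP = "ESX Admins"          # the group name ESXi trusts (from the article)

# Standard Windows Security event IDs for group lifecycle events
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global/local/universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to such a group
ACCOUNT_RENAMED = {4781}             # name of an account (including a group) was changed

# Constructed sample records in a simple key=value form (not real log output);
# a SIEM export would be mapped onto the same field names.
SAMPLE_LOG = """\
EventID=4727 SubjectUserName=jdoe TargetUserName="ESX Admins" TargetDomainName=CORP
EventID=4728 SubjectUserName=jdoe MemberName="CN=jdoe,CN=Users,DC=corp,DC=local" TargetUserName="ESX Admins"
EventID=4781 SubjectUserName=jdoe OldTargetUserName="VM Operators" NewTargetUserName="esx  admins"
EventID=4728 SubjectUserName=helpdesk MemberName="CN=bob,CN=Users,DC=corp,DC=local" TargetUserName="Domain Users"
"""

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line: str) -> dict:
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}

def _norm(name: str) -> str:
    # Case-insensitive, whitespace-collapsed compare so trivial variations still match
    return re.sub(r"\s+", " ", name.strip()).casefold()

def classify(event: dict) -> Optional[str]:
    """Map one parsed event to the exploitation path it resembles, or None."""
    eid = int(event.get("EventID", 0))
    target = _norm(TARGET_GROUP)
    if eid in GROUP_CREATED and _norm(event.get("TargetUserName", "")) == target:
        return "group-created"    # path 1: a new "ESX Admins" group appears
    if eid in MEMBER_ADDED and _norm(event.get("TargetUserName", "")) == target:
        return "member-added"     # path 1, and the lingering-privilege case (path 3)
    if eid in ACCOUNT_RENAMED and _norm(event.get("NewTargetUserName", "")) == target:
        return "group-renamed"    # path 2: an existing group renamed to "ESX Admins"
    return None

def find_suspicious(log_text: str) -> list:
    """Return the flagged events, each annotated with the matched path and the actor."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        kind = classify(event)
        if kind:
            hits.append({"kind": kind, "actor": event.get("SubjectUserName"), "event": event})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['kind']:14} by {hit['actor']}: {hit['event']}")
```

The same three checks can be expressed as a SIEM rule on the real event fields; the point is to alert on any of the three, not only on group creation.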

Successful exploitation lets an attacker encrypt the hypervisor's file system, disrupting the servers it hosts, access the virtual machines, exfiltrate data, and move laterally through the network.

Ransomware groups increasingly target ESXi hypervisors due to limited security visibility and the potential for rapid, widespread encryption of virtual machines. 

By exploiting vulnerabilities like CVE-2024-37085, attackers gain administrative privileges, enabling them to encrypt the hypervisor’s file system and compromise hosted virtual machines. 

According to Microsoft, the flaw lets attackers bypass traditional security measures, escalate privileges, and disrupt critical operations, highlighting the urgent need for robust hypervisor protection strategies.

Storm-0506 attack chain

Storm-0506 leveraged a Qakbot infection, exploited a CLFS vulnerability (CVE-2023-28252) for initial access, and stole domain admin credentials using Cobalt Strike and Pypykatz. 

Once on the domain controllers, the attackers deployed SystemBC and custom tools, brute-forced RDP connections to other devices, and installed additional Cobalt Strike and SystemBC payloads.

By exploiting CVE-2024-37085, they created the "ESX Admins" group to obtain elevated ESXi privileges and encrypted the virtual machines; non-ESXi devices were encrypted using PsExec, and the attackers attempted to evade detection by tampering with Microsoft Defender antivirus.
