A vulnerability in VMware's ESXi hypervisor, discovered by Microsoft, let attackers who had already gained a foothold in an organisation's Active Directory domain take full administrative control of domain-joined ESXi hosts. From there they encrypted the hosts' file systems, reached every VM running on those bare-metal hypervisors and in some cases took servers down completely.
Microsoft researchers write that the vulnerability, tracked as CVE-2024-37085, is being actively exploited by several ransomware groups, including Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest.
The vulnerability came to light during Microsoft's own research. The company reported it to VMware, after which parent company Broadcom released a patch last Thursday. Unsurprisingly, Microsoft's researchers urge in their write-up that the patch be applied as soon as possible where that has not already happened.
Ransomware deployed
Actual attacks that exploited this vulnerability often ended in the deployment of ransomware such as Akira and Black Basta, according to Microsoft's Threat Intelligence team. The flaw is an authorization problem rather than an authentication bypass: a domain-joined ESXi host grants full administrative access to every member of a domain group named 'ESX Admins', without checking whether that group actually exists or was created legitimately. The group does not exist in Active Directory by default, so an attacker with enough rights to create a group in the domain could create it, add an account to it and thereby escalate to unrestricted admin rights on every ESXi host joined to that domain. Renaming an existing group to 'ESX Admins' has the same effect.
To exploit the vulnerability, attackers needed to run only these two commands on a domain-joined Windows machine, the first to create the group and the second to add their own account to it:
- net group "ESX Admins" /domain /add
- net group "ESX Admins" username /domain /add
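The detection side of the procedure above, as an added example that is not from the original article or from Microsoft's write-up: a small Python scanner over Windows Security event records (constructed sample events, JSON-encoded one per line) that flags the events produced when a group named 'ESX Admins' is created, has a member added, or is renamed to that name. The event IDs and field names are the standard Windows Security audit ones; the case-insensitive match is a defensive assumption, since the article does not say how ESXi compares the group name.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Group name a domain-joined ESXi host treats as its admin group by default,
# which is what CVE-2024-37085 abuses. Compared case-insensitively here as a
# defensive assumption (the article does not say how ESXi compares it).
ESX_ADMINS = "esx admins"

# Windows Security audit event IDs, by what they record:
GROUP_CREATED = {4727, 4731, 4754}  # security-enabled global / domain-local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}   # member added to a security-enabled global / domain-local / universal group
NAME_CHANGED = {4781}               # the name of an account (users and groups alike) was changed


@dataclass
class Alert:
    event_id: int
    actor: str   # SubjectUserName: the account that made the change
    detail: str


def _norm(name: Optional[str]) -> str:
    return (name or "").strip().lower()


def inspect_event(ev: dict) -> Optional[Alert]:
    """Return an Alert if this single event is a step in the ESX Admins escalation."""
    eid = ev.get("EventID")
    actor = ev.get("SubjectUserName", "?")
    target = ev.get("TargetUserName")
    if eid in GROUP_CREATED and _norm(target) == ESX_ADMINS:
        return Alert(eid, actor, f"group '{target}' created")
    if eid in MEMBER_ADDED and _norm(target) == ESX_ADMINS:
        return Alert(eid, actor, f"member {ev.get('MemberName', '?')} added to '{target}'")
    if eid in NAME_CHANGED and _norm(ev.get("NewTargetUserName")) == ESX_ADMINS:
        return Alert(eid, actor,
                     f"'{ev.get('OldTargetUserName', '?')}' renamed to '{ev.get('NewTargetUserName')}'")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Scan JSON-per-line event records; unparseable lines are skipped, not fatal."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = inspect_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real log data). The two "net group" commands from
# the article produce events like the first two; the fourth is the rename variant.
SAMPLE_EVENTS = [
    '{"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"}',
    '{"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "TargetDomainName": "CORP", '
    '"MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"}',
    '{"EventID": 4728, "SubjectUserName": "svc-hr", "TargetUserName": "HR Staff", "TargetDomainName": "CORP", '
    '"MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"}',
    '{"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Temp Project", '
    '"NewTargetUserName": "esx admins", "TargetDomainName": "CORP"}',
    '{"EventID": 4727, "SubjectUserName": "admin-it", "TargetUserName": "Backup Operators 2", "TargetDomainName": "CORP"}',
    'not json at all',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.event_id}] {a.actor}: {a.detail}")
```

The detector only covers the Active Directory side. On the host itself, the group name ESXi looks up is the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup, and Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd controls whether members of that group are granted admin rights automatically, so a hunt on an unpatched host should also compare those two values against what was intended.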
VMware gave the vulnerability a CVSS score of 6.8 out of 10, which drew criticism from security experts who felt that a flaw this easy to exploit and with such potential impact deserves a higher rating. The impact is large because ESXi is a Type 1 hypervisor: it runs directly on the physical server rather than on top of a host operating system, so whoever controls it controls every VM on that host.
The complete control attackers gained through the vulnerability allowed them to encrypt the hypervisor's file system, potentially making all hosted VMs inaccessible. They were also able to move deeper into connected networks from the hypervisor.
Login data stolen
In one case, the Storm-0506 group used the flaw to deploy Black Basta ransomware. They first installed Qakbot malware, exploited a previously patched Windows vulnerability to gain more privileges, and then used the post-exploitation tools Cobalt Strike and Pypykatz (a Python port of Mimikatz) to steal the credentials of two system administrators and extend their access even further.
Next, the attackers encrypted the ESXi file system and used the remote execution tool PsExec to encrypt devices that were not hosted on the ESXi hypervisor. In some cases that failed because Microsoft Defender stepped in, but only on devices that had the unified agent for Defender for Endpoint installed.