Microsoft is urging users of VMware’s ESXi hypervisor to take immediate action to counter ongoing attacks in which ransomware groups gain full administrative control of the servers on which the product runs.
The vulnerability, tracked as CVE-2024-37085, allows attackers who have already obtained limited system privileges on a targeted server to gain full administrative control of the ESXi hypervisor. Attackers affiliated with several ransomware groups, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, have been exploiting the flaw for months in numerous post-compromise attacks, that is, after limited access has already been obtained through other means.
Default administrator rights assigned
Full administrative control of the hypervisor gives attackers a variety of capabilities, including encrypting its file system and taking down every virtual machine hosted on it. Hypervisor control can also let attackers access the hosted virtual machines to exfiltrate data or extend their reach across a network. Microsoft discovered the exploited vulnerability in the course of its routine attack investigations and reported it to VMware. VMware parent company Broadcom patched the vulnerability on Thursday.
“Microsoft security researchers have identified a new post-compromise technique used by ransomware operators such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in multiple attacks,” members of the Microsoft Threat Intelligence team wrote Monday. “In several cases, use of this technique led to the deployment of Akira and Black Basta ransomware.”
The article went on to document a surprising finding: elevating privileges on ESXi to full administrator was as simple as creating a new domain group named “ESX Admins.” From there, any user added to the group, including newly created accounts, automatically became a hypervisor administrator, with no further check of who was entitled to that role. As Microsoft’s article explains:
Further analysis of the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory domain assume that any member of a domain group named “ESX Admins” has full administrative access by default. This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate the existence of such a group when the server is joined to a domain and always treat all members of a group with this name as having full administrative access, even if the group did not originally exist. Additionally, group membership is determined by name, not by security identifier (SID).
Creating the group and adding a user to it takes just two commands, run from a domain-joined Windows machine by an account allowed to create domain groups (the original commands use `net group`, the standard Windows tool for managing domain groups):
- net group "ESX Admins" /domain /add
- net group "ESX Admins" username /domain /add
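The two commands above are the attacker's side. The defender's first question is which hosts are actually exposed: an ESXi host is affected only if it is joined to Active Directory, still trusts the default group name, and still grants administrator rights to that group automatically. Both behaviours are controlled by two hostd advanced settings, `Config.HostAgent.plugins.hostsvc.esxAdminsGroup` and `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd`, which Broadcom's advisory names as the mitigation for hosts that cannot be patched. The following PowerCLI script is an added example, not a script from Microsoft, VMware or Broadcom: it audits every host in a vCenter inventory and, with `-Fix`, applies the mitigation. The vCenter name and the replacement group name are placeholders; it assumes the VMware.PowerCLI module is installed and the caller can edit host advanced settings.

```powershell
# Added example (not vendor tooling): audit ESXi hosts for the CVE-2024-37085 exposure
# and optionally apply the vendor-documented mitigation via PowerCLI.
param(
    [Parameter(Mandatory)][string]$VCenter,            # your vCenter FQDN (placeholder)
    [string]$ReplacementGroup = 'vSphere-Host-Admins', # hypothetical AD group you control
    [switch]$Fix                                       # without -Fix, report only
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter -ErrorAction Stop | Out-Null

# The two hostd settings behind the flaw: the trusted AD group name (default "ESX Admins")
# and whether its members are granted the Admin role automatically (default true).
$GroupSetting   = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$AutoAddSetting = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'

foreach ($vmhost in Get-VMHost) {
    $group   = Get-AdvancedSetting -Entity $vmhost -Name $GroupSetting
    $autoAdd = Get-AdvancedSetting -Entity $vmhost -Name $AutoAddSetting

    # Only AD-joined hosts can be reached through a domain group at all.
    $domain = ($vmhost | Get-VMHostAuthentication).Domain

    # Compare as text: [bool]"false" is $true in PowerShell, so never cast the value.
    $autoAddOn = "$($autoAdd.Value)" -eq 'true'

    # Exposed: domain-joined and still auto-granting Admin. A renamed group only raises
    # the bar (the attacker must learn the name); disabling auto-add closes the path.
    $exposed = [bool]$domain -and $autoAddOn

    [pscustomobject]@{
        Host         = $vmhost.Name
        Domain       = $domain
        TrustedGroup = $group.Value
        AutoAdd      = $autoAdd.Value
        DefaultName  = ($group.Value -eq 'ESX Admins')
        Exposed      = $exposed
    }

    if ($Fix -and $exposed) {
        $autoAdd | Set-AdvancedSetting -Value $false -Confirm:$false | Out-Null
        if ($group.Value -eq 'ESX Admins') {
            $group | Set-AdvancedSetting -Value $ReplacementGroup -Confirm:$false | Out-Null
        }
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once without `-Fix` to get the inventory, then with `-Fix` after confirming which hosts are patched. Turning off `esxAdminsGroupAutoAdd` is the control that matters; changing the group name alone still leaves name-based matching in place, so an attacker who learns the new name can recreate the group just as easily.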
According to the researchers, ransomware authors have increasingly targeted ESXi hypervisors over the past year in attacks that let them encrypt data en masse with a few “clicks.” Because the hypervisor’s file system holds the virtual disks, encrypting it encrypts every virtual machine hosted on it at once. The researchers also said that many security products have limited visibility into, and weak protection of, the ESXi hypervisor.
The ease of exploitation, coupled with VMware’s medium severity rating of 6.8 out of 10, has drawn criticism from some seasoned security professionals.
ESXi is a Type 1 hypervisor, also known as a bare-metal hypervisor, meaning it is a full-fledged operating system installed directly on a physical server. Unlike Type 2 hypervisors, Type 1 hypervisors do not run on top of an operating system such as Windows or Linux. Instead, guest operating systems run on top of them. Gaining control of the ESXi hypervisor gives attackers enormous power.
Microsoft researchers described an attack they observed, carried out by the Storm-0506 threat group, to install ransomware known as Black Basta. As intermediate steps, Storm-0506 installed malware known as Qakbot and exploited a previously patched Windows vulnerability to facilitate the installation of two hacking tools, one known as Cobalt Strike and the other Mimikatz. The researchers wrote:
Earlier this year, an engineering firm in North America was hit by a Black Basta ransomware deployment by Storm-0506. During this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges on ESXi hypervisors within the organization.
The threat actor gained initial access to the organization via a Qakbot infection, followed by exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to escalate privileges on affected devices. The threat actor then used Cobalt Strike and Pypykatz (a Python version of Mimikatz) to steal the credentials of two domain administrators and move laterally to four domain controllers.
On the compromised domain controllers, the threat actor installed persistence mechanisms using custom tools and a SystemBC implant. The actor was also observed attempting to force Remote Desktop Protocol (RDP) connections to multiple devices as another lateral move method, and then reinstall Cobalt Strike and SystemBC. The threat actor then attempted to tamper with Microsoft Defender Antivirus using various tools to avoid detection.
Microsoft observed that the threat actor created the “ESX Admins” group in the domain and added a new user account to it. As a result of these actions, Microsoft observed that this attack resulted in encryption of the ESXi file system and loss of functionality of virtual machines hosted on the ESXi hypervisor. The actor was also observed using PsExec to encrypt devices that are not hosted on the ESXi hypervisor. Microsoft Defender Antivirus and automatic attack disruption in Microsoft Defender for Endpoint were able to stop these encryption attempts on devices that had the Unified Agent for Defender for Endpoint installed.
Anyone with administrative responsibility for ESXi hypervisors should prioritize investigating and remediating this vulnerability. Microsoft’s post provides several methods for identifying suspicious changes to the ESX Admins group and other potential signs that the flaw is being exploited. One caveat: Broadcom’s advisory ships the fix in ESXi 8.0 Update 3 and lists no patch for ESXi 7.0, so 7.0 hosts depend on the mitigation of disabling the automatic administrator grant for the group (the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd) and changing the trusted group name (Config.HostAgent.plugins.hostsvc.esxAdminsGroup) away from its default.
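The Active Directory side of the technique leaves standard audit events on the domain controller that processed the change: a group named “ESX Admins” being created, a member being added to it, or an existing group being renamed to that name. The script below is an added example, not one of Microsoft’s published hunting queries: it pulls those events from a domain controller’s Security log, matches the group name case-insensitively (ESXi matches by name, not SID, so a differently cased name would work for the attacker too), and separately checks whether such a group exists in the directory at all, which it never does by default. It assumes the “Audit Security Group Management” policy is enabled, that the caller can read the Security log on the named DC, and that the ActiveDirectory RSAT module is available for the directory check.

```powershell
# Added example (not from Microsoft's report): hunt a DC's Security log for the AD changes
# an attacker needs for CVE-2024-37085, and check whether the group exists right now.
param(
    [string]$GroupName    = 'ESX Admins',
    [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
    [int]$Days            = 30
)

# Windows security events, by group scope:
#   global 4727 created / 4728 member added / 4737 changed
#   local  4731 created / 4732 member added / 4735 changed
#   univ.  4754 created / 4756 member added / 4755 changed
#   4781 account (including group) renamed
$filter = @{
    LogName   = 'Security'
    Id        = 4727, 4728, 4737, 4731, 4732, 4735, 4754, 4755, 4756, 4781
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent throws when nothing matches; treat that as an empty result.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Named EventData fields are only reachable through the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4781 carries old/new names; every other event names the group in TargetUserName.
    $candidates = @($data['TargetUserName'], $data['NewTargetUserName'], $data['OldTargetUserName']) |
                  Where-Object { $_ }
    # -eq on strings is case-insensitive, which mirrors ESXi's name-only matching.
    $hit = $candidates | Where-Object { $_.Trim() -eq $GroupName } | Select-Object -First 1
    if (-not $hit) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Group   = $hit
        Member  = $data['MemberName']         # set only on member-added events
        OldName = $data['OldTargetUserName']  # set only on 4781 (rename)
    }
}

# Independent check of current state: the group does not exist by default, so its mere
# presence warrants review regardless of what the audit log retained.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties whenCreated, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Group   = $_.Name
                SID     = $_.SID.Value
                Created = $_.whenCreated
                Changed = $_.whenChanged
                Members = (Get-ADGroupMember -Identity $_ | ForEach-Object SamAccountName) -join ', '
            }
        }
}
```

Security events are written only on the domain controller that handled the change and are not replicated, so run the log portion against every DC (or against a SIEM that already collects them). A hit on 4781 is worth a closer look than the others: renaming an existing, legitimate group to “ESX Admins” grants its current members hypervisor control without adding anyone, which evades any detection that watches only for group creation or membership changes.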