Ransomware Operators Exploit ESXi Hypervisor Vulnerability for Mass Encryption


Overview

Microsoft researchers have uncovered a vulnerability in VMware ESXi hypervisors that ransomware operators are actively exploiting to obtain full administrative permissions on domain-joined ESXi hosts. The vulnerability, tracked as CVE-2024-37085, lies in ESXi's Active Directory integration: a domain-joined host treats members of a domain group named "ESX Admins" as full administrators by default, without checking that the group existed when the host was joined. Because an ESXi host runs the virtual machines (VMs) of an enterprise network, an attacker with administrative access can encrypt the hypervisor's file system and, with it, every hosted VM, causing severe disruption to the organization's operations.

What is ESXi?

ESXi is a bare-metal hypervisor developed by VMware, designed to run directly on physical servers. It provides virtualization capabilities, enabling multiple virtual machines to run on the same physical hardware. ESXi hypervisors often host critical systems within corporate networks, making them high-value targets for ransomware operators. The ability to gain full administrative access to an ESXi hypervisor grants attackers control over hosted VMs, paving the way for devastating ransomware attacks.

CVE-2024-37085 Vulnerability Analysis

Microsoft's security team identified a novel post-compromise technique used by the ransomware operators it tracks as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, in intrusions that ended with Akira or Black Basta ransomware. The root cause is how ESXi handles Active Directory group membership: a domain-joined ESXi host grants full administrative access to any member of a domain group named "ESX Admins". That group is not a built-in Active Directory group and does not exist by default; ESXi does not verify that it existed when the host was joined to the domain, and it matches the group by name rather than by its security identifier (SID). An attacker who already holds enough domain privileges to create a group therefore only needs the following two commands to create a group called "ESX Admins" in the domain and add a user to it:

net group "ESX Admins" /domain /add
net group "ESX Admins" username /domain /add

Every ESXi host joined to that domain then treats the added user as a full administrator. Microsoft reported the vulnerability to VMware as part of its responsible disclosure process earlier this year; VMware published advisory VMSA-2024-0013 and fixed the issue in ESXi 8.0 Update 3.

Exploitation Methods

Microsoft researchers highlighted three primary methods through which this vulnerability can be exploited:

1. Creating a new "ESX Admins" group

Any domain user with permission to create groups can escalate privileges by creating a group named "ESX Admins" and adding themselves, or another account they control, to it. Because the hypervisor never checked whether the group existed at join time, the new group is honored immediately. This method has been observed in the wild.

2. Renaming an existing group to "ESX Admins"

Here the attacker renames a group they already control, or already belong to, to "ESX Admins". Because ESXi matches the group by name rather than by SID, the renamed group inherits full administrative access. Microsoft has not yet observed this method in active exploitation.

3. Stale privileges after the admin group is changed

Even if an administrator configures a different domain group as the management group for the ESXi host, the full administrative privileges granted to members of "ESX Admins" are not immediately revoked. An attacker who has already planted a member in "ESX Admins" keeps that access until the host's privileges are refreshed. No exploitation of this method has been observed so far.
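
The three methods above all come down to one design decision: the host identifies its admin group by a mutable name instead of a fixed identifier. The following added example (not VMware's code) models that decision in a few dozen lines: a stand-in directory whose groups are keyed by SID but can be renamed, a `VulnerableHost` that grants admin by current group name and keeps an old group name active until `refresh()` is called (a simplified stand-in for the privileges-refresh behaviour described above), and a `HardenedHost` that resolves the configured group to a SID once, at configuration time, and grants nothing if the group does not exist. The `auto_add` flag plays the role of the `esxAdminsGroupAutoAdd` host setting. All SIDs, group and user names are constructed for illustration.

```python
"""Toy model of the "ESX Admins" authorization flaw (CVE-2024-37085).

Added example, not VMware's code. Two authorizers check the same directory:
VulnerableHost matches the admin group by its current *name*; HardenedHost
pins the group's SID when it is configured. SIDs and names are constructed.
"""
from dataclasses import dataclass, field

DEFAULT_ADMIN_GROUP = "ESX Admins"


@dataclass
class Group:
    sid: str
    name: str
    members: set = field(default_factory=set)


class Directory:
    """Stand-in for Active Directory: groups keyed by SID, names mutable."""

    def __init__(self):
        self.groups = {}  # sid -> Group

    def create_group(self, sid, name, members=()):
        self.groups[sid] = Group(sid, name, set(members))

    def rename_group(self, sid, new_name):
        self.groups[sid].name = new_name

    def groups_of(self, user):
        return [g for g in self.groups.values() if user in g.members]


class VulnerableHost:
    """Name-based check: no test that the group existed at join time, and a
    previously configured name keeps granting admin until refresh() runs."""

    def __init__(self, directory, admin_group=DEFAULT_ADMIN_GROUP):
        self.directory = directory
        self.current = admin_group
        self.granted = {admin_group}

    def set_admin_group(self, name):
        self.current = name
        self.granted.add(name)  # the old name is NOT removed here

    def refresh(self):
        self.granted = {self.current}

    def is_admin(self, user):
        return any(g.name in self.granted for g in self.directory.groups_of(user))


class HardenedHost:
    """SID-pinned check. auto_add=False models esxAdminsGroupAutoAdd=false:
    nobody is admin until an operator configures a group explicitly."""

    def __init__(self, directory, admin_group=DEFAULT_ADMIN_GROUP, auto_add=True):
        self.directory = directory
        self.admin_sid = None
        if auto_add:
            self.set_admin_group(admin_group)

    def set_admin_group(self, name):
        # Resolve exactly one group by name now; missing or ambiguous grants nobody.
        matches = [g for g in self.directory.groups.values() if g.name == name]
        self.admin_sid = matches[0].sid if len(matches) == 1 else None

    def is_admin(self, user):
        return self.admin_sid is not None and any(
            g.sid == self.admin_sid for g in self.directory.groups_of(user))


def method1_create_group():
    """Group absent when the hosts joined; the attacker creates it afterwards."""
    ad = Directory()
    vuln, hard = VulnerableHost(ad), HardenedHost(ad)
    ad.create_group("S-1-5-21-1-2-3-9001", DEFAULT_ADMIN_GROUP, ["attacker"])
    return vuln.is_admin("attacker"), hard.is_admin("attacker")


def method2_rename_group():
    """The attacker renames a group they already belong to."""
    ad = Directory()
    ad.create_group("S-1-5-21-1-2-3-1500", DEFAULT_ADMIN_GROUP, ["vi-admin"])
    ad.create_group("S-1-5-21-1-2-3-1105", "Helpdesk", ["attacker"])
    vuln, hard = VulnerableHost(ad), HardenedHost(ad)
    ad.rename_group("S-1-5-21-1-2-3-1105", DEFAULT_ADMIN_GROUP)
    return vuln.is_admin("attacker"), hard.is_admin("attacker"), hard.is_admin("vi-admin")


def method3_stale_privileges():
    """The operator switches the hosts to a different management group."""
    ad = Directory()
    ad.create_group("S-1-5-21-1-2-3-1500", DEFAULT_ADMIN_GROUP, ["planted"])
    ad.create_group("S-1-5-21-1-2-3-1600", "vSphere Admins", ["vi-admin"])
    vuln, hard = VulnerableHost(ad), HardenedHost(ad)
    vuln.set_admin_group("vSphere Admins")
    hard.set_admin_group("vSphere Admins")
    lingering = vuln.is_admin("planted")
    vuln.refresh()
    return lingering, vuln.is_admin("planted"), hard.is_admin("planted"), hard.is_admin("vi-admin")


if __name__ == "__main__":
    print("create group (vulnerable, hardened):", method1_create_group())
    print("rename group (vulnerable, hardened, legit admin):", method2_rename_group())
    print("stale rights (vuln before/after refresh, hardened, new admin):", method3_stale_privileges())
```

Run stand-alone, the script shows the vulnerable host granting admin in all three scenarios while the SID-pinned host grants it only to the intended group. The design point is that the hardened host never re-derives authorization from a name after configuration, so neither creating nor renaming a group changes who is an administrator, and switching the configured group drops the old one at once.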

Impact of Successful Exploitation

Once attackers achieve full administrative access to an ESXi hypervisor, they can encrypt the hypervisor’s file system. This mass encryption capability disrupts all hosted VMs, potentially crippling an organization’s critical operations. Such attacks often result in significant financial and reputational damage.

Why Are Ransomware Operators Targeting ESXi Hypervisors?

ESXi hypervisors have become a preferred target for ransomware groups due to:

1. Limited security visibility

Many security products provide little visibility into, or protection for, ESXi hypervisors, so activity on the host itself often goes unnoticed.

2. Mass encryption efficiency

Encrypting the hypervisor's file system (the datastores that hold the VM disks) affects every hosted VM at once. This one-step mass encryption reduces the attackers' need for further lateral movement and credential theft across individual guests.

3. Critical infrastructure impact

Because ESXi hypervisors often host mission-critical systems, their compromise causes widespread disruption and increases the pressure on victims to pay the ransom.

4. Underdeveloped security practices

Some organizations lack rigorous monitoring and patching practices for their virtualization infrastructure, leaving ESXi hypervisors exposed to exploitation.

Real-World Attack Example

Microsoft researchers tracked an attack by the ransomware operator Storm-0506, which exploited CVE-2024-37085 during a campaign deploying Black Basta ransomware against an engineering firm in North America. Storm-0506 gained initial access through a Qakbot infection and escalated privileges using a Windows Common Log File System (CLFS) vulnerability, CVE-2023-28252. The attackers then deployed Cobalt Strike and Pypykatz, a Python implementation of Mimikatz, to steal domain administrator credentials before creating the "ESX Admins" group and using it to take over the ESXi hypervisors.

Another notable example involves Octo Tempest, which used the same technique to compromise a healthcare organization, disrupting its virtualized systems and demanding a significant ransom. These cases highlight the widespread appeal of ESXi-targeted attacks across various industries.

Mitigation and Protection Guidance

Organizations using domain-joined ESXi hypervisors must prioritize mitigating this vulnerability to prevent ransomware attacks. Microsoft recommends the following measures:

1. Apply Security Updates

Ensure the latest security updates from VMware addressing CVE-2024-37085 (advisory VMSA-2024-0013; fixed in ESXi 8.0 Update 3) are installed on all domain-joined ESXi hosts. If updates cannot be applied immediately, reduce the risk with the following steps:

  • Verify that the "ESX Admins" group exists in the domain and is hardened: restrict who can change its membership and treat every change to it as a privileged-access event.
  • Manually deny the "ESX Admins" group its automatic administrative rights on each host by setting the advanced host setting

Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd

to false (the default is true).

  • Change which domain group the host treats as its admin group through the companion setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup, and grant that group its privileges explicitly.
  • Configure custom detections in XDR/SIEM for creation of, renaming to, and membership changes of any group named "ESX Admins".
  • Forward ESXi logs to a SIEM and monitor for suspicious administrative logins and privilege changes on the hosts.
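
The custom-detection item above can be implemented on the Active Directory side with nothing more than the group-management events a domain controller already writes. The following added example (not from Microsoft or VMware) scans Windows Security events exported as one JSON object per line and flags the three things an attacker has to do in the directory: create a group named "ESX Admins", add a member to it, or rename an existing group to that name. The event IDs and the EventData field names (TargetUserName, MemberName, OldTargetUserName, NewTargetUserName, SubjectUserName) are those Windows uses for these actions; the JSON export shape and the sample events are constructed for illustration.

```python
"""SIEM-style detection for the "ESX Admins" technique (CVE-2024-37085).

Added example, not vendor code. Scans Windows Security events (one JSON
object per line) for creation of, membership changes to, or renames into a
group named "ESX Admins". Sample events below are constructed, not real logs.
"""
import json

GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global / domain-local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to a security-enabled group of each scope
ACCOUNT_RENAMED = {4781}             # "The name of an account was changed" (covers groups)
WATCHED_GROUP = "esx admins"


def normalize(name):
    """Strip a DOMAIN\\ prefix, collapse whitespace and lower-case: ESXi
    matches the group by name, and an attacker may vary case or spacing."""
    return " ".join(name.split("\\")[-1].split()).lower()


def classify(event):
    """Return an alert string for a relevant event, or None."""
    eid, d = event["EventID"], event["EventData"]
    who = d.get("SubjectUserName", "?")
    if eid in GROUP_CREATED and normalize(d["TargetUserName"]) == WATCHED_GROUP:
        return f"group '{d['TargetUserName']}' created by {who}"
    if eid in MEMBER_ADDED and normalize(d["TargetUserName"]) == WATCHED_GROUP:
        return f"{d['MemberName']} added to '{d['TargetUserName']}' by {who}"
    if eid in ACCOUNT_RENAMED and normalize(d["NewTargetUserName"]) == WATCHED_GROUP:
        return f"'{d['OldTargetUserName']}' renamed to '{d['NewTargetUserName']}' by {who}"
    return None


def detect(lines):
    """Run classify() over JSON lines; return [(EventID, alert), ...] in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            alerts.append((event["EventID"], verdict))
    return alerts


# Constructed sample export: three malicious events interleaved with two benign ones.
SAMPLE_EVENTS = [
    '{"EventID": 4727, "EventData": {"TargetUserName": "Finance", "SubjectUserName": "hr-admin"}}',
    '{"EventID": 4727, "EventData": {"TargetUserName": "ESX Admins", "SubjectUserName": "j.doe"}}',
    '{"EventID": 4728, "EventData": {"TargetUserName": "ESX Admins", "MemberName": "CN=j.doe,OU=Users,DC=corp,DC=example", "SubjectUserName": "j.doe"}}',
    '{"EventID": 4728, "EventData": {"TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup,OU=Svc,DC=corp,DC=example", "SubjectUserName": "it-admin"}}',
    '{"EventID": 4781, "EventData": {"OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx  ADMINS", "SubjectUserName": "j.doe"}}',
]


if __name__ == "__main__":
    for eid, alert in detect(SAMPLE_EVENTS):
        print(f"[{eid}] {alert}")
```

On the sample export the script raises three alerts (the group creation, the member addition, and the rename) and ignores the Finance and Domain Admins events. Two practical notes: real exports often carry EventID as a string, so coerce it to int before comparing; and because the rename case is the quietest of the three, the 4781 rule is the one most worth keeping even if the others are noisy in your environment.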

2. Enhance Credential Hygiene

Preventing attackers from exploiting highly privileged accounts is critical. Microsoft recommends:

  • Enforcing multifactor authentication (MFA) for all accounts. Remove any exemptions and strictly require MFA for all devices, locations, and scenarios.
  • Enabling passwordless authentication methods, such as Windows Hello, FIDO keys, or Microsoft Authenticator.
  • Isolating privileged accounts from regular productivity accounts to safeguard administrative access. Follow best practices for privileged access management.

3. Secure Critical Assets

Identify and protect critical assets, such as ESXi hypervisors and vCenters, by:

  • Applying the latest security updates.
  • Implementing robust monitoring procedures.
  • Establishing comprehensive backup and recovery plans.

4. Identify Vulnerable Assets

Leverage tools like Microsoft Defender Vulnerability Management for continuous vulnerability assessment and risk reduction for ESXi hypervisors. Incorporate regular vulnerability scanning into your security routine to address new risks promptly.

5. Train Staff on Security Awareness

Conduct regular training sessions for IT and security teams to:

  • Recognize signs of ransomware activity.
  • Implement best practices for managing virtualization infrastructure securely.
  • Understand the importance of patch management and incident response protocols.

6. Develop Incident Response Plans

Organizations should have a well-documented incident response plan specific to virtualization infrastructure. Key components include:

  • Predefined roles and responsibilities for response teams.
  • Playbooks for addressing ransomware attacks on ESXi hypervisors.
  • Regular simulation exercises to test the effectiveness of the plan.

Closing Summary

The exploitation of CVE-2024-37085 underscores the critical need for robust security measures in protecting ESXi hypervisors. Ransomware operators’ ability to leverage this vulnerability for mass encryption highlights the importance of proactive patch management, credential hygiene, and monitoring. By implementing the recommended mitigation strategies, organizations can significantly reduce the risk of ransomware attacks and safeguard their virtualized environments.

Protecting ESXi hypervisors is not just a technical necessity but a strategic imperative to ensure the continuity of operations in an increasingly digitized world.
