Ransomware gangs are loving this dumb but deadly make-me-admin ESXi vulnerability

Get those patches applied – all the big dogs are abusing it


Do you have your VMware ESXi hypervisor joined to Active Directory? Well, the latest news from Microsoft serves as a reminder that you might not want to do that given the recently patched vulnerability that has security experts deeply concerned.

CVE-2024-37085 only carries a 6.8 CVSS rating, but has been used as a post-compromise technique by many of the world's most high-profile ransomware groups and their affiliates, including Black Basta, Akira, Medusa, and Octo Tempest/Scattered Spider.

The vulnerability allows attackers who have the necessary privileges to create AD groups – which isn't necessarily an AD admin – to gain full control of an ESXi hypervisor.

This is bad for obvious reasons. Having unfettered access to all running VMs and critical hosted servers offers attackers the ability to steal data, move laterally across the victim's network, or just cause chaos by ending processes and encrypting the file system.

The "how" of the exploit is what caused such a stir in cyber circles. There are three ways of exploiting CVE-2024-37085, but the underlying logic flaw in ESXi enabling them is what's attracted so much attention.

Essentially, if an attacker was able to add an AD group called "ESX Admins," any user added to it would by default be considered an admin.

That's it. That's the exploit.

"This method is actively exploited in the wild by the abovementioned threat actors," Microsoft warned last night. "In this method, if the 'ESX Admins' group doesn't exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group."

Another way of doing it would be to rename an existing AD group to the same "ESX Admins" name and add themselves to it. Boom – admin privileges. This method hasn't been seen in practice, according to Microsoft, but it's just as feasible to pull off.

The final method Microsoft described pertains more to how the logic flaw persists even if a network admin assigns another AD group to manage the hypervisor. As long as a group called "ESX Admins" exists, the admin privileges of the users added to it aren't immediately removed, leaving them open for abuse.
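To make the three methods concrete, here is an added toy model of the flaw, written for this article and not taken from VMware, Broadcom or Microsoft. It simulates a directory in which groups have a stable SID and a renameable name, a "vulnerable" authorizer that grants admin to anyone in a group whose name string-matches "ESX Admins", and a "hardened" authorizer that only trusts a group the host admin pinned by SID. The hardened resolver is an assumed design for illustration, not a description of Broadcom's actual patch; the SIDs and user names are constructed.

```python
"""Toy model of the 'ESX Admins' name-match logic flaw (constructed example).

Not VMware, Broadcom or Microsoft code. The hardened resolver is an assumed
design (trust one group pinned by SID, keep name-based auto-add off), not a
description of the vendor's real fix.
"""
from dataclasses import dataclass, field

ESX_ADMINS_NAME = "ESX Admins"


@dataclass
class ADGroup:
    sid: str                       # stable identifier; survives a rename
    name: str                      # display/sAMAccountName; anyone with rename rights can change it
    members: set = field(default_factory=set)


class Directory:
    """Minimal stand-in for Active Directory: groups keyed by SID."""

    def __init__(self):
        self.groups = {}
        self._next_rid = 1000

    def create_group(self, name):
        sid = f"S-1-5-21-CONSTRUCTED-{self._next_rid}"   # constructed SID, not a real domain
        self._next_rid += 1
        self.groups[sid] = ADGroup(sid, name)
        return sid

    def rename_group(self, sid, new_name):
        self.groups[sid].name = new_name

    def add_member(self, sid, user):
        self.groups[sid].members.add(user)

    def groups_of(self, user):
        return [g for g in self.groups.values() if user in g.members]


def vulnerable_is_admin(directory, user, assigned_sid=None):
    """Flawed check: the assigned group counts, but so does *any* group whose
    name happens to be 'ESX Admins', regardless of who created or renamed it."""
    groups = directory.groups_of(user)
    if assigned_sid and any(g.sid == assigned_sid for g in groups):
        return True
    return any(g.name == ESX_ADMINS_NAME for g in groups)


def hardened_is_admin(directory, user, pinned_sid, auto_add=False):
    """Admin rights come only from the one group the host admin pinned by SID.
    Name matching is consulted solely when auto_add is True, which a hardened
    host leaves False."""
    groups = directory.groups_of(user)
    if any(g.sid == pinned_sid for g in groups):
        return True
    return auto_add and any(g.name == ESX_ADMINS_NAME for g in groups)


def run_scenarios():
    """Replays the three methods described in the article; returns
    {scenario: (vulnerable_verdict, hardened_verdict)} for the attacker 'mallory'."""
    results = {}

    # Method 1: a low-privileged user creates 'ESX Admins' and adds themselves.
    ad = Directory()
    real_admins = ad.create_group("Hypervisor-Admins")   # what the host admin actually configured
    ad.add_member(real_admins, "alice")
    rogue = ad.create_group(ESX_ADMINS_NAME)
    ad.add_member(rogue, "mallory")
    results["create"] = (vulnerable_is_admin(ad, "mallory", real_admins),
                         hardened_is_admin(ad, "mallory", real_admins))

    # Method 2: rename an existing, unrelated group to 'ESX Admins'.
    ad = Directory()
    real_admins = ad.create_group("Hypervisor-Admins")
    helpdesk = ad.create_group("Helpdesk")
    ad.add_member(helpdesk, "mallory")
    ad.rename_group(helpdesk, ESX_ADMINS_NAME)           # SID unchanged, name now matches
    results["rename"] = (vulnerable_is_admin(ad, "mallory", real_admins),
                         hardened_is_admin(ad, "mallory", real_admins))

    # Method 3: the host admin points the host at a new group, but a stale
    # 'ESX Admins' group with an old member is never cleaned up.
    ad = Directory()
    stale = ad.create_group(ESX_ADMINS_NAME)
    ad.add_member(stale, "mallory")
    new_admins = ad.create_group("Hypervisor-Admins")
    ad.add_member(new_admins, "alice")
    results["stale_group"] = (vulnerable_is_admin(ad, "mallory", new_admins),
                              hardened_is_admin(ad, "mallory", new_admins))

    # Control: the legitimate admin is recognised by both checks.
    results["legit"] = (vulnerable_is_admin(ad, "alice", new_admins),
                        hardened_is_admin(ad, "alice", new_admins))
    return results


if __name__ == "__main__":
    for scenario, (vuln, hard) in run_scenarios().items():
        print(f"{scenario:12s} vulnerable={vuln!s:5s} hardened={hard!s:5s}")
```

The point the model makes is that a group's name is attacker-controllable by anyone with create or rename rights on groups, while its SID is not, so an authorizer that keys on the name is trusting the wrong attribute. Real ESXi hosts expose the auto-add behaviour as an advanced host setting (the `esxAdminsGroup` and `esxAdminsGroupAutoAdd` keys under `Config.HostAgent.plugins.hostsvc`, which the article does not cover); checking that auto-add is disabled on every host is the operational counterpart of the `auto_add=False` default above.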

Broadcom said in a security advisory that it already issued a patch for CVE-2024-37085 on June 25, but only updated Cloud Foundation as recently as July 23, which is perhaps why Microsoft's report only just went live.

Jake Williams, VP of research and development at Hunter Strategy and IANS faculty member, was critical of Broadcom's approach to security, especially with regard to the severity it assigned the vulnerability.

He said: "So you create an AD group 'ESX Admins' and by default, VMware is just like 'oh, so you're the admin now?'

"And then to make it dumber, VMware classifies this as a moderate severity, despite knowing ransomware TAs are actively using it?

"I can only conclude Broadcom is not serious about security. I don't know how you conclude anything else. Oh also, there are no patches planned for ESXi 7.0."

Many commentators have questioned why an organization would join their ESXi hosts to AD in the first place, despite it being a relatively common practice.

"Why are ESX servers joined with an active directory in the first place? Because it is convenient to manage admin access to servers using a centralized platform in large corporations," Dr Martin J Kraemer, security awareness advocate at KnowBe4, told The Register.

"This is very common but also creates challenges. In many environments, the AD itself might run on a VM. Cold boot can be a nightmare. A chicken and egg problem. How can you start ESX without AD while AD runs on ESX? Admins must think about this. A well-known challenge.

"The other reality is that many platforms are connected to AD, and some of those synchronize groups and credentials with the AD. Because some applications can be considered privileged sync-partners, e.g. Azure, there might also be a risk of that other platform (Azure) requiring lesser privileges for the same operation for which AD would require higher privileges.

"If that happens to be the privilege to create a user group 'ESX Admins' which is then synchronized to AD and string-matched as a super admin group by ESX, you have the perfect combination. A great way in for attackers. One must make sure that privileges are properly matched between systems and their synchronization."

A gift for ransomware groups

Octo Tempest/Scattered Spider, Manatee Tempest/Evil Corp, Storm-0506/Black Basta, and Storm-1175 (which is a known user of Medusa ransomware) are just some of the many groups using this post-exploitation technique in the wild.

Microsoft has seen Akira, Babuk, LockBit, and Kuiper ransomware variants also deployed following the exploitation of ESXi hypervisors, which have become a hot target for financially motivated cybercriminals in recent years.

"Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target," it said.

Microsoft also said that ESXi hypervisors often fly further under the radar in security operations centers (SOCs) because security solutions often don't have the necessary visibility into ESXi, potentially allowing attackers to go undetected for longer periods of time.
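Because the abuse happens in Active Directory before the hypervisor is ever touched, the domain controllers' Security log is where a SOC can see it even without ESXi telemetry. The following is an added detection example written for this article, not Microsoft's or VMware's code: it reads Windows Security events exported as JSON lines and flags the three signals the article describes (a group named "ESX Admins" being created, an existing group being renamed to that name, or a member being added to it). The event IDs are the standard Windows values for group creation (4727/4754), account rename (4781) and member addition (4728/4756); the sample events and the account names in them are constructed.

```python
"""Flag 'ESX Admins' group creation, rename and membership changes in
Windows Security events exported as JSON lines (constructed example, not
vendor code). Field names follow the EventData XML of the named events."""
import json

ESX_ADMINS = "esx admins"          # compared case-insensitively; a defensive choice

# Standard Windows Security event IDs (well-known values, not from the article)
GROUP_CREATED = {"4727": "global", "4754": "universal"}   # security-enabled group created
GROUP_RENAMED = "4781"                                     # name of an account changed
MEMBER_ADDED = {"4728": "global", "4756": "universal"}    # member added to security-enabled group


def _is_esx_admins(name):
    return (name or "").strip().lower() == ESX_ADMINS


def classify(event):
    """Return an alert dict for an event that touches 'ESX Admins', else None."""
    eid = str(event.get("EventID", ""))
    data = event.get("EventData", {})
    actor = data.get("SubjectUserName", "?")
    if eid in GROUP_CREATED and _is_esx_admins(data.get("TargetUserName")):
        return {"technique": "create", "event_id": eid, "actor": actor,
                "group": data["TargetUserName"]}
    if eid == GROUP_RENAMED and _is_esx_admins(data.get("NewTargetUserName")):
        return {"technique": "rename", "event_id": eid, "actor": actor,
                "old_name": data.get("OldTargetUserName"), "group": data["NewTargetUserName"]}
    if eid in MEMBER_ADDED and _is_esx_admins(data.get("TargetUserName")):
        return {"technique": "member_added", "event_id": eid, "actor": actor,
                "group": data["TargetUserName"], "member": data.get("MemberName")}
    return None


def detect(lines):
    """Parse JSON-lines events, skipping blank or malformed lines, and collect alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                      # malformed export line; skip rather than crash
        hit = classify(event)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample export: two benign events, three that match, one garbage line.
SAMPLE_EVENTS = [
    '{"EventID": 4727, "EventData": {"SubjectUserName": "svc-hr", "TargetUserName": "Finance Users"}}',
    '{"EventID": 4727, "EventData": {"SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}}',
    '{"EventID": 4781, "EventData": {"SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk", '
    '"NewTargetUserName": "esx admins"}}',
    '{"EventID": 4728, "EventData": {"SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", '
    '"MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"}}',
    '{"EventID": 4728, "EventData": {"SubjectUserName": "svc-hr", "TargetUserName": "Domain Users", '
    '"MemberName": "CN=newhire,OU=Users,DC=corp,DC=example"}}',
    'this line is not json',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same three rules would sit in the SIEM, keyed on the group-name field of these events; because the attacker needs group-creation or rename rights, not domain admin, the "actor" field is worth correlating against the small set of accounts that should legitimately be managing hypervisor access.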

Because a successful ESXi attack can be so destructive, such attacks have risen sharply: in the past three years, the targeting of ESXi hypervisors has doubled.

Various ransomware-as-a-service (RaaS) groups have developed ESXi-specific variants of their payloads during that time; Play, Mallox, Cheers, and BlackSuit are just some of those that have capitalized on the trend.

Last year, the ESXiArgs variant was running rampant for some time – a project seemingly dedicated only to targeting ESXi, rather than a brand extension of an existing RaaS group.

More recently, Microsoft detailed an attack it observed at a North American engineering company hit by Black Basta ransomware after the criminals exploited CVE-2024-37085.

They gained initial access through a Qakbot infection before exploiting CVE-2023-28252, a Windows CLFS privilege escalation vulnerability. Pypykatz, a Python implementation of the post-exploitation credential-dumping tool Mimikatz, was then used to steal the account credentials of domain controllers.

Attackers then took measures to establish persistent access before exploiting CVE-2024-37085 and encrypting the ESXi file system.

Microsoft recommends that all ESXi users install the available patches and tighten their credential hygiene to prevent future attacks, and that they deploy a robust vulnerability scanner if they haven't already. ®
