
Zero Day Exploit: VMware ESXi Auth Bypass Exploited by Ransomware Attackers

July 31, 2024 Reading Time: 3 minutes

Microsoft has warned that ransomware gangs are actively exploiting a VMware ESXi authentication bypass vulnerability in cyber attacks.

The vulnerability, tracked as CVE-2024-37085, is a medium-severity flaw (CVSS score 5.3-6.8) that enables a new user to be added to a domain group named ‘ESX Admins’. Any member of that group is automatically assigned full privileges on the ESXi hypervisor.

Vulnerability Overview

Broadcom explains that a malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host configured to use AD for user management by re-creating the default AD group “ESX Admins” after it has been deleted. This group is automatically given the VIM Admin role when an ESXi host joins an AD domain.

Although a successful attack requires high privileges and user interaction, Microsoft reports that several ransomware gangs have exploited this vulnerability to escalate to full admin privileges on domain-joined hypervisors.

This access allows them to steal sensitive data from hosted virtual machines, move laterally through the network, and encrypt the ESXi hypervisor’s file system.

Microsoft has identified three tactics that attackers can use to exploit the CVE-2024-37085 vulnerability in VMware ESXi hypervisors:

  • Adding the “ESX Admins” Group: Creating the “ESX Admins” group in the domain and adding a user to it.
  • Renaming Existing Groups: Renaming any existing group in the domain to “ESX Admins” and adding a user to this group, or using an existing group member.
  • Privileges Refresh: Performing an ESXi hypervisor privileges refresh, which assigns admin privileges to the “ESX Admins” group without removing existing privileges.

Impact on Organisations

  • ESXi Hypervisors: As a bare-metal hypervisor installed directly onto physical servers, ESXi provides direct access and control of underlying resources. These hypervisors often host critical virtual machines (VMs) that are essential for network operations.
  • Ransomware Encryption: By exploiting ESXi vulnerabilities like CVE-2024-37085, ransomware operators can encrypt multiple VMs in a single attack. Custom Linux versions of ransomware like Akira, Black Basta, Babuk, Lockbit, and others have been used in these attacks.

Mitigating the Risk

Upgrade to the Latest Versions

Admins should immediately upgrade to ESXi 8.0 Update 3 and VMware Cloud Foundation 5.2, where the vulnerability has been fixed. For those using ESXi 7.0 and VMware Cloud Foundation v4.x, applying the available workaround is crucial, as these versions will not receive a fix.

Monitor for Suspicious Activities

Regularly check for any unauthorised modifications or the creation of the ESX Admins group. Ensuring that this group does not exist or is not manipulated can prevent unauthorised access.
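The three tactics listed above and the monitoring advice here can be turned into a concrete check against Active Directory audit logs. The following is an added example, not code from the original article or from Microsoft or Broadcom. It assumes Windows Security events exported as JSON lines with the standard field names (TargetUserName, NewTargetUserName, MemberName, SubjectUserName) and uses the well-known event IDs 4727/4731 (group created), 4781 (account or group renamed) and 4728/4732 (member added); those IDs and field names are not stated on the page. The sample events are constructed for illustration.

```python
"""Flag the AD-side CVE-2024-37085 patterns in Windows Security audit events (added example)."""
import json

TARGET_GROUP = "ESX Admins"          # group name the article says ESXi grants admin rights to

# Windows Security audit event IDs (assumed standard Microsoft IDs; not from the article)
GROUP_CREATED = {4727, 4731}         # security-enabled global / local group created
GROUP_RENAMED = {4781}               # name of an account (groups included) was changed
MEMBER_ADDED = {4728, 4732}          # member added to security-enabled global / local group


def _norm(name):
    """Normalise a group name so case or padding variants do not slip past the check."""
    return (name or "").strip().casefold()


def classify(event):
    """Map one parsed Security event to the tactic it matches, or None if benign."""
    eid = event.get("EventID")
    target = _norm(event.get("TargetUserName"))
    if eid in GROUP_CREATED and target == _norm(TARGET_GROUP):
        return "esx-admins-group-created"            # tactic 1: group created in the domain
    if eid in GROUP_RENAMED and _norm(event.get("NewTargetUserName")) == _norm(TARGET_GROUP):
        return "group-renamed-to-esx-admins"         # tactic 2: existing group renamed
    if eid in MEMBER_ADDED and target == _norm(TARGET_GROUP):
        return "member-added-to-esx-admins"          # tactics 1/2: a user is added to the group
    return None


def scan(jsonl):
    """Scan JSON-lines Security events and return one finding per suspicious event."""
    findings = []
    for raw in jsonl.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue                                 # skip malformed lines, do not abort the scan
        pattern = classify(event)
        if pattern:
            findings.append({
                "time": event.get("TimeCreated"),
                "pattern": pattern,
                "actor": event.get("SubjectUserName"),
                "member": event.get("MemberName"),
            })
    return findings


# Constructed sample events (not real telemetry): one benign group creation, then the
# creation of "ESX Admins", a member being added to it, and a rename to a case variant.
SAMPLE_EVENTS = """
{"TimeCreated": "2024-07-30T09:12:01Z", "EventID": 4727, "SubjectUserName": "itops", "TargetUserName": "Backup Operators"}
{"TimeCreated": "2024-07-30T10:41:17Z", "EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}
{"TimeCreated": "2024-07-30T10:41:52Z", "EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example"}
{"TimeCreated": "2024-07-30T11:03:09Z", "EventID": 4781, "SubjectUserName": "svc-help", "OldTargetUserName": "Printer Users", "NewTargetUserName": "esx admins"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        extra = f" member={f['member']}" if f["member"] else ""
        print(f"{f['time']} {f['pattern']} by {f['actor']}{extra}")
```

The match is deliberately case-insensitive so that a renamed group differing only in case is still reported. The third tactic (a privileges refresh on the ESXi host) is not visible in domain audit logs at all; that side needs the hypervisor's own logs and a periodic check that no AD group named ESX Admins exists or that the host's admin mapping has not changed.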
