Special Features

VMware Explore

Ransomware gangs are loving this dumb but deadly make-me-admin ESXi vulnerability

Get those patches applied – all the big dogs are abusing it


Do you have your VMware ESXi hypervisor joined to Active Directory? Well, the latest news from Microsoft serves as a reminder that you might not want to do that given the recently patched vulnerability that has security experts deeply concerned.

CVE-2024-37085 only carries a 6.8 CVSS rating, but has been used as a post-compromise technique by many of the world's most high-profile ransomware groups and their affiliates, including Black Basta, Akira, Medusa, and Octo Tempest/Scattered Spider.

The vulnerability allows attackers who have the necessary privileges to create AD groups – which isn't necessarily an AD admin – to gain full control of an ESXi hypervisor.

This is bad for obvious reasons. Having unfettered access to all running VMs and critical hosted servers offers attackers the ability to steal data, move laterally across the victim's network, or just cause chaos by ending processes and encrypting the file system.

The "how" of the exploit is what caused such a stir in cyber circles. There are three ways of exploiting CVE-2024-37085, but the underlying logic flaw in ESXi enabling them is what's attracted so much attention.

Essentially, if an attacker was able to add an AD group called "ESX Admins," any user added to it would by default be considered an admin.

That's it. That's the exploit.

"This method is actively exploited in the wild by the abovementioned threat actors," Microsoft warned last night. "In this method, if the 'ESX Admins' group doesn't exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group."

Another way of doing it would be to rename an existing AD group to the same "ESX Admins" name and add themselves to it. Boom – admin privileges. This method hasn't been used in practice, according to Microsoft, but it's equally as feasible to pull off.

The final method Microsoft described pertains more to how the logic flaw persists even if a network admin assigns another AD group to manage the hypervisor. As long as a group called "ESX Admins" exists, the admin privileges of the users added to it aren't immediately removed leaving them open for abuse.

Broadcom said in a security advisory that it already issued a patch for CVE-2024-37085 on June 25, but only updated Cloud Foundation as recently as July 23, which is perhaps why Microsoft's report only just went live.

Jake Williams, VP of research and development at Hunter Strategy and IANS faculty member, was critical of Broadcom's approach to security, especially with regard to the severity it assigned the vulnerability.

He said: "So you create an AD group 'ESX Admins' and by default, VMware is just like 'oh, so you're the admin now?'

"And then to make it dumber, VMware classifies this as a moderate severity, despite knowing ransomware TAs are actively using it?

"I can only conclude Broadcom is not serious about security. I don't know how you conclude anything else. Oh also, there are no patches planned for ESXi 7.0."

Many commentators have questioned why an organization would join their ESXi hosts to AD in the first place, despite it being a relatively common practice.

"Why are ESX servers joined with an active directory in the first place? Because it is convenient to manage admin access to servers using a centralized platform in large corporations," Dr Martin J Kraemer, security awareness advocate at KnowBe4, told The Register

"This is very common but also creates challenges. In many environments, the AD itself might run on a VM. Cold boot can be a nightmare. A chicken and egg problem. How can you start ESX without AD while AD runs on ESX? Admins must think about this. A well-known challenge.

"The other reality is many platforms connected to AD and some of those synchronizing groups and credentials with the AD. Because some applications can be considered privileged sync-partners, e.g. Azure, there might also be a risk of that other platform (Azure) requiring lesser privileges for the same operation that AD would require higher privileges.

"If that happens to be the privilege to create a user group 'ESX Admins' which is then synchronized to AD and string-matched as a super admin group by ESX, you have the perfect combination. A great way in for attackers. One must make sure that privileges are properly matched between systems and their synchronization."

A gift for ransomware groups

Octo Tempest/Scattered Spider, Manatee Tempest/Evil Corp, Storm-0506/Black Basta, and Storm-1175 (which is a known user of Medusa ransomware) are just some of the many groups using this post-exploitation technique in the wild.

Microsoft has seen Akira, Babuk, LockBit, and Kuiper ransomware variants also deployed following the exploitation of ESXi hypervisors, which have become a hot target for financially motivated cybercriminals in recent years.

"Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target," it said.

Microsoft also said that ESXi hypervisors often fly further under the radar in security operations centers (SOCs) because security solutions often don't have the necessary visibility into ESXi, potentially allowing attackers to go undetected for longer periods of time.

Because of the destruction a successful ESXi attack could cause, attacks have risen sharply. In the past three years, the targeting of ESXi hypervisors has doubled.

Various ransomware-as-a-service (RaaS) groups have developed ESXi-specific variants of their payloads during that time, including Play, Mallox, Cheers, and BlackSuit, which are just some of those who also capitalized on the trend.

Last year, the ESXiArgs variant was running rampant for some time – a project seemingly dedicated only to targeting ESXi, rather than a brand extension of an existing RaaS group.

More recently, Microsoft detailed an attack it observed at a North American engineering company hit by Black Basta ransomware after the criminals exploited CVE-2024-37085.

They gained initial access through a Qakbot infection before exploiting CVE-2023-28252, a Windows CLFS privilege escalation vulnerability. The Python version of the post-exploit toolkit Mimikatz, Pypykatz, was then used to steal the account credentials of domain controllers.

Attackers then took measures to establish persistent access before exploiting CVE-2024-37085 and encrypting the ESXi file system.

Microsoft recommends that all ESXi users install the available patches and scrub up their credential hygiene to prevent future attacks, as well as use a robust vulnerability scanner, if you don't already. ®

Send us news
18 Comments

Another banner year for ransomware gangs despite takedowns by the cops

And it doesn't take a crystal ball to predict the future

Security pros more confident about fending off ransomware, despite being battered by attacks

Data leak, shmata leak. It will all work out, right?

Cyberattack on NHS causes hospitals to miss cancer care targets

Healthcare chiefs say impact will persist for months

Netgear fixes critical bugs as Five Eyes warn about break-ins at the edge

International security squads all focus on stopping baddies busting in through routers, IoT kit etc

Baguette bandits strike again with ransomware and a side of mockery

Big-game hunting to the extreme

Dems want answers on national security risks posed by hiring freeze, DOGE probes

Are cybersecurity roles included? Are Elon's enforcers vetted? Inquiring minds want to know

If Ransomware Inc was a company, its 2024 results would be a horror show

35% drop in payments across the year as your backups got better and law enforcement made a difference

UK industry leaders unleash hurricane-grade scale for cyberattacks

Freshly minted organization aims to take the guesswork out of incident severity for insurers and policy holders

CDNs: Great for speeding up the internet, bad for location privacy

Also, Subaru web portal spills user deets, Tornado Cash sanctions overturned, a Stark ransomware attack, and more

Ransomware attack at New York blood services provider – donors turned away during shortage crisis

400 hospitals and med centers across 15 states rely on its products

Spending watchdog blasts UK govt over sloth-like progress to shore up IT defenses

Think government cybersecurity is bad? Guess again. It’s alarmingly so

Ransomware scum make it personal for <i>Reg</i> readers by impersonating tech support

That invitation to a Teams call on which IT promises to mop up a spamstorm may not be what it seems