Special Features

VMware Explore

Ransomware gangs are loving this dumb but deadly make-me-admin ESXi vulnerability

Get those patches applied – all the big dogs are abusing it


Do you have your VMware ESXi hypervisor joined to Active Directory? Well, the latest news from Microsoft serves as a reminder that you might not want to do that given the recently patched vulnerability that has security experts deeply concerned.

CVE-2024-37085 only carries a 6.8 CVSS rating, but has been used as a post-compromise technique by many of the world's most high-profile ransomware groups and their affiliates, including Black Basta, Akira, Medusa, and Octo Tempest/Scattered Spider.

The vulnerability allows attackers who have the necessary privileges to create AD groups – which isn't necessarily an AD admin – to gain full control of an ESXi hypervisor.

This is bad for obvious reasons. Having unfettered access to all running VMs and critical hosted servers offers attackers the ability to steal data, move laterally across the victim's network, or just cause chaos by ending processes and encrypting the file system.

The "how" of the exploit is what caused such a stir in cyber circles. There are three ways of exploiting CVE-2024-37085, but the underlying logic flaw in ESXi enabling them is what's attracted so much attention.

Essentially, if an attacker was able to add an AD group called "ESX Admins," any user added to it would by default be considered an admin.

That's it. That's the exploit.

"This method is actively exploited in the wild by the abovementioned threat actors," Microsoft warned last night. "In this method, if the 'ESX Admins' group doesn't exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group."

Another way of doing it would be to rename an existing AD group to the same "ESX Admins" name and add themselves to it. Boom – admin privileges. This method hasn't been used in practice, according to Microsoft, but it's equally as feasible to pull off.

The final method Microsoft described pertains more to how the logic flaw persists even if a network admin assigns another AD group to manage the hypervisor. As long as a group called "ESX Admins" exists, the admin privileges of the users added to it aren't immediately removed leaving them open for abuse.

Broadcom said in a security advisory that it already issued a patch for CVE-2024-37085 on June 25, but only updated Cloud Foundation as recently as July 23, which is perhaps why Microsoft's report only just went live.

Jake Williams, VP of research and development at Hunter Strategy and IANS faculty member, was critical of Broadcom's approach to security, especially with regard to the severity it assigned the vulnerability.

He said: "So you create an AD group 'ESX Admins' and by default, VMware is just like 'oh, so you're the admin now?'

"And then to make it dumber, VMware classifies this as a moderate severity, despite knowing ransomware TAs are actively using it?

"I can only conclude Broadcom is not serious about security. I don't know how you conclude anything else. Oh also, there are no patches planned for ESXi 7.0."

Many commentators have questioned why an organization would join their ESXi hosts to AD in the first place, despite it being a relatively common practice.

"Why are ESX servers joined with an active directory in the first place? Because it is convenient to manage admin access to servers using a centralized platform in large corporations," Dr Martin J Kraemer, security awareness advocate at KnowBe4, told The Register

"This is very common but also creates challenges. In many environments, the AD itself might run on a VM. Cold boot can be a nightmare. A chicken and egg problem. How can you start ESX without AD while AD runs on ESX? Admins must think about this. A well-known challenge.

"The other reality is many platforms connected to AD and some of those synchronizing groups and credentials with the AD. Because some applications can be considered privileged sync-partners, e.g. Azure, there might also be a risk of that other platform (Azure) requiring lesser privileges for the same operation that AD would require higher privileges.

"If that happens to be the privilege to create a user group 'ESX Admins' which is then synchronized to AD and string-matched as a super admin group by ESX, you have the perfect combination. A great way in for attackers. One must make sure that privileges are properly matched between systems and their synchronization."

A gift for ransomware groups

Octo Tempest/Scattered Spider, Manatee Tempest/Evil Corp, Storm-0506/Black Basta, and Storm-1175 (which is a known user of Medusa ransomware) are just some of the many groups using this post-exploitation technique in the wild.

Microsoft has seen Akira, Babuk, LockBit, and Kuiper ransomware variants also deployed following the exploitation of ESXi hypervisors, which have become a hot target for financially motivated cybercriminals in recent years.

"Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target," it said.

Microsoft also said that ESXi hypervisors often fly further under the radar in security operations centers (SOCs) because security solutions often don't have the necessary visibility into ESXi, potentially allowing attackers to go undetected for longer periods of time.

Because of the destruction a successful ESXi attack could cause, attacks have risen sharply. In the past three years, the targeting of ESXi hypervisors has doubled.

Various ransomware-as-a-service (RaaS) groups have developed ESXi-specific variants of their payloads during that time, including Play, Mallox, Cheers, and BlackSuit, which are just some of those who also capitalized on the trend.

Last year, the ESXiArgs variant was running rampant for some time – a project seemingly dedicated only to targeting ESXi, rather than a brand extension of an existing RaaS group.

More recently, Microsoft detailed an attack it observed at a North American engineering company hit by Black Basta ransomware after the criminals exploited CVE-2024-37085.

They gained initial access through a Qakbot infection before exploiting CVE-2023-28252, a Windows CLFS privilege escalation vulnerability. The Python version of the post-exploit toolkit Mimikatz, Pypykatz, was then used to steal the account credentials of domain controllers.

Attackers then took measures to establish persistent access before exploiting CVE-2024-37085 and encrypting the ESXi file system.

Microsoft recommends that all ESXi users install the available patches and scrub up their credential hygiene to prevent future attacks, as well as use a robust vulnerability scanner, if you don't already. ®

Send us news
18 Comments

About a quarter million Comcast subscribers had their data stolen from debt collector

Cable giant says ransomware involved, FBCS keeps schtum

Euro cops arrest 4 including suspected LockBit dev chilling on holiday

And what looks like proof stolen data was never deleted even after ransom paid

Cloud threats have execs the most freaked out because they're not prepared

Ransomware? More like 'we don't care' for everyone but CISOs

Ransomware gang using stolen Microsoft Entra ID creds to bust into the cloud

Defenders beware: Data theft, extortion, and backdoors on Storm-0501's agenda

NCA unmasks man it suspects is both 'Evil Corp kingpin' and LockBit affiliate

Aleksandr Ryzhenkov alleged to have extorted around $100M from victims, built 60 LockBit attacks

RansomHub genius tries to put the squeeze on Delaware Libraries

Extorting underfunded public services for $1M isn't a good look

'Patch yesterday': Zimbra mail servers under siege through RCE vuln

Attacks began the day after public disclosure

Ransomware crew infects 100+ orgs monthly with new MedusaLocker variant

Crooks 'like a sysadmin, with a malicious slant'

Rackspace internal monitoring web servers hit by zero-day

Intruders accessed machines via tool bundled with ScienceLogic, 'limited' info taken, customers told not to worry

Evil Corp's deep ties with Russia and NATO member attacks exposed

Ransomware criminals believed to have taken orders from intel services

Ivanti patches exploited admin command execution flaw

Fears over chained attacks affecting EOL product

Forget the Kia Boyz: Crooks could hijack your car with just a smartphone

Plus: UK man charged with compromising firms for stock secrets; ransomware actor foils self; and more