
CVE-2024-37085: Ransomware Operators Exploit VMware ESXi Hypervisor Vulnerability for Mass Encryption


Microsoft researchers have uncovered a vulnerability in VMware ESXi hypervisors that several ransomware operators are exploiting to obtain full administrative permissions on domain-joined ESXi hosts. The vulnerability, tracked as CVE-2024-37085, stems from a domain group whose members are granted full administrative access to the ESXi hypervisor by default, without the hypervisor validating that the group is legitimate.


Vulnerability Details


CVE-2024-37085 is an authentication bypass vulnerability with a CVSS score of 6.8. It allows an attacker who already holds sufficient Active Directory (AD) permissions to gain full control of an ESXi host that has been configured to use AD for user management. When an ESXi hypervisor is joined to an AD domain, it automatically grants full administrative access to every member of a domain group named "ESX Admins". The hypervisor does not check that such a group existed when the host was joined, and it matches the group by name rather than by its security identifier (SID), so anyone who can create or rename a domain group can mint ESXi administrators. This is what makes CVE-2024-37085 so easy to exploit once a foothold in the domain exists; it is a post-compromise technique and does not by itself provide initial access.


Microsoft researchers describe three ways CVE-2024-37085 can be exploited, all of which require the attacker to already hold enough AD privilege to manage group objects:


1. Creating a domain group: the attacker creates a new domain group named "ESX Admins" and adds themselves or other accounts to it. Because the hypervisor never verifies that the group existed when the host was joined, the newly created group is trusted immediately.

2. Renaming an existing group: any existing domain group can be renamed to "ESX Admins", after which its current members, and anyone the attacker adds, become ESXi administrators. Since the check is by name and not by SID, the rename alone is sufficient.

3. Abusing the privilege refresh: even when an administrator has configured a different AD group as the management group for the ESXi hypervisor, the full administrative privileges already granted to members of "ESX Admins" are not revoked immediately, so the attacker can keep using them until the host re-validates group membership.
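All three paths touch a domain group by name, so each leaves a trace in the domain controller's Security log: a security-enabled group is created (event 4727/4754/4731), renamed (4737/4755/4735, with the new sAMAccountName in the changed attributes), or gains a member (4728/4756/4732). The following is an added example, not code from the original article or from Microsoft's research, of detection logic that normalises those events and alerts when the watched group name appears. The field names follow the EventData layout of Windows Security events (TargetUserName, SamAccountName, MemberName, SubjectUserName); the sample records are constructed for this example and are not real telemetry.

```python
"""Flag Active Directory group changes that could mint ESXi administrators.

Added example for CVE-2024-37085 (not the article's or Microsoft's code).
Assumptions: events arrive as dicts keyed by Windows Security EventData names;
in the "group changed" events SamAccountName carries the new name when the
group was renamed and "-" when that attribute did not change; TargetUserName
is treated as the group's pre-change name.
"""
from dataclasses import dataclass

# Security-enabled group lifecycle events, by scope: global / universal / domain local.
GROUP_CREATED = {4727, 4754, 4731}
GROUP_CHANGED = {4737, 4755, 4735}   # a rename shows up as a changed SamAccountName
MEMBER_ADDED = {4728, 4756, 4732}

# ESXi's default administrator group. If esxAdminsGroup was reconfigured on the
# hosts, pass that name to detect() as well so the new group is watched too.
DEFAULT_WATCHED = ("ESX Admins",)


@dataclass(frozen=True)
class Alert:
    rule: str
    group: str
    actor: str
    detail: str


def _norm(name: str) -> str:
    # sAMAccountName comparison in AD is case-insensitive; ignore padding as well,
    # so "esx admins " is treated the same as "ESX Admins".
    return name.strip().casefold()


def detect(events, watched_groups=DEFAULT_WATCHED):
    """Return one Alert per event that creates, renames to, or populates a watched group."""
    watched = {_norm(g) for g in watched_groups}
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        actor = ev.get("SubjectUserName", "?")
        target = ev.get("TargetUserName", "")
        if eid in GROUP_CREATED and _norm(target) in watched:
            alerts.append(Alert("esx_admins_group_created", target, actor,
                                f"event {eid}: new security group named like the ESXi admin group"))
        elif eid in GROUP_CHANGED:
            new_name = ev.get("SamAccountName", "-")
            # "-" means the sAMAccountName attribute was not part of this change.
            if new_name != "-" and _norm(new_name) in watched:
                alerts.append(Alert("group_renamed_to_esx_admins", new_name, actor,
                                    f"event {eid}: '{target}' renamed to '{new_name}'"))
        elif eid in MEMBER_ADDED and _norm(target) in watched:
            alerts.append(Alert("member_added_to_esx_admins", target, actor,
                                f"event {eid}: member {ev.get('MemberName', '?')} added"))
    return alerts


# Constructed sample records covering the three exploitation paths plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance Users"},
    {"EventID": 4727, "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4737, "SubjectUserName": "jdoe", "TargetUserName": "Finance Users",
     "SamAccountName": "-"},
    {"EventID": 4755, "SubjectUserName": "helpdesk1", "TargetUserName": "Printer Operators",
     "SamAccountName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Users",
     "MemberName": "CN=new hire,CN=Users,DC=corp,DC=example"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] group={alert.group!r} actor={alert.actor} :: {alert.detail}")
```

Run against the constructed sample, the detector raises three alerts (the group creation, the member addition by the same account, and the universal-group rename to a case-variant of the name) and ignores the two benign changes. In practice the events would be pulled from the domain controllers' Security logs; because the hypervisor matches the name case-insensitively, the normalisation in `_norm` matters, and the watched list should include any custom group configured on the hosts in place of "ESX Admins".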


Exploitation by Ransomware Groups


CVE-2024-37085 has been actively exploited in the wild by several ransomware groups, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, to deploy Akira and Black Basta ransomware. Microsoft reported that these groups use it as a post-compromise technique: having already obtained sufficient AD privileges, they grant themselves full administrative access to the ESXi hypervisors, then encrypt the hypervisor's file system and disrupt every virtual machine it hosts in a single step.


Rapid7 likewise reported the vulnerability being exploited as a zero-day, with at least half a dozen ransomware operations using it to encrypt downstream file systems. Beyond mass encryption, administrative access to the hypervisor lets adversaries reach the hosted virtual machines (VMs) directly, which facilitates data exfiltration and lateral movement within the network and further increases the impact of an intrusion[4][5].


Vulnerable Products


The following products and versions are vulnerable to CVE-2024-37085:


- VMware ESXi 8.0 (fixed in ESXi80U3-24022510)

- VMware ESXi 7.0 (no patch planned)

- VMware Cloud Foundation 5.x (fixed in 5.2)

- VMware Cloud Foundation 4.x (no patch planned)


Mitigation Guidance


Organizations using domain-joined ESXi hypervisors are advised to apply the security updates released by VMware to address CVE-2024-37085. In addition, they should consider the following practices to reduce their exposure:


- Limit internet exposure: ESXi hosts and their management interfaces should never be reachable from the public internet, which removes the most common route to initial access.


- Implement the workarounds: where patching is not immediately possible, and on ESXi 7.0 and Cloud Foundation 4.x, for which no patch is planned, apply the workarounds in Broadcom's advisory. These replace the default "ESX Admins" name in the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup with a dedicated, hardened AD group, disable automatic admin rights for that group via Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd, and shorten Config.HostAgent.plugins.vimsvc.authValidateInterval from its default of 1440 minutes so that revoked group membership takes effect sooner.


- Credential hygiene: because the attack requires the ability to create, rename, or populate domain groups, protecting the accounts that hold such rights (multifactor authentication, no credential reuse, and isolation of privileged accounts) directly limits who can reach the vulnerable path.


- Regular scanning: conduct authenticated scans of network devices and hypervisors to identify unpatched hosts and blind spots in monitoring.


By applying the necessary patches and following best practices, organizations can mitigate the risks associated with CVE-2024-37085 and protect their critical infrastructure from ransomware attacks exploiting this vulnerability.


Citations:

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-37085

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37085


Crow

physics, information technologies, author, educator
