
    Threat actors are exploiting a VMware ESXi bug which could be “catastrophic” for affected firms

    By Solomon Klappholz,

    11 days ago


    A critical flaw in the VMware ESXi hypervisor is being exploited in the wild by ransomware groups, according to research from Microsoft, less than a week after VMware issued a patch to address the issue.

    The vulnerability was discovered and reported by researchers at Microsoft and is fixed in ESXi 8.0 U3. After being notified, VMware’s parent company Broadcom issued an advisory acknowledging the bug.

    CVE-2024-37085, which carries a CVSS score of 6.8, is an authentication bypass vulnerability which, if successfully exploited, would allow an attacker to obtain full administrative permissions on domain-joined ESXi hypervisors, Microsoft warned.

    “A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESX Admins' by default) after it was deleted from AD,” Broadcom’s advisory outlined.

    With full administrative access to the ESXi hypervisors, the hacker could then encrypt the file system of the hypervisor, inhibiting the functionality of any hosted servers.

    Microsoft researchers added that the threat actor would also be able to access any hosted virtual machines (VM) and potentially exfiltrate data or move laterally within the network.

    Scott Caveza, staff research engineer at Tenable, cautioned that although its CVSS rating was moderate, successful exploitation of the flaw could be “catastrophic” for businesses.

    "While the security advisory for CVE-2024-37085 provided a moderate severity rating, a CVSSv3 score of 6.8 and Tenable Vulnerability Prioritization rating of medium, successful exploitation can be catastrophic for impacted organizations.”

    Microsoft outlines a variety of methods attackers can use to compromise VMware ESXi hosts

    Microsoft detailed three possible methods to exploit CVE-2024-37085, the first of which involves adding the ‘ESX Admins’ group to the domain and adding a user to it.

    “In this method, if the ‘ESX Admins’ group doesn’t exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group.”

    The second method builds on the first, but requires access to a user with the ability to rename an existing group to ‘ESX Admins’; adding a user to the renamed group then immediately escalates that user’s privileges to full access to the hypervisors.

    Finally, Microsoft added that even if the network administrator assigns a different group to manage the ESXi hypervisor, the full administrative privileges of members of the ‘ESX Admins’ group are not immediately removed, so the default group can still be abused. This third approach was not observed in the wild during its research.
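    All three methods leave a trace on the domain controllers rather than on the ESXi host: a security group named ‘ESX Admins’ is created, an existing group is renamed to that name, or a member is added to it. The following is an added example (not code from the ITPro article or from Microsoft’s report) that runs that detection logic over Windows Security events. It uses the standard Active Directory audit event IDs for group creation (4727/4731/4754), member addition (4728/4732/4756) and account rename (4781); the event records embedded below are constructed for the example and mimic the field names of the real Security log, not a capture from a real domain. The `watch_groups` parameter is an assumption of this example: it lets you add a custom admin group while, as the third method above shows, still watching the default name.

```python
"""Detect the CVE-2024-37085 abuse pattern in Windows Security events.

Added example; not from the ITPro article or Microsoft's report. Scans
domain-controller Security events for the three steps described above:
an 'ESX Admins' group being created, a group being renamed to 'ESX Admins',
and a member being added to it. Sample events are constructed, not real.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Windows Security audit event IDs on a domain controller.
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global / local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal security group
ACCOUNT_RENAMED = 4781               # the name of an account (including a group) was changed

# ESXi grants host admin rights to this AD group name by default.
DEFAULT_ESXI_ADMIN_GROUP = "ESX Admins"


@dataclass
class Finding:
    event_id: int
    actor: str      # SubjectUserName: the account that made the change
    detail: str


def _matches(name: Optional[str], watch: Set[str]) -> bool:
    # AD group names are case-insensitive, so 'esx admins' must also match.
    return name is not None and name.strip().casefold() in {w.casefold() for w in watch}


def detect_esx_admins_abuse(events: Iterable[Dict], watch_groups: Optional[Set[str]] = None) -> List[Finding]:
    """Return one Finding per event that creates, renames to, or adds to a watched group.

    The default 'ESX Admins' name is always watched, even when an extra
    custom group is passed, because the host keeps honoring the default group.
    """
    watch = {DEFAULT_ESXI_ADMIN_GROUP} | (watch_groups or set())
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "?")
        if eid in GROUP_CREATED and _matches(ev.get("TargetUserName"), watch):
            findings.append(Finding(eid, actor, f"created group '{ev['TargetUserName']}'"))
        elif eid == ACCOUNT_RENAMED and _matches(ev.get("NewTargetUserName"), watch):
            findings.append(Finding(eid, actor,
                                    f"renamed '{ev.get('OldTargetUserName')}' to '{ev['NewTargetUserName']}'"))
        elif eid in MEMBER_ADDED and _matches(ev.get("TargetUserName"), watch):
            findings.append(Finding(eid, actor,
                                    f"added '{ev.get('MemberName')}' to '{ev['TargetUserName']}'"))
    return findings


# Constructed sample events (field names follow the Security log; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Helpdesk"},              # benign
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},           # method 1: create
    {"EventID": 4728, "SubjectUserName": "jdoe",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example", "TargetUserName": "ESX Admins"},  # method 1: add self
    {"EventID": 4781, "SubjectUserName": "svc-backup",
     "OldTargetUserName": "Printer Ops", "NewTargetUserName": "esx admins"},                 # method 2: rename
    {"EventID": 4732, "SubjectUserName": "admin",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example", "TargetUserName": "Remote Desktop Users"},  # benign
]


if __name__ == "__main__":
    for f in detect_esx_admins_abuse(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.actor} {f.detail}")
```

    Run against a real export, feed the parsed events in the same shape (EventID, SubjectUserName, TargetUserName, MemberName, Old/NewTargetUserName). Pair the detection with the host-side change: ESXi reads the admin group name from the advanced setting `Config.HostAgent.plugins.hostsvc.esxAdminsGroup`, and `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd` controls whether that group is granted admin rights automatically; keep the default name in `watch_groups` even after changing it, for the reason the third method gives.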

    Caveza noted that Microsoft’s analysis indicates that once the initial exploit is completed, the attack paths available to the attacker are all relatively easy to take advantage of.

    Thankfully, however, he said successful exploitation depends on the host having been configured to use Active Directory for user management, which poses something of a barrier to entry for the attacker.

    “While the complexity is low, an attacker first needs elevated privileges in order to modify the Active Directory (AD) configuration on the affected host… Despite this significant barrier to entry, we cannot underestimate ransomware groups' abilities and determination to escalate privileges and advance their attack path once they obtain initial access,” he explained.

    “While a medium severity vulnerability may be a lower priority for patching, this is another example of how attackers will seek out and exploit any unpatched vulnerability they can, often chaining together multiple vulnerabilities in their quest for complete takeover of a breached network."

    ESXi hypervisors a “favored target for threat actors”

    Microsoft’s report highlighted previous evidence of ransomware operators targeting ESXi hypervisors, noting that the popularity of the product in corporate networks has made it a “favored target for threat actors”.

    Hypervisors like these are convenient targets for attackers who want to evade detection by security operations centers (SOCs), Microsoft stated, as many security products have limited visibility and protection for an ESXi hypervisor.

    Moreover, an ESXi hypervisor allows an attacker to encrypt the entire file system, and every VM stored on it, with a single action, leaving them more time to focus on lateral movement or credential theft once they are inside the network.

    These reasons make hypervisors attractive targets for threat actors, the report explained, stating that the number of Microsoft incident response engagements involving ESXi hypervisors has more than doubled in the last three years.


    This popularity is reflected in the number of groups that deploy or sell ESXi encryptors such as Akira or Black Basta, including Storm-0506, Storm-1175, Scattered Spider, and EvilCorp.

    To mitigate the threat posed by this flaw, the report recommended that any organization using domain-joined ESXi hypervisors apply VMware’s security update as soon as possible and review its credential hygiene, so that attackers cannot easily obtain the Active Directory privileges they would need to exploit the vulnerability.
