Microsoft researchers have recently uncovered a significant vulnerability in ESXi hypervisors, CVE-2024-37085, which is being actively exploited by several ransomware operators. This vulnerability allows attackers to obtain full administrative permissions on domain-joined ESXi hypervisors, posing a substantial threat to network security.
Understanding the Vulnerability
ESXi is a bare-metal hypervisor installed directly onto physical servers, providing direct access and control over underlying resources. It hosts virtual machines (VMs) that often include critical servers within a network. In a ransomware attack, gaining full administrative permissions on an ESXi hypervisor can enable threat actors to encrypt the file system, disrupt hosted servers, exfiltrate data, or move laterally within the network.
The identified vulnerability involves a domain group named "ESX Admins." Members of this group are granted full administrative access to the ESXi hypervisor by default, without proper validation. Microsoft disclosed this finding to VMware through Coordinated Vulnerability Disclosure (CVD), and VMware has since released a security update. Administrators are strongly encouraged to apply these updates to protect their servers from related attacks.
Vulnerability Analysis and Exploitation Techniques
Microsoft security researchers have detailed the exploitation techniques used by ransomware operators such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. These techniques have been employed in attacks leading to Akira and Black Basta ransomware deployments. The primary method involves creating a domain group named "ESX Admins".
By doing so, attackers exploit the vulnerability in domain-joined ESXi hypervisors, elevating their privileges to full administrative access. Further analysis revealed that ESXi hypervisors joined to an Active Directory domain grant full administrative access to any member of a group named "ESX Admins," regardless of whether this group originally existed.
Microsoft identified three methods for exploiting this vulnerability:
- Adding the "ESX Admins" Group: This method is actively exploited in the wild. Attackers create the group and add themselves or other controlled users to it, gaining administrative access.
- Renaming an Existing Group: Attackers can rename any group to "ESX Admins" and add a user to it, though this method has not been observed in the wild.
- Privileges Refresh: Even if another group is assigned as the management group for the ESXi hypervisor, full administrative privileges for "ESX Admins" are not immediately removed, allowing potential exploitation. This method has also not been observed in the wild.
Impact and Case Study
Successful exploitation leads to full administrative access to ESXi hypervisors, enabling threat actors to encrypt the hypervisor's file system and potentially exfiltrate data or move laterally within the network. Ransomware operators targeting ESXi hypervisors demonstrate the evolving sophistication of cyber threats.
Earlier this year, an engineering firm in North America was impacted by Black Basta ransomware deployed by Storm-0506. The threat actor gained initial access via Qakbot infection, followed by exploiting a Windows CLFS vulnerability (CVE-2023-28252) to elevate privileges. They then created the "ESX Admins" group, added a user to it, and encrypted the ESXi file system, disrupting the hosted VMs.
Mitigation and Protection Guidance
To safeguard against this vulnerability, Microsoft recommends the following measures:
- Install Software Updates: Apply the latest security updates from VMware on all domain-joined ESXi hypervisors. If updates cannot be installed immediately, consider these interim steps:
  - Ensure the "ESX Admins" group exists and is hardened.
  - Manually deny access to this group by modifying ESXi hypervisor settings.
  - Change the admin group to a different group in the ESXi hypervisor.
  - Add custom detections in XDR/SIEM for the new group name.
  - Configure ESXi logs to be sent to a SIEM system and monitor for suspicious full administrative access.
- Credential Hygiene: Protect highly privileged accounts within the organization by:
  - Enforcing multifactor authentication (MFA) on all accounts and removing exclusions.
  - Enabling passwordless authentication methods where possible.
  - Isolating privileged accounts from productivity accounts.
- Improve Critical Asset Posture: Identify and secure critical assets such as ESXi hypervisors and vCenters with the latest updates, proper monitoring procedures, and backup and recovery plans.
- Identify Vulnerable Assets: Use authenticated scans of network devices to identify vulnerabilities and receive security recommendations.
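The custom SIEM/XDR detection recommended above, written out as an added example (not Microsoft's, VMware's, SentinelOne's or Leargas Security's own rule): it flags the Active Directory group-management events that correspond to the first two exploitation methods, creation of an "ESX Admins" group, a rename to that name, and members being added to it. The event IDs are the standard Windows Security IDs for these actions; the `Event` type and the sample events are constructed for the example.

```python
from dataclasses import dataclass

# Standard Windows Security event IDs for AD group management (constructed sample data below).
TARGET_GROUP = "esx admins"
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global / local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal group
GROUP_RENAMED = {4781}               # name of an account (user or group) was changed

@dataclass
class Event:
    event_id: int
    subject: str          # account that performed the action
    group: str            # group name after the action
    member: str = ""      # member added (MEMBER_ADDED events)
    old_name: str = ""    # previous name (GROUP_RENAMED events)

def normalize(name: str) -> str:
    """Strip a DOMAIN\\ prefix and compare case-insensitively so spelling variants are caught."""
    return name.rsplit("\\", 1)[-1].strip().lower()

def detect(events):
    """Return (rule, actor, detail) for events that create, rename to, or add members to ESX Admins."""
    alerts = []
    for e in events:
        if normalize(e.group) != TARGET_GROUP:
            continue
        if e.event_id in GROUP_CREATED:
            alerts.append(("esx_admins_group_created", e.subject, e.group))
        elif e.event_id in GROUP_RENAMED:
            alerts.append(("group_renamed_to_esx_admins", e.subject, f"{e.old_name} -> {e.group}"))
        elif e.event_id in MEMBER_ADDED:
            alerts.append(("member_added_to_esx_admins", e.subject, e.member))
    return alerts

# Constructed sample events: one unrelated group creation, then the chain the page describes.
SAMPLE_EVENTS = [
    Event(4727, "CORP\\svc_provision", "Finance Analysts"),
    Event(4727, "CORP\\jdoe", "ESX Admins"),
    Event(4728, "CORP\\jdoe", "CORP\\ESX Admins", member="CORP\\jdoe"),
    Event(4781, "CORP\\jdoe", "esx admins", old_name="Print Operators Legacy"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The third method (privileges refresh) leaves no Active Directory trace, so it is only visible through the ESXi-side logging the list recommends forwarding to the SIEM.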
How SentinelOne and Leargas Security’s XDR Can Help
Leveraging advanced security solutions like SentinelOne and Leargas Security’s XDR can significantly enhance your organization's ability to discover and remediate this vulnerability.
SentinelOne: SentinelOne’s AI-powered platform provides comprehensive endpoint protection by autonomously detecting and mitigating threats in real-time. Its behavioral AI can identify suspicious activities, such as the creation or renaming of the "ESX Admins" group, and take immediate action to contain and remediate threats. SentinelOne also offers deep visibility into endpoint activities, which helps in identifying and stopping ransomware attacks before they can cause significant damage.
Leargas Security’s XDR: Leargas Security’s XDR platform extends detection and response capabilities across various security layers, providing a unified view of your security posture. By integrating data from multiple sources, Leargas Security’s XDR can detect anomalies and potential threats associated with the "ESX Admins" group exploitation. Custom detections can be configured to monitor for specific behaviors linked to this vulnerability. Additionally, the platform’s automated response capabilities ensure that identified threats are swiftly neutralized, minimizing the risk of widespread impact.
Conclusion
The discovery of CVE-2024-37085 highlights the critical need for ongoing collaboration among researchers, vendors, and the security community to enhance defenses across the ecosystem. By applying the recommended updates, following best practices, and leveraging advanced security solutions like SentinelOne and Leargas Security’s XDR, organizations can protect their ESXi hypervisors from sophisticated ransomware attacks. At Critical Path Security, we are committed to sharing intelligence and working with the security community to help safeguard users and organizations across platforms.