
BlackByte Aims to Exploit ESXi Vulnerability Using Ransomware for Virtual Asset Breach


Threat actors utilizing the notorious BlackByte ransomware strain have added to the increasing number of cybercriminals targeting a recent authentication bypass vulnerability in VMware ESXi in order to compromise enterprise network infrastructure.

The vulnerability, known as CVE-2024-37085, allows attackers with sufficient access to Active Directory (AD) to gain full access to an ESXi host if that host utilizes AD for user management.

Microsoft and other security vendors have previously reported that ransomware groups including Black Basta (also tracked as Storm-0506), Manatee Tempest, Scattered Spider (also tracked as Octo Tempest), and Storm-1175 leveraged CVE-2024-37085 to deploy ransomware such as Akira and Black Basta. These adversaries used their AD privileges to create or modify a group named “ESX Admins” and then used that group to access the ESXi hypervisor as a fully privileged user.
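The abuse pattern above (and the domain-group manipulation Sygnia describes later in the piece) leaves a trail in Windows Security auditing on the domain controllers: a group named “ESX Admins” being created, renamed into existence, or gaining members. The following detection logic is an added example, not code from the article or from any of the vendors it cites; the event records are constructed, simplified versions of the real event fields, and the list of event IDs covers global, local and universal security groups.

```python
"""Flag AD group changes matching the CVE-2024-37085 'ESX Admins' abuse pattern.

Input is a list of simplified Windows Security event records (one dict per
event, field names as in the real EventData). In production these would be
fed from a SIEM; here a constructed sample is embedded so the script runs
stand-alone.
"""
import re

TARGET_GROUP = "ESX Admins"

# Windows Security event IDs for security-group lifecycle changes.
GROUP_CREATED = {4727, 4731, 4754}   # global / domain-local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / domain-local / universal group
NAME_CHANGED = {4781}                # account (including group) name changed


def _matches_target(name: str) -> bool:
    """Case-insensitive match that also tolerates odd spacing ('esx  admins')."""
    return re.sub(r"\s+", " ", name.strip()).lower() == TARGET_GROUP.lower()


def detect_esx_admins_abuse(events):
    """Return a list of (event_id, reason, actor) tuples worth alerting on."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "?")
        if eid in GROUP_CREATED and _matches_target(ev.get("TargetUserName", "")):
            findings.append((eid, "group created", actor))
        elif eid in MEMBER_ADDED and _matches_target(ev.get("TargetUserName", "")):
            findings.append((eid, "member added", actor))
        elif eid in NAME_CHANGED and _matches_target(ev.get("NewTargetUserName", "")):
            findings.append((eid, "existing group renamed to target", actor))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk",
     "NewTargetUserName": "esx  admins"},
    {"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Domain Users",
     "MemberName": "CN=newhire,OU=Staff,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for eid, reason, actor in detect_esx_admins_abuse(SAMPLE_EVENTS):
        print(f"ALERT event {eid}: {reason} by {actor}")
```

Because the rename case uses the new name, a group that was quietly renamed to “ESX Admins” after the fact is caught as well as one created with that name from the start.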

BlackByte has shifted from its usual practice of exploiting public-facing vulnerabilities, such as the ProxyShell flaws in Microsoft Exchange, to targeting CVE-2024-37085 in recent attacks. Researchers from Cisco Talos who observed BlackByte threat actors exploiting this vulnerability described it as one of several changes the group has made to evade defenders. These changes include the use of a new C/C++ encryptor named BlackByteNT, dropping up to four vulnerable drivers on compromised systems, and leveraging the victim organization’s AD credentials for self-propagation.

The investigation by Talos revealed that organizations in the professional, scientific, and technical services sectors are particularly exposed to attacks that use legitimate but vulnerable drivers to bypass security mechanisms, a tactic referred to as Bring Your Own Vulnerable Driver (BYOVD).

According to Talos researchers James Nutland, Craig Jackson, and Terryn Valikodath, BlackByte’s shift in programming languages from C# to Go and then C/C++ in the latest encryptor version, BlackByteNT, is a deliberate move to enhance the malware’s resistance to detection and analysis. The self-spreading nature of the BlackByte encryptor poses challenges for defenders, especially when combined with the BYOVD technique, which can hinder security controls during containment and eradication efforts.

The shift by BlackByte to target vulnerabilities like CVE-2024-37085 in ESXi illustrates how threat actors continually evolve their tactics to stay ahead of defenders, according to Darren Guccione, CEO and co-founder of Keeper Security. Exploiting vulnerabilities in ESXi is seen as a concentrated effort to compromise the core infrastructure of enterprise networks, considering that ESXi servers often host multiple virtual machines, making them prime targets for ransomware groups.

Sygnia, which has investigated numerous ransomware attacks against VMware ESXi and other virtualized environments, noted a common pattern in these attacks. Attackers typically gain initial access through phishing, vulnerability exploitation, or malicious downloads, then manipulate domain group memberships or use RDP hijacking to obtain ESXi host credentials, execute ransomware, compromise backups, and exfiltrate data.

Attacks on ESXi environments heighten the pressure on organizations and their security teams to maintain robust security measures, including effective vulnerability management, threat intelligence sharing, and incident response protocols, to keep pace with evolving adversary tactics. Mitigations for CVE-2024-37085, such as disconnecting ESXi from AD, removing the AD groups that manage ESXi, and patching the vulnerability, remain challenging to roll out given the broad attack surface and the ease of exploitation. This underscores the importance of proactive measures to protect against such threats and minimize potential damage.
