CyberSecurity SEE

Microsoft warns of ransomware gangs exploiting VMware ESXi flaw

Microsoft has issued a warning about the potential exploitation of a VMware ESXi vulnerability by various ransomware gangs, particularly highlighting the actions of Black Basta. This vulnerability, identified as CVE-2024-37085, poses a medium level of severity and could allow attackers to obtain full administrative permissions on a compromised system, potentially impacting critical network servers.

The discovery of this vulnerability was credited to Microsoft researchers Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan, and Vaibhav Deshmukh. After observing multiple ransomware operators, including Storm-0506, Storm-1175, and Octo Tempest, using the flaw to deploy ransomware such as Black Basta and Akira, Microsoft emphasized the evolving nature of ransomware tactics and their increasing impact on targeted organizations.

Through its investigations into attacks conducted by ransomware operators, Microsoft identified the specific methods used to exploit the ESXi vulnerability. Notably, attackers could leverage the flaw to elevate their privileges and gain full administrative access on the ESXi hypervisor. Further analysis revealed the root cause: ESXi hypervisors joined to an Active Directory domain grant full administrative access by default to any member of a domain group named ‘ESX Admins’, even though no such group exists in Active Directory by default.

The first exploitation method actively employed by ransomware groups was simply to create a group named ‘ESX Admins’ in the domain and add a user to it, after which that user is treated as an ESXi administrator. Given how little this requires once an attacker holds sufficient Active Directory privileges, Microsoft highlighted the critical need for organizations to address this vulnerability promptly. Although Microsoft had reported the flaw to VMware earlier in the year, it underscored the ongoing risk posed by attackers targeting ESXi hypervisors, both because of their popularity and because of the limited range of security products available for them.
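Because the abuse described above leaves a trace in Active Directory, a defender can hunt for it in domain controller Security logs. The following is an added detection example, not code from Microsoft or from this article: it flags creation of, or member additions to, any group named ‘ESX Admins’ (matched case-insensitively, as ESXi matches it). The Windows event IDs are real; the key=value log format and the sample lines are constructed for the example and would need adapting to a real SIEM export.

```python
import re

# Windows Security Log event IDs for group lifecycle (real values):
# group created: 4727 (global), 4731 (domain local), 4754 (universal)
# member added:  4728 (global), 4732 (domain local), 4756 (universal)
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
WATCHED_GROUP = "esx admins"  # compared case-insensitively

# Constructed sample lines in a simplified key=value export (hypothetical format).
# Fields: EventID, Group, Subject (who acted), Member (only on member-added events), Time.
SAMPLE_LOG = """\
EventID=4727 Group=ESX Admins Subject=CORP\\jdoe Time=2024-07-29T10:02:11Z
EventID=4728 Group=ESX Admins Member=CORP\\svc-backup Subject=CORP\\jdoe Time=2024-07-29T10:02:13Z
EventID=4727 Group=Finance-Readers Subject=CORP\\hr-admin Time=2024-07-29T10:05:00Z
EventID=4728 Group=esx admins Member=CORP\\tmpuser Subject=CORP\\jdoe Time=2024-07-29T10:07:40Z
EventID=4624 Subject=CORP\\jdoe Time=2024-07-29T10:08:00Z
"""

# key=value pairs whose values may contain spaces (e.g. "ESX Admins")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line):
    """Turn one key=value line into a dict of stripped field values."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def find_esx_admins_activity(log_text):
    """Return (kind, actor, member, time) tuples for ESX Admins group creation
    or membership additions found in the log text."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev.get("EventID", "").isdigit():
            continue
        eid = int(ev["EventID"])
        if ev.get("Group", "").lower() != WATCHED_GROUP:
            continue
        if eid in GROUP_CREATED:
            alerts.append(("group_created", ev.get("Subject"), None, ev.get("Time")))
        elif eid in MEMBER_ADDED:
            alerts.append(("member_added", ev.get("Subject"), ev.get("Member"), ev.get("Time")))
    return alerts


if __name__ == "__main__":
    for alert in find_esx_admins_activity(SAMPLE_LOG):
        print(alert)
```

Any hit on a domain that never intentionally created such a group warrants immediate review of the acting account and of all ESXi hosts joined to that domain.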

The increasing prevalence of ransomware attacks targeting ESXi hypervisors has led to a rise in incident response engagements for Microsoft, particularly emphasizing the impact of these attacks when ransomware is involved. This trend aligns with previous warnings from cybersecurity firms like Mandiant regarding the exploitation of ESXi vulnerabilities by advanced persistent threat groups.

In response to these threats, Microsoft recommended implementing multi-factor authentication, isolating privileged accounts, and enhancing critical asset posture. Additionally, they advised organizations to apply the necessary patches released by VMware to address CVE-2024-37085 and improve overall security measures to mitigate the risk of ransomware attacks.

In collaboration with Broadcom, Microsoft shared insights on the vulnerability and the actions taken to address it, resulting in a software update for ESXi 8.x and the publication of a security advisory. The importance of timely updates and adherence to security guidelines was highlighted to prevent unauthorized access to ESXi hypervisors through Active Directory privileges.

Overall, the ongoing exploitation of the VMware ESXi vulnerability by ransomware gangs underscores the critical need for organizations to address security vulnerabilities promptly and enhance their cybersecurity measures to prevent potential attacks and safeguard critical infrastructure.
