
VMware ESXi Vulnerability Exploited by Ransomware Groups to Gain Administrator Access


A recently patched vulnerability in VMware ESXi hypervisors was actively exploited by “several” ransomware groups to gain elevated privileges and deploy file-encrypting malware.

The attacks involve exploiting the CVE-2024-37085 (CVSS score: 6.8) vulnerability, an Active Directory Integration Authentication Bypass that allows an attacker to gain administrative access to the host.

“An attacker with appropriate Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (by default, ‘ESXi Administrators’) after it was removed from AD,” Broadcom-owned VMware noted in a late June 2024 advisory.

In other words, escalating privileges on ESXi to root was as simple as creating a new AD group called “ESX Admins” and adding any user to it, renaming any existing group in the domain to “ESX Admins” and adding the user to it, or using a member of an existing group with that name.

Microsoft, in a new analysis published on July 29, said it had observed ransomware operators such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest using the technique post-compromise to deploy Akira and Black Basta ransomware.


“VMware ESXi hypervisors joined to an Active Directory domain default to considering any member of a domain group named ‘ESX Admins’ as having full administrative access,” said researchers Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan, and Vaibhav Deshmukh.

“This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not verify that such a group exists when a server is joined to a domain and continue to treat all members of a group with that name with full administrative access, even if the group did not originally exist.”
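As an added example (not from the article, Microsoft, or VMware), the following detection check runs over parsed Windows Security log events and flags the condition described above: a domain group matching the “ESX Admins” name being created, a group being renamed to it, or members being added to it. The event IDs are the standard Windows Security audit events for security-enabled global groups; the sample records and account names are constructed.

```python
"""Flag Windows Security events that make a group ESXi would treat as
'ESX Admins' appear in the domain (the CVE-2024-37085 precondition)."""
import re
from typing import Iterable, Optional

# Security-enabled global group lifecycle events in the Windows Security log.
GROUP_CREATED = 4727     # A security-enabled global group was created
MEMBER_ADDED = 4728      # A member was added to a security-enabled global group
ACCOUNT_RENAMED = 4781   # The name of an account was changed (Old/NewTargetUserName)

# ESXi matches the group name case-insensitively; the pattern also covers the
# advisory's default 'ESXi Administrators' spelling.
ESX_ADMINS = re.compile(r"^esxi?\s*admin(istrator)?s$", re.IGNORECASE)

def is_esx_admins(name: Optional[str]) -> bool:
    """True when a group name would be treated as the ESXi admin group."""
    return bool(name) and ESX_ADMINS.match(name.strip()) is not None

def scan_events(events: Iterable[dict]) -> list:
    """Return one finding per event that creates, renames into, or populates
    a group matching the ESXi admin group name."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == GROUP_CREATED and is_esx_admins(ev.get("TargetUserName")):
            reason = "group created"
        elif (eid == ACCOUNT_RENAMED and is_esx_admins(ev.get("NewTargetUserName"))
              and not is_esx_admins(ev.get("OldTargetUserName"))):
            reason = f"group renamed from {ev.get('OldTargetUserName')!r}"
        elif eid == MEMBER_ADDED and is_esx_admins(ev.get("TargetUserName")):
            reason = f"member {ev.get('MemberName')!r} added"
        else:
            continue
        findings.append({"EventID": eid, "actor": ev.get("SubjectUserName"), "reason": reason})
    return findings

# Constructed sample records (not real telemetry), shaped like parsed Security log events.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance-Users"},
    {"EventID": 4727, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4781, "SubjectUserName": "svc-backup",
     "OldTargetUserName": "Printer Ops", "NewTargetUserName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Finance-Users",
     "MemberName": "CN=asmith,OU=Staff,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Each finding carries the acting account, so a single non-admin principal creating, renaming and populating the group in quick succession stands out as the pattern to investigate.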

In one attack conducted by Storm-0506 on an unknown engineering company in North America, the threat actor exploited a vulnerability to gain elevated privileges on ESXi hypervisors after gaining an initial foothold via a QakBot infection and exploiting another vulnerability in the Windows Common Log File System (CLFS) driver (CVE-2023-28252, CVSS score: 7.8) for privilege escalation.

They then deployed Cobalt Strike and Pypykatz, a Python port of Mimikatz, to steal domain administrator credentials and move laterally across the network, dropped the SystemBC implant for persistence, and abused ESXi administrator access to deploy Black Basta.

“The threat actor was also observed attempting to brute-force Remote Desktop Protocol (RDP) connections to multiple devices as another lateral movement method, and then reinstalling Cobalt Strike and SystemBC,” researchers said. “The threat actor then attempted to manipulate Microsoft Defender antivirus using various tools to avoid detection.”


The news comes after Google-owned Mandiant revealed that a financially motivated threat group called UNC4393 is using initial access gained via a C/C++ backdoor codenamed ZLoader (also known as DELoader, Terdot, or Silent Night) to deliver Black Basta, a departure from QakBot and DarkGate.

“UNC4393 has demonstrated a willingness to work with multiple distribution clusters to achieve its goals,” the threat intelligence firm said. “This latest wave of Silent Night activity, which began earlier this year, was primarily delivered via malvertising. This marked a significant shift away from phishing as the only known means of initial access for UNC4393.”

The attack sequence involves using the initial access to drop a Cobalt Strike Beacon and a mix of custom and readily available tools for reconnaissance, with RDP and Server Message Block (SMB) used for lateral movement. Persistence is achieved using SystemBC.

ZLoader, which resurfaced late last year after a long hiatus, is under active development, with new variants of the malware being spread via a PowerShell backdoor called PowerDash, according to the latest findings from Walmart’s cyber intelligence team.

Over the past few years, ransomware attackers have demonstrated a willingness to use new techniques to maximize impact and avoid detection, increasingly targeting ESXi hypervisors and exploiting recently discovered vulnerabilities in internet-facing servers to attack targets of interest.

For example, Qilin (also known as Agenda) was originally developed in the Go programming language but has since been rebuilt using Rust, indicating a shift toward building malware using memory-safe languages. Recent ransomware attacks have exploited known weaknesses in Fortinet and Veeam Backup & Replication for initial access.

“Qilin ransomware is capable of self-propagating within a local network,” Group-IB said in a recent analysis, adding that it also has the ability to “self-distribute using VMware vCenter.”

Another known malware used in Qilin ransomware attacks is a tool called Killer Ultra, which is designed to disable popular endpoint detection and response (EDR) software running on the infected host and to clear all Windows event logs to remove any trace of the intrusion.

Organizations are advised to install the latest software updates, practice credential hygiene, implement two-factor authentication, and take steps to secure critical assets with appropriate monitoring procedures and backup and recovery plans.
