Security experts are raising alarms about a newly patched VMware ESXi hypervisor vulnerability that is being actively exploited by prominent ransomware groups. CVE-2024-37085, despite its 6.8 CVSS rating, has been leveraged by ransomware gangs such as Black Basta, Akira, Medusa, and Octo Tempest/Scattered Spider as a post-compromise technique.
This vulnerability allows attackers with the ability to create Active Directory (AD) groups to gain full control over an ESXi hypervisor. The exploit is surprisingly simple: if an attacker creates an AD group named “ESX Admins,” any user added to it automatically gains admin privileges on the ESXi hypervisor. Alternatively, renaming an existing AD group to “ESX Admins” and adding themselves to it achieves the same result.
The exploit has sparked significant concern due to its ease of execution and the high stakes involved. Attackers with administrative control over ESXi hypervisors can steal data, move laterally within networks, or disrupt operations by ending processes and encrypting file systems.
Microsoft has issued warnings about the active exploitation of this method by various threat actors. While Broadcom released a patch for the vulnerability on June 25, the update for Cloud Foundation was only issued on July 23. Criticism has been directed at Broadcom for downplaying the severity of the vulnerability, especially given its active use by ransomware groups.
Jake Williams, VP of research and development at Hunter Strategy, criticized Broadcom’s handling of the issue, questioning their commitment to security. He pointed out that there are no patches planned for ESXi 7.0, further complicating the situation for organizations using older versions.
VMware ESXi hypervisors are getting exploited to spread ransomware. How ransomware gangs are achieving this and what to do about it: https://t.co/ll3sqOuyUe
— Dark Reading (@DarkReading) July 31, 2024
The vulnerability has raised questions about the practice of joining ESXi hosts to AD. While this setup simplifies administrative management in large corporations, it also introduces significant security challenges, as explained by Dr. Martin J Kraemer, a security awareness advocate at KnowBe4.
Ransomware groups such as Octo Tempest, Manatee Tempest, Storm-0506, and Storm-1175 have been actively exploiting this vulnerability. Microsoft has observed a notable increase in ransomware attacks targeting ESXi hypervisors, which are often overlooked in security operations centers (SOCs) due to their limited visibility in security solutions.
In response, Microsoft advises all ESXi users to apply the available patches, enhance their credential hygiene, and use robust vulnerability scanners to prevent future attacks.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
