
VMware patched a vulnerability in its ESXi hypervisor last week, but Microsoft revealed that the vulnerability has already been exploited by ransomware groups to gain administrative privileges.
VMware ESXi is a bare-metal hypervisor that creates and manages virtual machines directly on server hardware, which may include critical servers. CVE-2024-37085 is an authentication bypass vulnerability that could allow a malicious actor with sufficient privileges to gain full access to a domain-joined ESXi host.
The problem arises when an Active Directory group configured for ESXi administration is deleted and recreated: any users added to a new group named “ESX Admins” receive administrator privileges by default. An existing domain group can also simply be renamed “ESX Admins”, after which any new or existing members hold administrative privileges.
But to exploit CVE-2024-37085, hackers would need to gain privileged access to an Active Directory environment, which would have to be gained through a previous successful cyberattack. Organizations would also need to join their ESXi hosts to Active Directory for user management, which many do for convenience.
VMware’s owner Broadcom released multiple fixes for the vulnerability between June 25 and July 25. The vulnerability affects ESXi versions 7.0 and 8.0 and VMware Cloud Foundation versions 4.x and 5.x, but patches are only available for ESXi 8.0 and VMware Cloud Foundation 5.x. The vulnerability has a relatively low CVSS severity score of 6.8.
However, on July 29, the Microsoft Threat Intelligence team released a report claiming that CVE-2024-37085 has been exploited by ransomware groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, leading to the deployment of Akira and Black Basta ransomware. Broadcom’s advisory does not mention such in-the-wild exploitation.
SEE: Black Basta ransomware hits more than 500 organizations worldwide
“In a ransomware attack, having full administrative privileges on the ESXi hypervisor means the threat actor can encrypt the file system, which could impact the operation and functionality of the hosted server,” Microsoft said. “It also allows the threat actor to access the hosted VMs and potentially exfiltrate data or move laterally within the network.”
How Malicious Actors Exploit CVE-2024-37085
With CVE-2024-37085, an ESXi hypervisor that is joined to an Active Directory domain automatically grants full administrative access to any member of a domain group named “ESX Admins”.
By default, such a group does not exist, but cybercriminals can easily create one using the command “net group ‘ESX Admins’ /domain /add”. Membership of this group is also determined by name rather than by security identifier (SID), so adding members is equally simple.
“Any domain user with the ability to create groups can escalate privileges to full administrative access to a domain-joined ESXi hypervisor by creating such a group and adding themselves or other users under their control to that group,” Microsoft researchers wrote.
According to Microsoft, cybercriminals can exploit CVE-2024-37085 by doing one of the following:
- Create an Active Directory group called “ESX Admins” and add users to it. This is the only technique that is widely used today.
- Rename any group in the domain to “ESX Admins” and add users to that group or use existing group members.
- Even if the network administrator designates another group in the domain to manage ESXi, members of “ESX Admins” retain their administrative privileges for a period of time.
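As an added example (not code from the article, Microsoft or Broadcom), the following routine scans Windows Security audit events for the three patterns listed above: a group created with the name “ESX Admins”, an existing group renamed to that name, or members added to it. The event IDs are the standard Windows audit IDs for security group creation, membership change and account rename; the record layout and the sample log entries are constructed for this illustration.

```python
"""Flag Active Directory audit events that touch a group named 'ESX Admins'."""

# Standard Windows Security audit event IDs (global / local / universal groups).
GROUP_CREATED = {4727, 4731, 4754}    # "A security-enabled ... group was created"
MEMBER_ADDED = {4728, 4732, 4756}     # "A member was added to a security-enabled ... group"
ACCOUNT_RENAMED = {4781}              # "The name of an account was changed"

# ESXi matches the group by name, not SID; case-folding is a conservative assumption.
TARGET_GROUP = "esx admins"


def is_target(name):
    """True if the group name, ignoring case and padding, is 'ESX Admins'."""
    return name is not None and name.strip().lower() == TARGET_GROUP


def flag_event(ev):
    """Return a finding string if the event involves 'ESX Admins', else None.

    `ev` is a simplified dict of a Security log record (constructed layout).
    """
    eid = ev.get("EventID")
    actor = ev.get("SubjectUserName")
    if eid in GROUP_CREATED and is_target(ev.get("TargetUserName")):
        return f"group created: {ev['TargetUserName']} by {actor}"
    if eid in ACCOUNT_RENAMED and is_target(ev.get("NewTargetUserName")):
        return (f"group renamed to {ev['NewTargetUserName']} "
                f"from {ev.get('OldTargetUserName')} by {actor}")
    if eid in MEMBER_ADDED and is_target(ev.get("TargetUserName")):
        return f"member added: {ev.get('MemberName')} -> {ev['TargetUserName']} by {actor}"
    return None


def scan(events):
    """Return (record id, finding) pairs for every suspicious event."""
    return [(ev["EventRecordID"], f) for ev in events if (f := flag_event(ev))]


# Constructed sample records: one benign group, then the three abuse patterns.
SAMPLE_EVENTS = [
    {"EventRecordID": 101, "EventID": 4727, "TargetUserName": "Finance Users",
     "SubjectUserName": "CORP\\jdoe"},
    {"EventRecordID": 102, "EventID": 4727, "TargetUserName": "ESX Admins",
     "SubjectUserName": "CORP\\jdoe"},
    {"EventRecordID": 103, "EventID": 4728, "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "SubjectUserName": "CORP\\jdoe"},
    {"EventRecordID": 104, "EventID": 4781, "OldTargetUserName": "Helpdesk",
     "NewTargetUserName": "esx admins", "SubjectUserName": "CORP\\jdoe"},
    {"EventRecordID": 105, "EventID": 4728, "TargetUserName": "Domain Users",
     "MemberName": "CN=newhire,OU=Staff,DC=corp,DC=example",
     "SubjectUserName": "CORP\\hr-admin"},
]

if __name__ == "__main__":
    for rec_id, finding in scan(SAMPLE_EVENTS):
        print(rec_id, finding)
```

Any hit on the rename pattern is worth special attention, since the renamed group keeps its existing members and the audit trail shows no new group being created.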
Microsoft said the number of incidents involving ESXi hypervisors that it has responded to has more than doubled in the past three years, suggesting that ESXi hypervisors are a popular target because many security products have limited visibility into and protection for them, and their file systems allow for one-click, mass encryption.
Since 2021, many ransomware-as-a-service groups have developed malware targeting ESXi, including Royal, Play, Cheers, and TargetCompany.
SEE: Ransomware cheat sheet: Everything you need to know for 2024
Earlier this year, Storm-0506 attempted to exploit the CVE-2024-37085 vulnerability to deploy Black Basta ransomware on the systems of an unnamed North American engineering company. The group gained initial access through a Qakbot infection and then exploited a Windows CLFS privilege escalation vulnerability. Next, the hackers used the Pypykatz tool to steal credentials for a domain controller and then took other steps to establish persistent access.
Finally, the group exploited the CVE-2024-37085 vulnerability to gain elevated privileges on the ESXi hypervisor. Microsoft observed that the threat actor created an “ESX Admins” group and added a new user to it, then encrypted the ESXi file system and took control of the virtual machines hosted on the ESXi hypervisor.
Recommendations for VMware ESXi operators
- Install the latest software updates released by VMware on all domain-joined ESXi hypervisors.
- Employ good credential hygiene practices to prevent threat actors from accessing the privileged accounts needed to exploit CVE-2024-37085. Use multi-factor authentication, passwordless authentication methods, and authenticator apps, and isolate privileged accounts from productivity accounts.
- Identify critical assets, such as ESXi hypervisors and vCenter, and ensure they have the latest security updates, adequate monitoring procedures, and backup and recovery plans.
- Identify vulnerabilities in network devices using SNMP scanning, and subscribe to security advisories.