Security News > 2024 > July > VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085)

Ransomware operators have been leveraging CVE-2024-37085, an authentication bypass vulnerability affecting Active Directory domain-joined VMware ESXi hypervisors, to gain full administrative access to them and encrypt their file system.

"ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network," Microsoft's threat analysts explained.

Ransomware operators have been using custom Linux versions of the Akira, Black Basta, Babuk, Lockbit, and other encryptors to encrypt VMware ESXi virtual machines, but leveraging ESXi vulnerabilities such as CVE-2024-37085 means easy encryption of multiple virtual machines in one fell swoop.

According to Microsoft's analysts, ransomware operators like Storm-0506, Storm-1175, Manatee Tempest, and Octo Tempest have been exploiting CVE-2024-37085 after gaining access to AD domain controllers by compromising credentials of domain administrators.

They would then create a group named "ESX Admins" in the domain and add a user to it, which automatically conferred to that user full administrative access on the ESXi hypervisor.

"This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist. Additionally, the membership in the group is determined by name and not by security identifier," Microsoft's researchers noted.

News URL

https://www.helpnetsecurity.com/2024/07/30/cve-2024-37085-exploited/