VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085)
Security News, July 2024
Ransomware operators have been leveraging CVE-2024-37085, an authentication bypass vulnerability affecting Active Directory domain-joined VMware ESXi hypervisors, to gain full administrative access to them and encrypt their file system.
"ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network," Microsoft's threat analysts explained.
Ransomware operators have been using custom Linux builds of the Akira, Black Basta, Babuk, LockBit and other encryptors to encrypt VMware ESXi virtual machines, but leveraging ESXi vulnerabilities such as CVE-2024-37085 lets them encrypt multiple virtual machines in one fell swoop.
According to Microsoft's analysts, ransomware operators like Storm-0506, Storm-1175, Manatee Tempest, and Octo Tempest have been exploiting CVE-2024-37085 after gaining access to AD domain controllers by compromising credentials of domain administrators.
They would then create a group named "ESX Admins" in the domain and add a user to it, which automatically granted that user full administrative access to the ESXi hypervisor.
"This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treat any members of a group with this name with full administrative access, even if the group did not originally exist. Additionally, the membership in the group is determined by name and not by security identifier," Microsoft's researchers noted.
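Because ESXi matches the group by name rather than SID, a defender can watch for that name in domain controller security events regardless of which object carries it. The following is an added example, not code from the article, Microsoft or VMware: a small checker over constructed Windows Security events (the flattened key=value layout and all sample values are assumptions) that flags creation of, renaming to, or member additions to a group called "ESX Admins".

```python
import re

# Group name ESXi trusts by default; compared case-insensitively, never by SID
WATCHED_GROUP = "esx admins"

# Windows Security event IDs relevant to this abuse pattern
GROUP_CREATED = {"4727", "4731", "4754"}  # global / local / universal security group created
MEMBER_ADDED = {"4728", "4732", "4756"}   # member added to such a group
GROUP_RENAMED = {"4781"}                  # account (here: a group) renamed

# Constructed sample events, not real logs; values in quotes may contain spaces
SAMPLE_EVENTS = """\
EventID=4727 SubjectUserName=jdoe TargetUserName="ESX Admins" TargetSid=S-1-5-21-1111-2222-3333-1105
EventID=4728 SubjectUserName=jdoe MemberName="CN=svc-backup,CN=Users,DC=corp,DC=example" TargetUserName="ESX Admins"
EventID=4727 SubjectUserName=admin TargetUserName="Helpdesk Staff" TargetSid=S-1-5-21-1111-2222-3333-1106
EventID=4781 SubjectUserName=jdoe OldTargetUserName="Finance" NewTargetUserName="esx admins"
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one key=value line into a dict; quoted values keep their inner text."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def is_watched(name):
    """Name-based match, whitespace-normalised and case-insensitive, mirroring how ESXi matches."""
    return name is not None and " ".join(name.split()).lower() == WATCHED_GROUP


def detect(text):
    """Return (event_id, what happened, who did it) for each event touching the watched group."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid in GROUP_CREATED and is_watched(ev.get("TargetUserName")):
            findings.append((eid, "group created", ev.get("SubjectUserName")))
        elif eid in MEMBER_ADDED and is_watched(ev.get("TargetUserName")):
            findings.append((eid, f"member added: {ev.get('MemberName')}", ev.get("SubjectUserName")))
        elif eid in GROUP_RENAMED and is_watched(ev.get("NewTargetUserName")):
            findings.append((eid, f"group renamed from {ev.get('OldTargetUserName')}", ev.get("SubjectUserName")))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Real event exports carry these fields under slightly different names depending on the collector, so the parser and field names are the part to adapt; the name-based matching is the point.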
News URL
https://www.helpnetsecurity.com/2024/07/30/cve-2024-37085-exploited/
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-25 | CVE-2024-37085 | Improper Authentication vulnerability in VMware Cloud Foundation and ESXi. VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management (https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html) by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD. | 7.2 |