
VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085)
2024-07-30 10:56

Ransomware operators have been leveraging CVE-2024-37085, an authentication bypass vulnerability affecting Active Directory domain-joined VMware ESXi hypervisors, to gain full administrative access to them and encrypt their file system.

"ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network," Microsoft's threat analysts explained.

Ransomware operators have been using custom Linux versions of the Akira, Black Basta, Babuk, Lockbit, and other encryptors to encrypt VMware ESXi virtual machines, but leveraging ESXi vulnerabilities such as CVE-2024-37085 means easy encryption of multiple virtual machines in one fell swoop.

According to Microsoft's analysts, ransomware operators like Storm-0506, Storm-1175, Manatee Tempest, and Octo Tempest have been exploiting CVE-2024-37085 after gaining access to AD domain controllers by compromising credentials of domain administrators.

They would then create a group named "ESX Admins" in the domain and add a user to it, which automatically conferred on that user full administrative access to the ESXi hypervisor.

"This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treat any members of a group with this name with full administrative access, even if the group did not originally exist. Additionally, the membership in the group is determined by name and not by security identifier," Microsoft's researchers noted.
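Because ESXi grants admin rights by group name rather than SID, the defender-side signal is in the domain controller's Security log: the creation (or re-creation after deletion, as the vulnerability record below describes) of a group with that name, and any membership change on it. The following is an added example, not code from the article or from Microsoft or VMware; it scans a small set of constructed Windows Security events (IDs 4727, 4728 and 4730, exported as JSON lines with the standard EventData field names) and flags the pattern. The watched group names, the event samples, and the actor and member names are all constructed for the illustration.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Windows Security log event IDs used below (standard values):
#   4727 = a security-enabled global group was created
#   4728 = a member was added to a security-enabled global group
#   4730 = a security-enabled global group was deleted
# Group names to watch. The article names the group "ESX Admins" and the
# advisory text "ESXi Admins", so both are listed; comparison is
# case-insensitive because AD group names are, and ESXi matches by name only.
WATCHED_GROUP_NAMES = {"esx admins", "esxi admins"}


@dataclass
class Finding:
    event_id: int
    group: str
    actor: str            # SubjectUserName: who performed the change
    member: Optional[str] # MemberName for 4728, otherwise None
    reason: str


def is_watched_group(name: str) -> bool:
    """Case-insensitive match against the watched group names."""
    return name.strip().casefold() in WATCHED_GROUP_NAMES


def scan_events(lines: List[str]) -> List[Finding]:
    """Return one Finding per group-lifecycle or membership event on a watched group.

    A 4727 that follows a 4730 for the same group name is labelled as a
    re-creation, which is the sequence the advisory describes.
    """
    findings: List[Finding] = []
    deleted_groups = set()
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        event_id = ev["EventID"]
        group = ev.get("TargetUserName", "")  # group sAMAccountName in 4727/4728/4730
        actor = ev.get("SubjectUserName", "?")
        if event_id not in (4727, 4728, 4730) or not is_watched_group(group):
            continue
        key = group.strip().casefold()
        if event_id == 4730:
            deleted_groups.add(key)
            findings.append(Finding(event_id, group, actor, None, "watched group deleted"))
        elif event_id == 4727:
            reason = ("watched group re-created after deletion"
                      if key in deleted_groups else "watched group created")
            findings.append(Finding(event_id, group, actor, None, reason))
        elif event_id == 4728:
            findings.append(Finding(event_id, group, actor, ev.get("MemberName"),
                                    "member added to watched group"))
    return findings


# Constructed sample events (not real log data). Field names follow the
# EventData of the real event IDs; the accounts and domain are made up.
SAMPLE_EVENTS = """
{"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Marketing"}
{"EventID": 4730, "SubjectUserName": "tadmin", "TargetUserName": "ESX Admins"}
{"EventID": 4727, "SubjectUserName": "tadmin", "TargetUserName": "ESX Admins"}
{"EventID": 4728, "SubjectUserName": "tadmin", "TargetUserName": "ESX Admins", "MemberName": "CN=svc-ops,CN=Users,DC=corp,DC=example"}
{"EventID": 4728, "SubjectUserName": "hradmin", "TargetUserName": "esx admins", "MemberName": "CN=tmp,CN=Users,DC=corp,DC=example"}
{"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Marketing", "MemberName": "CN=bob,CN=Users,DC=corp,DC=example"}
"""


def scan_sample() -> List[Finding]:
    """Run the scanner over the constructed sample; returns 4 findings."""
    return scan_events(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.event_id} {f.reason}: group={f.group!r} actor={f.actor} member={f.member}")
```

In practice the same logic would run over events forwarded from every domain controller, since the group can be created on any writable DC; the benign "Marketing" events are ignored, the lowercase "esx admins" variant is caught, and the delete-then-create sequence is labelled distinctly so it can be alerted on at a higher severity.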


News URL

https://www.helpnetsecurity.com/2024/07/30/cve-2024-37085-exploited/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                        RISK
2024-06-25  CVE-2024-37085  Improper Authentication vulnerability in VMWare Cloud Foundation and Esxi  7.2

Description: VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management (see https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html) by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
Attack vector: network
Attack complexity: low
Vendor: vmware
Weakness: CWE-287
Risk score: 7.2

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 186 83 403 203 107 796