Ransomware Operators Exploit VMware ESXi Zero-Day Authentication Bypass
Overview
Ransomware operators have been exploiting CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi hypervisors that are joined to an Active Directory domain. Broadcom rates it only moderate severity (CVSS 6.8) because the attacker already needs privileges in the domain, but successful exploitation grants full administrative access to the hypervisor. That access lets the attacker encrypt the datastores holding the virtual machines' disk and configuration files, taking every VM on the host down at once.
The Vulnerability
CVE-2024-37085 affects ESXi hypervisors that have been joined to an Active Directory domain. By default, a domain-joined ESXi host grants full administrative access to every member of a domain group named "ESX Admins". That group does not exist in Active Directory by default, and ESXi does not check that it exists when the host is joined; membership is evaluated by group name rather than by the group's SID. An attacker who can create or rename groups in the domain can therefore create "ESX Admins" (or rename an existing group to that name), add an account they control, and the ESXi host will treat that account as a full administrator.
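To make the failure mode concrete, here is a toy model of the trust decision described above, added as an illustration and not ESXi's own code (the real implementation is not public). The directory, users, SIDs and group names are constructed; the model only captures the property the advisory describes: admin rights keyed on a group name that anyone able to create or rename domain groups controls, contrasted with a check that pins the group's SID at join time and refuses to join while the group is absent.

```python
"""Toy model of the "ESX Admins" trust decision (added illustration, not ESXi code)."""
from dataclasses import dataclass, field

DEFAULT_ADMIN_GROUP = "ESX Admins"   # the name a domain-joined ESXi host trusts by default


@dataclass
class Directory:
    """Minimal Active Directory stand-in: SID -> group name, user -> member SIDs (constructed)."""
    groups: dict = field(default_factory=dict)    # sid -> group name
    members: dict = field(default_factory=dict)   # user -> set of group SIDs
    _next: int = 1000

    def create_group(self, name):
        sid = f"S-1-5-21-CONSTRUCTED-{self._next}"   # invented SID format for the model
        self._next += 1
        self.groups[sid] = name
        return sid

    def rename_group(self, sid, new_name):
        self.groups[sid] = new_name

    def add_member(self, user, sid):
        self.members.setdefault(user, set()).add(sid)

    def group_names_of(self, user):
        return {self.groups[s] for s in self.members.get(user, ())}

    def group_sids_of(self, user):
        return set(self.members.get(user, ()))


def is_admin_vulnerable(directory, user, group_name=DEFAULT_ADMIN_GROUP):
    """Name-based check: any group that happens to carry the name grants admin.
    Assumption: AD group names compare case-insensitively, hence casefold()."""
    return any(n.casefold() == group_name.casefold() for n in directory.group_names_of(user))


def join_domain_hardened(directory, group_name=DEFAULT_ADMIN_GROUP):
    """Resolve the admin group to its SID once, at join time; refuse if it is absent."""
    sids = [s for s, n in directory.groups.items() if n.casefold() == group_name.casefold()]
    if len(sids) != 1:
        raise ValueError("admin group must exist before the host is joined")
    return sids[0]


def is_admin_hardened(directory, user, pinned_sid):
    """SID-based check: only the group pinned at join time grants admin."""
    return pinned_sid in directory.group_sids_of(user)


def demo():
    """Walk the attack against both checks and return the decisions."""
    results = {}

    # Vulnerable host: joined although no "ESX Admins" group exists, which the default allows.
    ad = Directory()
    printer_ops = ad.create_group("Printer Operators")
    ad.add_member("attacker", printer_ops)                 # a low-value group the attacker can rename
    results["before"] = is_admin_vulnerable(ad, "attacker")
    ad.rename_group(printer_ops, "ESX Admins")             # rename route: no new group, no member-add
    results["after_rename"] = is_admin_vulnerable(ad, "attacker")

    # Hardened host: refuses to join while the group is absent ...
    ad2 = Directory()
    try:
        join_domain_hardened(ad2)
        results["join_without_group"] = "trusted"
    except ValueError:
        results["join_without_group"] = "refused"
    # ... and once the group exists it pins the SID, so later renames change nothing.
    legit = ad2.create_group("ESX Admins")
    ad2.add_member("ops-admin", legit)
    pinned = join_domain_hardened(ad2)
    other = ad2.create_group("Backup Operators")
    ad2.add_member("attacker", other)
    ad2.rename_group(legit, "Hypervisor Admins")
    ad2.rename_group(other, "ESX Admins")                  # the name now points at the attacker's group
    results["hardened_ops_admin"] = is_admin_hardened(ad2, "ops-admin", pinned)
    results["hardened_attacker"] = is_admin_hardened(ad2, "attacker", pinned)
    results["vulnerable_attacker_after_swap"] = is_admin_vulnerable(ad2, "attacker")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The rename route in the model is worth noting for defenders: it produces no group-creation event and no membership change, only a rename, so detection that watches for creation of "ESX Admins" alone misses it.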
Exploitation Details
Microsoft Threat Intelligence has identified several ransomware operators exploiting CVE-2024-37085, including Storm-0506, Storm-1175, Manatee Tempest, and Octo Tempest. The prerequisite is an account with enough Active Directory privilege to create or rename a group; in the observed intrusions the attackers obtained that by stealing domain administrator credentials after gaining an initial foothold elsewhere in the network. They then create the "ESX Admins" group, add an account they control to it, and use that account to log in to the ESXi hosts with full administrative privileges.
Once on the hypervisor, they deploy customized Linux builds of ransomware encryptors such as Akira, Black Basta, Babuk, and LockBit, which encrypt the datastores holding the virtual machines' disk files. Because a single ESXi host typically serves many virtual machines, one compromised hypervisor lets the attacker encrypt all of them in one pass without compromising each guest operating system individually, causing widespread disruption.
Impact
Full administrative access to ESXi hypervisors allows attackers to:
- Encrypt the file system of the hypervisor, which stops every hosted virtual machine from running.
- Access and exfiltrate data from the hosted virtual machines' disk files.
- Cause significant operational and financial damage to affected organizations.
Mitigation and Fixes
Broadcom, which now owns VMware, released a fix for CVE-2024-37085 on June 25, 2024, crediting Microsoft researchers for reporting the vulnerability. The fix is included in ESXi 8.0 Update 3 and VMware Cloud Foundation 5.2. ESXi 7.0 and VMware Cloud Foundation 4.x will not receive a patch; for those versions Broadcom's knowledge base documents a workaround that changes the advanced settings controlling the admin group (Config.HostAgent.plugins.hostsvc.esxAdminsGroup, which names the trusted group, and Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd, which controls whether its members are automatically granted the admin role) so that the default "ESX Admins" name is no longer trusted.
Recommendations:
- Upgrade ESXi hosts to 8.0 Update 3 (or VMware Cloud Foundation 5.2) as soon as possible; on ESXi 7.0 and Cloud Foundation 4.x, apply Broadcom's workaround.
- Check Active Directory for an "ESX Admins" group that no administrator created, and review the membership of any such group.
- Monitor Active Directory for group creation, group renaming, and membership changes involving that group name (or the custom name configured on the hosts), and for unexpected privilege assignments more generally.
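The monitoring in the recommendations above can be implemented directly on Windows Security events from the domain controllers. The following is an added example, not from the original post or from Microsoft or Broadcom tooling; it assumes the events arrive as one JSON object per line with the EventData fields flattened the way common log shippers emit them, and it covers all three routes to the trusted group: creating it (events 4727, 4754, 4731), adding a member to it (4728, 4756, 4732), and renaming an existing group to that name (4781). The sample events are constructed.

```python
"""Flag AD changes that would make a domain-joined ESXi host trust a new admin group (added example)."""
import json
import re

TRUSTED_GROUP = "ESX Admins"   # or the custom name set in Config.HostAgent.plugins.hostsvc.esxAdminsGroup

# Security-enabled group lifecycle events, by scope (global / universal / domain-local).
GROUP_CREATED = {4727, 4754, 4731}
MEMBER_ADDED = {4728, 4756, 4732}
ACCOUNT_RENAMED = {4781}       # "The name of an account was changed" covers the rename route


def _same_group(name, trusted):
    """Trim, squash whitespace and ignore case before comparing.
    Assumption: AD name lookups are case-insensitive, so case variants must match;
    the whitespace squash is deliberately a little looser than an exact match."""
    if not name:
        return False
    return re.sub(r"\s+", " ", name.strip()).casefold() == trusted.casefold()


def classify(event, trusted=TRUSTED_GROUP):
    """Return an alert dict for one parsed Security event, or None if it is not relevant."""
    eid = int(event["EventID"])
    data = event.get("EventData", {})
    actor = data.get("SubjectUserName")
    if eid in GROUP_CREATED and _same_group(data.get("TargetUserName"), trusted):
        return {"event_id": eid, "reason": "trusted admin group created",
                "group": data["TargetUserName"], "actor": actor}
    if eid in MEMBER_ADDED and _same_group(data.get("TargetUserName"), trusted):
        return {"event_id": eid, "reason": "member added to trusted admin group",
                "group": data["TargetUserName"], "actor": actor,
                "member": data.get("MemberName") or data.get("MemberSid")}
    if eid in ACCOUNT_RENAMED and _same_group(data.get("NewTargetUserName"), trusted):
        return {"event_id": eid, "reason": "existing group renamed to trusted admin group",
                "group": data["NewTargetUserName"], "actor": actor,
                "old_name": data.get("OldTargetUserName")}
    return None


def scan(lines, trusted=TRUSTED_GROUP):
    """Run classify() over JSON-lines input and return the alerts in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = classify(json.loads(line), trusted)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: every name, SID and timestamp below is invented.
SAMPLE_EVENTS = """
{"EventID": 4727, "TimeCreated": "2024-07-01T02:11:09Z", "EventData": {"SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"}}
{"EventID": 4728, "TimeCreated": "2024-07-01T02:11:31Z", "EventData": {"SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "MemberSid": "S-1-5-21-1111-2222-3333-1105"}}
{"EventID": 4728, "TimeCreated": "2024-07-01T02:12:00Z", "EventData": {"SubjectUserName": "hr-admin", "TargetUserName": "Domain Users", "MemberName": "CN=new.hire,OU=Staff,DC=corp,DC=example"}}
{"EventID": 4781, "TimeCreated": "2024-07-02T23:40:15Z", "EventData": {"SubjectUserName": "svc-backup", "OldTargetUserName": "Printer Operators", "NewTargetUserName": "esx  admins"}}
{"EventID": 4727, "TimeCreated": "2024-07-03T09:00:00Z", "EventData": {"SubjectUserName": "ops-admin", "TargetUserName": "ESX Admins Readers"}}
"""


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the sample input this raises three alerts (the creation, the member addition, and the rename to a case and spacing variant) and ignores the unrelated Domain Users change and the similarly named but different "ESX Admins Readers" group. If the hosts have been moved to a custom admin group name via the workaround, pass that name as `trusted` so the same logic watches the group that actually matters.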
Conclusion
The active exploitation of CVE-2024-37085 highlights the need for organizations to stay vigilant and apply security updates promptly. By patching or applying the workaround, and by monitoring Active Directory for unexpected changes to the groups their hypervisors trust, administrators can help protect their virtual environments from ransomware attacks.
Source: VMware