Cloud Security , Fraud Management & Cybercrime , Ransomware
Ransomware Gangs Exploit VMware ESXi Flaw
Bug Allows Attackers to Add New Users to a Group With Full Admin PrivilegesRansomware hackers discovered a way to gain full administrative privileges on VMWare ESXi hypervisors connected to Microsoft's Active Directory, a finding that resulted in extortion demands from cybercriminals.
See Also: Protect Your Amazon S3 Data: Why Versioning, Replication, and AWS Backup are Not Enough
The vulnerability, tracked as CVE-2024-37085, allows hackers with access to Active Directory to create a group named "ESX Admins" that, by default, has administrative privileges. ESXi is a bare-metal hypervisor for creating and running hypervisors.
"Membership in the group is determined by name and not by security identifier," the tech giant disclosed Monday. VMware rated the vulnerability between 5.3 and 6.8 on the 10-point CVSS scale and released patches and workaround advice.
Ransomware operators such as Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest are exploiting the vulnerability to deploy ransomware variants, including Black Basta and Akira.
VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default, without validating the existence of such a group.
In a notable incident, Storm-0506 deployed Black Basta earlier this year. Financially motivated hackers compromised an engineering firm in North America by using the vulnerability to elevate ESXi privileges.
Attackers gained initial access through a Qakbot infection and exploited a Windows CLFS vulnerability tracked as CVE-2023-28252 to escalate privileges on affected devices.
They used tools such as Cobalt Strike and Pypykatz to steal domain administrator credentials and move laterally across the network.
After compromising the domain controllers, the attackers created the "ESX Admins" group and added a new user to it, which ultimately led to the encryption of the ESXi file system and the disruption of the hosted VMs.
"These financially motivated groups are quick to encrypt or lock as many hosts as possible, maximizing the impact to a victim organization in hopes of a handsome ransom payment," said Scott Caveza, a staff research engineer at Tenable. "Despite this significant barrier to entry, we cannot underestimate ransomware groups' abilities and determination to escalate privileges and advance their attack path once they obtain initial access."