July 30, 2024 at 04:12PM
Ransomware groups are exploiting an authentication bypass bug (CVE-2024-37085) in VMware ESXi, giving them significant access and enabling rapid malware deployment. Broadcom has issued a fix. ESXi hypervisors configured to use AD for user management inadvertently grant full administrative access to any member of an AD domain group called “ESX Admins.” Attackers find hypervisors alluring because of their complexity and the limited security protection available for them.
Key takeaways from the meeting notes:
1. Multiple ransomware groups are leveraging an authentication bypass bug in VMware ESXi hypervisors to deploy malware across virtualized environments.
2. VMware rated the bug, CVE-2024-37085, as “medium” severity with a CVSS score of 6.8 out of 10, primarily because attackers need existing permissions in the target’s Active Directory (AD) to exploit it.
3. If attackers have AD access, they can exploit CVE-2024-37085 to escalate ESXi privileges, enabling ransomware deployment, data exfiltration, and lateral movement. Various ransomware groups have already attempted this, deploying malware such as Black Basta and Akira.
4. Broadcom has published a fix for the bug on its website.
5. ESXi hypervisors, when configured to use AD for user management, granted full administrative access to any member of an AD domain group named “ESX Admins,” creating a vulnerability.
6. Exploiting CVE-2024-37085 is relatively simple for attackers with sufficient privileges in AD. They can create or rename an “ESX Admins” group in the targeted domain and add a user to it to gain ESXi admin privileges.
7. Ransomware attacks targeting ESXi and VMs have become increasingly common since 2020, as enterprises have adopted digital transformation and modern hybrid cloud environments.
8. Hypervisors running multiple VMs provide an attractive target for ransomware attacks, as they allow for widespread deployment and often host critical services and business data.
9. Security products have limited visibility and protections for hypervisors, given their isolation and complexity, presenting challenges for monitoring and protecting the entire environment.
10. Microsoft emphasized the importance of staying updated with patches and practicing broader cyber hygiene around critical and vulnerable assets to mitigate the risk of ransomware attacks targeting hypervisors and VMs.
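Items 5 through 9 describe the condition that matters for defenders: any AD group that ends up named “ESX Admins,” whether created fresh or renamed, becomes an ESXi administrator group. The following detection helper is an added example written for this summary, not code from Microsoft, VMware or Broadcom. It scans Windows Security log records for group-lifecycle events that touch a group with that name, normalising case and whitespace because the name match ESXi performed was loose. The event IDs (4727, 4728, 4737, 4781) are the standard Windows Security event IDs for group creation, member addition, group change and account rename respectively; the JSON field names and the sample records are simplified and constructed for the example, not taken from real telemetry.

```python
"""Flag Windows Security events in which an AD group named "ESX Admins"
is created, renamed, modified, or gains a member.

Added example for this summary; the event records below are constructed
and the field names follow a simplified Windows Security log schema."""
import json
import re
from typing import Iterable

# Windows Security event IDs (standard values, assumed here, not from the page):
#   4727  a security-enabled global group was created
#   4728  a member was added to a security-enabled global group
#   4737  a security-enabled global group was changed
#   4781  the name of an account was changed (group renames land here)
ACTIONS = {
    4727: "created",
    4728: "member added",
    4737: "changed",
    4781: "renamed",
}


def normalise(name: str) -> str:
    """Collapse case and whitespace before comparing group names, so that
    look-alikes such as 'esx  admins' or ' ESX Admins ' are also caught."""
    return re.sub(r"\s+", " ", name.strip()).lower()


TARGET_GROUP = normalise("ESX Admins")


def group_name_from(event: dict) -> str:
    """Return the group name an event refers to. For renames (4781) the new
    name is what matters; for the other events it is the target account."""
    if int(event["EventID"]) == 4781:
        return event.get("NewTargetUserName", "")
    return event.get("TargetUserName", "")


def find_esx_admins_events(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-encoded event records and return compact summaries of those
    that create, rename, change, or add a member to an 'ESX Admins' group."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event_id = int(event["EventID"])
        if event_id not in ACTIONS:
            continue
        if normalise(group_name_from(event)) != TARGET_GROUP:
            continue
        hits.append({
            "time": event.get("TimeCreated", ""),
            "event_id": event_id,
            "action": ACTIONS[event_id],
            "group": group_name_from(event),
            "actor": event.get("SubjectUserName", ""),
            "member": event.get("MemberName", ""),
        })
    return hits


# Constructed sample log lines (not real telemetry): one benign group
# creation, a suspicious "ESX Admins" creation plus member add, a rename
# to a whitespace variant of the name, and an unrelated logon event.
SAMPLE_LOG = """
{"TimeCreated": "2024-07-30T10:01:00Z", "EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Backup Operators"}
{"TimeCreated": "2024-07-30T10:02:00Z", "EventID": 4727, "SubjectUserName": "svc-deploy", "TargetUserName": "ESX Admins"}
{"TimeCreated": "2024-07-30T10:03:00Z", "EventID": 4728, "SubjectUserName": "svc-deploy", "TargetUserName": "ESX Admins", "MemberName": "CN=tmp-user,OU=Staff,DC=corp,DC=example"}
{"TimeCreated": "2024-07-30T10:04:00Z", "EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Printer Ops", "NewTargetUserName": "esx  admins"}
{"TimeCreated": "2024-07-30T10:05:00Z", "EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"}
"""

if __name__ == "__main__":
    for hit in find_esx_admins_events(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run against the constructed sample, the helper returns three hits (the creation, the member addition, and the rename to “esx  admins”) and ignores the benign group and the logon event. In practice the same logic would be fed from domain controller Security logs, and any hit on an environment whose ESXi hosts are joined to AD should be treated as a high-priority alert until the hosts are patched with Broadcom’s fix.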