Exploitation of VMware ESXi Zero-Day Vulnerability (CVE-2024-37085) by Ransomware Groups
Ransomware operators have been exploiting a zero-day vulnerability, CVE-2024-37085, which allows authentication bypass on VMware ESXi hypervisors joined to Active Directory domains. This flaw gives attackers full administrative access to encrypt server file systems.
Broadcom released a patch for CVE-2024-37085 on June 25, 2024, crediting Microsoft researchers for the discovery. However, at the time of the release, it was not disclosed that this zero-day vulnerability was actively being exploited.
Details of the Exploit
Microsoft’s threat analysts explain that ESXi hypervisors host critical virtual machines (VMs) that are critical to network infrastructure and can be exploited by ransomware groups using encryptors like Akira, Black Basta, Babuk, and Lockbit. Groups such as Storm-0506 and Octo Tempest have exploited CVE-2024-37085 by compromising domain admin credentials, creating an “ESX Admins” group, and gaining full administrative rights.
This group isn’t a default in Active Directory, but ESXi servers grant full access to members of a group named “ESX Admins,” based on the name rather than a security identifier (SID). Renaming any group to “ESX Admins” achieves the same effect.
Affected Systems (all must be true)
- Windows Authentication has been previously enabled to sign into ESXi 7.0 or 8.0 VMWare hosts with your Active Directory password – not to be confused with using your Windows password to sign into vCenter, which is not affected.
- VMWare ESXi host(s) are joined to your Active Directory domain. Joining a VMWare host to your Active Directory is not a common practice and is not required to run domain-joined virtual machines.
- The attacker account is already in the Domain Administrators group, Account Operators group, or explicitly delegated group creation/change permissions
Recommended Actions
With administrative access, attackers can exfiltrate data from VMs before encryption. The vulnerability is fixed in ESXi 8.0 Update 3 and VMware Cloud Foundation 5.2. Versions 7.0 and v4.x, respectively, have a workaround available since they will not have an update available. The workaround can also be applied to the newer versions before their software update. Admins should upgrade systems promptly and monitor for unauthorized changes to the ESX Admins group.
Xiologix Support
Customers can open a support ticket with us to determine if they’re impacted. You can reach us by emailing support@xiologix.com or calling (503) 691-4364 ext. 222. Xiologix Managed Services customers will be proactively addressed.
Learn More
To explore more about the vulnerability and its mitigation strategies, please refer to the following sources: