Hackers Exploiting ESXi Hypervisor Auth Bypass Flaw For Ransomware Attacks

Hackers prefer ransomware attacks primarily because they offer the highest chance of financial gain. By locking victims’ information systems and asking for payment to release them, ransomware attacks lock victims’ information systems and demand payment to unlock them.

Considering such a high level of risk, victims are pushed to make ransom payments as fast as possible to return their computers to operation quickly, consequently reducing business downtime. Together, these things make them an attractive and successful approach for threat actors.

Microsoft cybersecurity researchers recently discovered that hackers have been actively exploiting the ESXi Hypervisor auth bypass flaw to launch ransomware attacks.

Hackers Exploiting ESXi Hypervisor

The security flaw in the VMware ESXi hypervisors has been tracked as “CVE-2024-37085,” which Storm-0506 and Octo Tempest ransomware groups exploited.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

This flaw enables hackers to gain complete control by manipulating a domain group called “ESX Admins”. Hackers can add or rename this group while bypassing proper checks.

Once attackers exploit the above vulnerability, they are able to hijack virtual machines’ file systems, encrypt them, steal data from these machines, and move within networks laterally.

This vulnerability affects domain-joined ESXi servers, potentially compromising entire virtualized infrastructures.

VMware has released a patch for it, and administrators are strongly recommended to apply it as soon as possible and review their extensive remediation and prevention guidance.

This will ensure effective protection against such advanced malware.

Ransomware actors have increasingly targeted the ESXi hypervisors over the past year, taking advantage of their lack of security visibility and capacity for mass encryption.

In the last three years, Microsoft has witnessed a doubling of ESXi-related incidents. In one case, Storm-0506 used Black Basta ransomware against a North American engineering firm.

The attack chain exploited CVE-2024-37085 on ESXi hypervisors, coupled with initial Qakbot infection and Windows CLFS vulnerability (CVE-2023-28252) exploitation. 

Threat actors used various tools like Cobalt Strike, Pypykatz, and SystemBC to steal credentials, move laterally, and maintain persistence.

Given the name “ESX Admins,” they did this in order to gain higher privileges, consequently, it led to the encryption of the ESXi file system and disruption of VMs on those systems.

While successful on ESXi systems, but some non-ESXi devices were protected from encryption by Microsoft Defender Antivirus and Defender for Endpoint’s automatic attack disruption capabilities.

This shows how essential comprehensive security measures are.

Mitigations

Here below we have mentioned all the mitigations:-

• Install software updates
• Credential hygiene
• Improve critical assets posture
• Identify vulnerable assets

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access