A recently disclosed vulnerability in VMware ESXi hypervisors is being actively exploited by several ransomware groups, raising significant concern among defenders. The flaw, tracked as CVE-2024-37085 and assigned a CVSS score of 6.8, is an authentication bypass: an attacker who already holds sufficient Active Directory (AD) permissions can obtain full administrative access to any ESXi host that has been joined to the domain for user management.
The weakness lies in how ESXi maps AD groups to host privileges. According to the late June advisory from VMware (VMSA-2024-0013), a malicious actor with sufficient AD permissions can regain full control of an ESXi host by re-creating the configured admin group after it has been deleted from Active Directory. The group in question is the default value of the ESXi setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup, "ESX Admins" (the advisory refers to it as "ESXi Admins"). ESXi does not track the group's identity beyond its name, and the group does not exist in AD by default, so simply creating a domain group with that name, or renaming an existing group to it, grants its members administrative access to every domain-joined host that still uses the default. No exploit code or sophisticated technique is needed, only the AD permission to create or rename a group and add members to it.
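Because the abuse consists of ordinary AD group operations, the most direct detection is on the domain controllers' Security log. The following is an added example (not code from VMware, Microsoft or the original article) of that detection logic: it parses Windows Security events exported as JSON lines and flags the three staging actions described above, a group created with the watched name, an existing group renamed to it, and members added to it. The event IDs are the standard Windows ones for security-enabled group creation (4727/4731/4754), membership additions (4728/4732/4756) and account rename (4781); the sample events are constructed for illustration, and the JSON field names are assumed to follow the event XML data names (TargetUserName, SubjectUserName, and so on).

```python
"""Flag AD group changes that could be CVE-2024-37085 staging.

Hypothetical detection logic written for this article: it reads Windows
Security events (exported as JSON lines) and alerts when a group named
like the ESXi admin group is created, when an existing group is renamed
to that name, or when members are added to it.
"""
import json
from typing import Iterable

# Default value of the ESXi advanced setting
# Config.HostAgent.plugins.hostsvc.esxAdminsGroup. Pass a different
# name to scan_events() if your hosts were configured with another group.
ESX_ADMINS_GROUP = "ESX Admins"

# Windows Security event IDs logged by domain controllers.
GROUP_CREATED = {4727: "global", 4731: "local", 4754: "universal"}
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
ACCOUNT_RENAMED = 4781  # "The name of an account was changed" (also fires for groups)

# Constructed sample log, not real telemetry. Field names are assumed to
# mirror the Security event XML data names.
SAMPLE_EVENTS_JSONL = """\
{"EventID": 4727, "SubjectUserName": "helpdesk-admin", "TargetUserName": "Helpdesk", "TargetDomainName": "CORP"}
{"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"}
{"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Marketing", "NewTargetUserName": "esx admins", "TargetDomainName": "CORP"}
{"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "TargetDomainName": "CORP", "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"}
{"EventID": 4728, "SubjectUserName": "helpdesk-admin", "TargetUserName": "Helpdesk", "TargetDomainName": "CORP", "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"}
"""


def load_events(jsonl: str) -> list[dict]:
    """Parse one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _same_group(name: str, watched: str) -> bool:
    # Compare case-insensitively and ignore surrounding whitespace. That is
    # the conservative choice for a detection: a case variant of the name
    # still deserves an analyst's attention.
    return name.strip().casefold() == watched.strip().casefold()


def scan_events(events: Iterable[dict], watched_group: str = ESX_ADMINS_GROUP) -> list[dict]:
    """Return one alert per event that creates, renames to, or populates the watched group."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "?")
        if eid in GROUP_CREATED and _same_group(ev.get("TargetUserName", ""), watched_group):
            alerts.append({"event_id": eid, "technique": "group_created", "actor": actor,
                           "group": ev["TargetUserName"],
                           "detail": f"{GROUP_CREATED[eid]} security group created"})
        elif eid == ACCOUNT_RENAMED and _same_group(ev.get("NewTargetUserName", ""), watched_group):
            alerts.append({"event_id": eid, "technique": "group_renamed", "actor": actor,
                           "group": ev["NewTargetUserName"],
                           "detail": f"renamed from {ev.get('OldTargetUserName', '?')}"})
        elif eid in MEMBER_ADDED and _same_group(ev.get("TargetUserName", ""), watched_group):
            alerts.append({"event_id": eid, "technique": "member_added", "actor": actor,
                           "group": ev["TargetUserName"],
                           "detail": ev.get("MemberName", "?")})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(load_events(SAMPLE_EVENTS_JSONL)):
        print(f"[{alert['event_id']}] {alert['technique']:<14} by {alert['actor']}: "
              f"{alert['group']} ({alert['detail']})")
```

Run against the sample, the scanner raises three alerts, all attributed to "jdoe": the creation of "ESX Admins", the rename of "Marketing" to "esx admins", and the addition of svc-backup to the group, while the Helpdesk activity is ignored. If your hosts were deliberately configured with a non-default group name, pass it as watched_group; if the default was never changed, any of these three events should be treated as a high-priority signal on an otherwise quiet group name.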
Microsoft has observed a rise in attacks leveraging this vulnerability by several ransomware operators, including Storm-0506, which has deployed Black Basta, and Storm-1175, which is linked to Medusa ransomware. Following initial access, often through commodity malware such as QakBot, the attackers exploit the ESXi flaw to gain administrative control of the hypervisors, using Cobalt Strike for command and control and SystemBC for persistence while harvesting credentials and moving laterally through the network.
For instance, Storm-0506 targeted an engineering firm in North America, initially breaching the network via a QakBot infection and then exploiting a separate vulnerability in the Windows Common Log File System Driver (CVE-2023-28252) for privilege escalation. Once inside, the attackers used Cobalt Strike to expand their foothold, stole the credentials of two domain administrator accounts, and from there gained access to the ESXi hosts before deploying ransomware.
Scott Caveza, a research engineer at Tenable, emphasized that successful exploitation of this vulnerability relies on the host being configured to use AD for user management. Attackers must also possess privileged access to the AD environment, making initial access pivotal. Given the determination of ransomware groups, however, that barrier is one they routinely clear in the course of an intrusion.
In related reporting, threat intelligence firm Mandiant described a financially motivated cluster it tracks as UNC4393, the operators behind Black Basta ransomware, which has moved to an evolving backdoor known as ZLoader. The shift marks a move toward new infection vectors and away from the phishing-led QakBot deliveries the group previously relied on, and illustrates the growing cooperation among criminal actors that lets them swap in new tooling as old distribution channels are disrupted.
The intrusion pattern typically combines established tooling for reconnaissance with Remote Desktop Protocol (RDP) and Server Message Block (SMB) for lateral movement within the compromised network. Persistence is usually achieved through implants such as SystemBC, allowing the attackers to maintain their foothold after the initial breach.
In light of these developments, organizations are urged to apply the vendor fix where one exists (ESXi 8.0 Update 3 addresses the flaw; no patch is planned for the ESXi 7.0 line) and, where patching is not possible, to apply Broadcom's documented workaround of disabling Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd and changing the esxAdminsGroup setting away from its default. Beyond that, the usual controls apply: timely software updates, tight control over who can create and modify AD groups, multi-factor authentication, proactive monitoring, and tested offline backups, since ransomware actors move quickly to weaponize newly disclosed vulnerabilities.
In summary, this vulnerability poses a significant threat to any organization running VMware ESXi hypervisors integrated with Active Directory. Defensive measures mapped to the MITRE ATT&CK framework, particularly around initial access, privilege escalation, persistence, and lateral movement, will be critical in countering such threats.