2024-08-08

Storm-0506 and Other Threat Actors Leverage ESXi Flaw for Ransomware Deployment

Level: Tactical | Source: Microsoft | Global

Microsoft researchers have reported exploitation of a vulnerability in VMware ESXi hypervisors that allows threat actors to obtain full administrative permissions on domain-joined ESXi hypervisors. This authentication bypass vulnerability, exploited by threat actors Microsoft tracks as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest (aka Evil Corp, Indrik Spider), can lead to the deployment of ransomware variants such as Akira and Black Basta. The vulnerability is particularly severe because it enables attackers to create a new user with administrative privileges by manipulating domain group settings, which can result in encryption of the ESXi hypervisor file system and affect the hosted virtual machines. On July 30, 2024, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog, emphasizing its critical nature.

Microsoft emphasizes the risk posed by the vulnerability, explaining: "the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named 'ESX Admins' to have full administrative access by default. This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treat any members of a group with this name with full administrative access, even if the group did not originally exist."

Microsoft has observed threat actors exploiting CVE-2024-37085 through three distinct methods to gain administrative access to ESXi hypervisors: adding an "ESX Admins" group to the domain and adding a user to it, renaming any existing group in the domain to "ESX Admins" and adding a user, or using the existing members of such a group. Another method abuses the ESXi hypervisor privilege refresh behavior: even after an administrator changes the group settings, the administrative privileges granted to the "ESX Admins" group may not be removed immediately. These techniques enable attackers to elevate their privileges and carry out malicious activity such as encrypting the hypervisor's file system, accessing hosted VMs, and moving laterally within the network.

In one intrusion, the threat actor group Storm-0506 exploited this vulnerability to deploy Black Basta ransomware at a North American engineering firm. The attackers initially gained access through a QakBot infection and used a Windows CLFS vulnerability (CVE-2023-28252) to escalate privileges. They deployed Cobalt Strike and Pypykatz for command and control (C2) and credential gathering. SystemBC malware was used to establish persistence, and the attackers attempted brute-force RDP connections for further lateral movement. After creating the "ESX Admins" group and adding a new user to it, they encrypted the ESXi file system, disrupting the hosted VMs.

To mitigate the risk posed by CVE-2024-37085, Microsoft recommends that organizations apply the security updates released by VMware. Additional protective measures include validating and hardening the "ESX Admins" group, manually denying access by this group on the ESXi hypervisor, and changing the admin group to a different name. Organizations should also enforce multifactor authentication (MFA), enable passwordless authentication methods, and isolate privileged accounts from productivity accounts. Given how widely the technology is deployed, a large population of hosts is exposed to these threat actors, as evidenced by the sale of ESXi unauthenticated shells on the dark web alongside ESXi-flavored ransomware encryptors. Monitoring, configuring detections, and following the guidance offered in intelligence reports are crucial to protecting against such exploits.
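The group-manipulation methods described above (creating, renaming, or populating a domain group named "ESX Admins") all leave Windows Security audit events on the domain controller, which is where the detection guidance in this report can be turned into a concrete check. The script below is an added example, not code from the original report or from Microsoft's own hunting queries: it scans JSON-per-line Security events for group creation, member addition, and account rename events that touch a group with that name. The field names follow the Windows Security event schema, and the sample records are constructed for the demonstration.

```python
"""Flag creation, renaming, or membership changes of a domain group named
"ESX Admins" in Windows Security audit events (added example, constructed data)."""
import json

WATCHED_GROUP = "esx admins"  # AD group names are case-insensitive, so compare lowercased

# Windows Security event IDs for group lifecycle events:
# 4727/4728 global groups, 4754/4756 universal groups, 4731/4732 domain-local groups,
# 4781 is "the name of an account was changed" and covers group renames.
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
ACCOUNT_RENAMED = {4781}


def classify(event):
    """Return an alert string if the event touches the watched group, else None."""
    eid = event.get("EventID")
    actor = event.get("SubjectUserName")
    group = (event.get("TargetUserName") or "").lower()  # group name for create/add events
    if eid in GROUP_CREATED and group == WATCHED_GROUP:
        return f"group '{event['TargetUserName']}' created by {actor}"
    if eid in MEMBER_ADDED and group == WATCHED_GROUP:
        return f"{event.get('MemberName')} added to '{event['TargetUserName']}' by {actor}"
    new_name = (event.get("NewTargetUserName") or "").lower()  # post-rename name in 4781
    if eid in ACCOUNT_RENAMED and new_name == WATCHED_GROUP:
        return f"'{event.get('OldTargetUserName')}' renamed to '{event['NewTargetUserName']}' by {actor}"
    return None


def scan(lines):
    """Parse JSON-per-line events and return the list of alerts in input order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the whole scan
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: three should alert, the last (a normal group add) should not.
SAMPLE_EVENTS = """
{"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"}
{"EventID": 4728, "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,OU=Users,DC=corp,DC=example", "SubjectUserName": "jdoe"}
{"EventID": 4781, "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins", "SubjectUserName": "asmith"}
{"EventID": 4728, "TargetUserName": "Domain Users", "MemberName": "CN=newhire,OU=Users,DC=corp,DC=example", "SubjectUserName": "hr-svc"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print("ALERT:", alert)
```

In production the same logic would run over events forwarded from domain controllers, and a rename to "ESX Admins" (event 4781) deserves the same priority as a fresh creation, since both produce a group ESXi will honor.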
