CVE-2024-37085: VMware ESXi Hypervisor Vulnerability Exploited by Ransomware Groups

Managed CSOC

Background

On Monday, July 29, Microsoft issued a comprehensive threat intelligence blog detailing the observed exploitation of CVE-2024-37085, an Active Directory integration authentication bypass vulnerability impacting Broadcom VMware ESXi hypervisors. According to Redmond, the vulnerability was discovered in zero-day attacks and has been utilized by at least half a dozen ransomware operations to get full administrative privileges on domain-joined ESXi hypervisors (allowing attackers to encrypt downstream file systems). CVE-2024-37085 was one of the vulnerabilities addressed in Broadcom’s June 25 advisory, and it appears to have been exploited as a zero-day vulnerability.

ESXi gives users direct access to underlying server resources and hosts critical virtual machines required for network operations. As a result, attackers who get administrative access using the vulnerability can cause substantial network damage.

CVE-2024-37085:

CVE-2024-37085 (CVSS: 6.8, Medium) is an authentication bypass vulnerability that allows attackers to exploit Active Directory integration in VMware ESXi hypervisors, potentially resulting in privilege escalation.

By creating an ESX Admins group in Active Directory, attackers can instantly grant a new user complete administrative capabilities on the ESXi hypervisor.

The ESX Admins group is not built-in and does not exist by default in Active Directory; yet, when joined to a domain, ESXi hypervisors do not verify the group’s existence, treating any members of such a group as having full administrative rights, even if the group was created maliciously.

Overall, the CVE-2024-37085 vulnerability, if exploited, gives attackers complete control over the hypervisor and the virtual machines it hosts.

Microsoft researchers found CVE-2024-37085 after it was utilized as a post-compromise attack mechanism by several ransomware operators, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. The attacks that Microsoft noticed involved the use of the following commands, which first create a group called “ESX Admins” in the domain and then add a user to that group:

 

Netgroup “ESX Admins” /domain /add

net group “ESX Admins” username/domain/add


Microsoft has found three techniques for exploiting CVE-2024-37085, including the in-the-wild technique detailed above:

  • Adding the “ESX Admins” group to the domain and adding a user to it (as seen in the wild): If the “ESX Admins” group does not exist, any domain user with group-creation permissions can elevate privileges to full administrative access to domain-joined ESXi hypervisors by creating a new group and adding themselves or other users under their control to it. 
  • Renaming any domain group to “ESX Admins” and adding or using an existing group member: This needs an attacker to have access to a user with the ability to rename arbitrary groups (for example, renaming one of them “ESX Admins”). The threat actor can then add a new user or use an existing user in the group to get full authority. 
  • ESXi hypervisor privileges refresh: Even if the network administrator designates another group in the domain as the ESXi hypervisor’s management group, members of the “ESX Admins” group retain full administrative privileges, which threat actors may exploit.

Ransomware targeting ESXi Hypervisors:

Microsoft has seen an increase in ransomware attacks on ESXi hypervisors over the last year. According to the IT giant, these hypervisors are enticing targets due to their low visibility and protection from many security technologies.

Encrypting an ESXi hypervisor file system enables attackers to carry out mass encryption with a single action, affecting all hosted virtual machines. This strategy gives attackers additional time and the possibility to move laterally and grab credentials across the network.

Ransomware groups Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have been detected as supporting or selling ESXi encryptors such as Akira, Black Basta, Babuk, Lockbit, and Kuiper.

Detection:

Detects the execution of the “net.exe” command, which adds a group named “ESX Admins”. This could indicate an attempt to exploit CVE-2024-37085, which allows an attacker to get complete administrative access to a domain-joined ESXi hypervisor. VMware ESXi hypervisors that are linked to an Active Directory domain automatically grant full administrative access to any member of the domain group “ESX Admins”.

 

title: Potential Exploitation of CVE-2024-37085 – Suspicious Creation Of ESX Admins Group

id: c408acfe-2870-41df-8d2f-9f4daa4555ed

status: experimental

description: |

    Detects execution of the “net.exe” command to add a group named “ESX Admins”.

    This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.

    VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named “ESX Admins” to have full administrative access by default.    

references:

    – https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/

author: frack113

date: 2024/07/29

tags:

    – attack.execution

    – cve.2024.37085

    – detection.emerging_threats

logsource:

    category: process_creation

    product: windows

detection:

    selection_net_img:

        – Image|endswith:

              – ‘\net.exe’

              – ‘\net1.exe’

        – OriginalFileName:

              – ‘net.exe’

              – ‘net1.exe’

    selection_net_cmd:

        CommandLine|contains|all:

            – ‘/add’

            – ‘/domain’

            – ‘ESX Admins’

            – ‘group’

    selection_powershell_img:

        – Image|endswith:

              – ‘\PowerShell.exe’

              – ‘\pwsh.exe’

        – OriginalFileName:

              – ‘PowerShell.exe’

              – ‘pwsh.dll’

    selection_powershell_cli:

        CommandLine|contains|all:

            – ‘New-ADGroup’

            – ‘ESX Admins’

    condition: all of selection_net_* or all of selection_powershell_*

falsepositives:

    – Unknown

level: high

Mitigation:

The following products and versions are vulnerable to CVE-2024-37085:

  • VMware ESXi 8.0 (fixed in ESXi80U3-24022510)
  • VMware ESXi 7.0 (no patch planned)
  • VMware Cloud Foundation 5.x (fixed in 5.2)
  • VMware Cloud Foundation 4.x (no patch planned) 

If updating is not immediately feasible, you can use the following solutions to mitigate the issue:

  1. Change the ESXi advanced option Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd from true to false.

  2. Adjust the Config.HostAgent.plugins.vimsvc.authValidateInterval from 1440 to 90.

  3. Set Config.HostAgent.plugins.hostsvc.esxAdminsGroup from “ESX Admins” to “”.

References

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

Ready to get started?

Contact us to arrange a half day Managed SOC and XDR workshop in Dubai

© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.
This is a staging environment