overview

A critical authentication bypass vulnerability, tracked as CVE-2024-37085, affecting VMware ESXi hypervisors is being actively exploited by ransomware groups. This vulnerability, which affects Active Directory (AD) domain-joined ESXi instances, allows attackers to gain full administrative access to the hypervisors, leading to potential encryption of their file systems and access to hosted virtual machines (VMs). 

Attackers have been using this flaw to deploy ransomware by creating or renaming an AD group to "ESX Admins" and adding a user to it. This user then receives administrative privileges on the ESXi server, allowing full control over the hypervisor and its hosted VMs. 

Impacted Versions include:  

  • ESXi 7.0 and 8.0 
  • VMware Cloud Foundation 4.x and 5.x 
  • VMware has released a fix for ESXi 8.0 Update 3 and VMware Cloud Foundation 5.2.  
  • A workaround is available for those unable to update to these versions. 

Ransomware operators, including Storm-0506, Storm-1175, Manatee Tempest, and Octo Tempest, have been exploiting this vulnerability to encrypt ESXi hypervisors and exfiltrate data from VMs. Full administrative access could allow attackers to not only encrypt the hypervisor's file system but also access and potentially exfiltrate sensitive data from hosted VMs. Avertium recommends that administrators upgrade VMware ESXi hypervisors as soon as possible.  

 

 

avertium's recommendationS

  • Administrators should upgrade to ESXi 8.0 Update 3 or VMware Cloud Foundation 5.2 as soon as possible.  
  • For systems that cannot be upgraded, apply the available workarounds. 
  • Regularly audit and monitor for any unauthorized changes or suspicious activities related to the "ESX Admins" group. 

 

 

how avertium is protecting our customers

 

IOCs ADDED TO OUR THREAT FEEDS

At this time, there are no known IoCs associated with CVE-2024-37085. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.     

 

TTPs TO MONITOR

Initial Access (Tactic ID: TA0001) 

  • Exploitation of Vulnerability (ID: T1190): Exploiting CVE-2024-37085 to gain initial access to VMware ESXi hypervisors by leveraging the authentication bypass flaw. 

 Execution (Tactic ID: TA0002) 

  • Command and Scripting Interpreter (ID: T1059): Using scripting languages or command-line interfaces to execute malicious code on the target system. 

Persistence (Tactic ID: TA0003) 

  • Create Account (ID: T1136): Creating a new domain group "ESX Admins" and adding a user to maintain persistent access with administrative privileges. 
  • Account Manipulation (ID: T1098): Modifying existing accounts to add them to the "ESX Admins" group for persistent access. 

Privilege Escalation (Tactic ID: TA0004) 

  • Abuse Elevation Control Mechanism (ID: T1548): Leveraging the "ESX Admins" group to escalate privileges and gain administrative access on the ESXi hypervisors. 

Defense Evasion (Tactic ID: TA0005) 

  • Masquerading (ID: T1036): Renaming legitimate groups to "ESX Admins" to avoid detection and gain administrative privileges. 

Credential Access (Tactic ID: TA0006) 

  • Credential Dumping (ID: T1003): Extracting credentials from domain controllers to gain initial access and further exploit the ESXi hypervisors. 

Lateral Movement (Tactic ID: TA0008) 

  • Lateral Tool Transfer (ID: T1570): Moving tools and scripts laterally within the network to exploit additional systems and hypervisors. 

 

 

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR  is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).
 

If you have any questions on these findings or prefer to no longer be notified about this issue, please contact the Cyber Fusion Center by replying to this message, sending an email to cfc@avertium.com, or by calling 1-877-707-7997 (option 1).
 



 

SUPPORTING DOCUMENTATION

Support Content Notification - Support Portal - Broadcom support portal 

VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085) - Help Net Security 

VMware ESXi hypervisor vulnerability grants full admin privileges | CSO Online 

 
Chat With One of Our Experts



VMWare ESXI vulnerability VMWare vulnerability Flash Notice VMware Critical Vulnerability Blog