Microsoft has recently flagged a severe security flaw, CVE-2024-37085, affecting Broadcom’s VMware ESXi hypervisors. This vulnerability, related to Active Directory integration, poses a significant threat by enabling ransomware groups to launch zero-day attacks, potentially gaining full administrative control over domain-joined ESXi hypervisors.
Understanding CVE-2024-37085
CVE-2024-37085 is classified with a CVSS score of 6.8 (VMware), indicating a medium level of severity. It is an authentication bypass in the Active Directory integration of VMware ESXi hypervisors that leads to privilege escalation.
The crux of the issue lies in the creation of an ‘ESX Admins’ group within Active Directory. This group isn’t a built-in feature and doesn’t exist by default. However, once an ESXi hypervisor is domain-joined, it doesn’t verify that the group exists or who created it. Consequently, members of this group are granted full administrative rights, even if the group was created by an attacker.
If exploited, this vulnerability could give attackers complete control over the hypervisor and all virtual machines it manages.
Exploitation Methods
Microsoft’s security researchers have identified three primary exploitation methods for CVE-2024-37085:
· Creating the ESX Admins Group: Attackers can create this group in Active Directory and add a new user, granting them admin access to the ESXi hypervisor.
· Renaming Existing Groups: By renaming any domain group to ESX Admins and adding users or existing members, attackers can gain administrative privileges.
· Persistent Admin Access: Assigning admin privileges to other groups doesn’t remove them from the ESX Admins group, allowing continued unauthorized access.
Ransomware Threats to ESXi Hypervisors
Over the past year, there has been an alarming rise in ransomware attacks targeting ESXi hypervisors. These hypervisors are attractive targets due to their often limited visibility and protection from many security solutions.
Ransomware operators can encrypt the ESXi hypervisor file system, leading to widespread encryption of all hosted virtual machines in one fell swoop. This tactic provides attackers ample time and opportunity to move laterally within the network, steal credentials, and further their attack.
Groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have been identified in conjunction with ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper.
In early 2024, a notable attack occurred when a North American engineering firm fell victim to a Black Basta ransomware attack orchestrated by Storm-0506. The attackers exploited CVE-2024-37085 for privilege escalation. Initial access was gained through a Qakbot infection, followed by leveraging a Windows CLFS vulnerability (CVE-2023-28252) for further privilege escalation.
Tools like Cobalt Strike and Pypykatz were used to steal domain administrator credentials, allowing lateral movement to domain controllers. Persistence mechanisms were installed, and RDP connections were brute-forced. Subsequently, the attackers created the “ESX Admins” group, added a new user, and encrypted the ESXi file system, disrupting all hosted virtual machines. They also employed PsExec to encrypt additional devices not directly on the ESXi hypervisor.
Recommendation
Microsoft advises organizations using domain-joined ESXi hypervisors to implement VMware’s security update addressing CVE-2024-37085. Here are additional measures to enhance your network security:
1. Apply Software Updates
Update ESXi Hypervisors: Ensure all domain-joined ESXi hypervisors receive the latest security patches from VMware. If immediate updates aren't feasible, follow these steps to mitigate risks:
· Verify Group Existence: Confirm that the “ESX Admins” group exists and is properly configured and hardened within your domain.
· Deny Group Access: Adjust settings on the ESXi hypervisor to manually deny access to the ESX Admins group. If you don't want full admin access granted to this group, disable this behavior using the advanced host setting: Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd.
· Change Admin Group: Alter the admin group designation in the ESXi hypervisor so that a different domain group is mapped to full admin rights.
· Enhance Detection: Set up custom detections in your XDR/SIEM for the new group name.
· Monitor Logs: Configure ESXi logs to be sent to a SIEM system and monitor for any suspicious full administrative access.
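The three exploitation methods above (group creation, group rename, member added) map directly onto Windows Security events on the domain controller, which is what the detection and log-monitoring steps need to watch. The following is an added example, not code from the original post or from Microsoft or VMware: it classifies constructed sample events (not real telemetry) against a configurable admin group name, so it also covers the case where you changed the mapped group on the host; the case-insensitive matching and the field names are assumptions to adapt to your SIEM's schema.

```python
# Windows Security event IDs for security-enabled group lifecycle events.
GROUP_CREATED = {4727, 4731, 4754}   # global / local / universal group created
GROUP_RENAMED = {4781}               # name of an account (including a group) changed
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal group


def normalize(name):
    """Assumption: match case-insensitively and ignore surrounding whitespace,
    so 'esx admins' and 'ESX Admins ' are both treated as the admin group."""
    return name.strip().casefold()


def classify(event, admin_group="ESX Admins"):
    """Return a finding for an event matching one of the three abuse patterns
    (create, rename, add member), or None. admin_group is the name ESXi maps
    to full admin rights; pass the new name if you changed it on the host."""
    target = normalize(admin_group)
    eid = event.get("EventID")
    actor = event.get("SubjectUserName")
    if eid in GROUP_CREATED and normalize(event.get("TargetUserName", "")) == target:
        return f"group '{admin_group}' created by {actor}"
    if eid in GROUP_RENAMED and normalize(event.get("NewTargetUserName", "")) == target:
        return f"group '{event.get('OldTargetUserName')}' renamed to '{admin_group}' by {actor}"
    if eid in MEMBER_ADDED and normalize(event.get("TargetUserName", "")) == target:
        return f"{event.get('MemberName')} added to '{admin_group}' by {actor}"
    return None


def scan(events, admin_group="ESX Admins"):
    """Run classify over an iterable of event dicts and return all findings."""
    return [f for f in (classify(e, admin_group) for e in events) if f]


# Constructed sample events shaped like Windows Security log fields (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance"},
    {"EventID": 4727, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4781, "SubjectUserName": "svc-backup",
     "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=newuser,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Finance",
     "MemberName": "CN=alice,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Feed the same rule the group name you configured on the host after the “Change Admin Group” step, otherwise the rename and membership patterns will be missed.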
2. Enhance Credential Security
Since attackers need control over highly privileged accounts to exploit vulnerabilities, strengthen the security of these accounts:
3. Fortify Critical Assets
Identify and protect critical assets like ESXi hypervisors and vCenters with up-to-date security updates, robust monitoring, and effective backup and recovery plans. Additional information is available in this article.
4. Identify Vulnerabilities
Conduct authenticated scans of network devices using SNMP via the Microsoft Defender portal to detect vulnerabilities in devices like ESXi and receive relevant security recommendations.
By following these guidelines, organizations can better protect their networks from potential exploits and ensure robust security for their ESXi hypervisors.
Stay Informed with Threat Intelligence Platform from CyberSRC Labs
The Threat Intelligence Platform service from CyberSRC Labs provides real-time monitoring of CVE and exploitation trends. With an extensive database and advanced analytics, it helps track updates, identify exploits, and offers actionable insights for proactive vulnerability management.
Stay vigilant and ensure your systems are protected against emerging threats.