Cybersecurity Threat Advisory: VMware ESXi flaw exploited by ransomware group

A VMware ESXi vulnerability, known as CVE-2024-37085, has been discovered and it is actively exploited by several ransomware groups. Review this Cybersecurity Threat Advisory to learn how to limit the impact of this flaw.

What is the threat?

CVE-2024-37085 is an Active Directory (AD) integration authentication bypass vulnerability that, when successfully exploited, gives an attacker full administrative access to the ESXi hypervisor by default without any further validation. It adds new users to the “ESX Admins” domain group. This group does not exist by default but becomes available once you gain higher privileges on the ESXi hypervisor, which then automatically grants full privileges to users added to it, leaving businesses exposed.

Why is it noteworthy?

CVE-2024-37085 was discovered by multiple hacker groups and are using three different methods to exploit the flaw. The three different methods are:

• Adding “ESX Admins” to the domain and adding a user to it
• Renaming any group in the domain to “ESX Admins” and then adding a user either new or existing
• ESXi hypervisor privilege refresh so that full admin privilege is not immediately removed in order for the threat actors to abuse it

What is the exposure or risk?

CVE-2024-37085 affects the following products and versions:

• VMware ESXi 8.0
• VMware ESXi 7.0
• VMware Cloud Foundation 5.x
• VMware Cloud Foundation 4.x

Upon gaining access, ransomware groups can steal sensitive data, move through victims’ networks, and encrypt the ESXi hypervisor’s file system, leading to disruption of business operations.

What are the recommendations?

Barracuda recommends the following actions to limit the impact of CVE-2024-37085:

• Apply available updates to the affected device at your earliest availability
• Enforce password cyber hygiene by protecting highly privileged accounts with multifactor authentication (MFA) or isolate privileged accounts to prevent access
• Ensure affected ESXi servers are not exposed to public internet

References

For more in-depth information on the above recommendations, please visit the following links:

• https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/?utm_source=marketo&utm_medium=email&utm_campaign=global-pla-etr-vmware-esxi-blog-customer-eng&mkt_tok=NDExLU5BSy05NzAAAAGUovD2zM1hU8ZXtTyo7IMM28jgeH0yp-IE6ywZw5x5QE0m85TAddbBb2rnQllZQK9arxGv1GLn0Lai7c2t0BPisvt1_maWOpRcxs4ud25bFzx428U
• https://cybernews.com/security/ransomware-gangs-exploit-dangerous-vmware-vulnerability/
• https://www.scmagazine.com/news/vmware-esxi-servers-targeted-by-akira-blackbasta-ransomware-groups
• https://www.bleepingcomputer.com/news/security/cisa-warns-of-vmware-esxi-bug-exploited-in-ransomware-attacks/

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.