Summary
Microsoft researchers have uncovered a vulnerability in VMware ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on affected systems. Ransomware groups like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have exploited this flaw, designated CVE-2024-37085, deploying ransomware such as Akira and Black Basta. The issue was disclosed to VMware, which released a security update.
RH-ISAC members who use VMware products in their environments are encouraged to review systems that currently run ESXi hypervisors, apply the relevant patches where available and applicable, and review the mitigations and detection queries Microsoft has provided below.
Background
ESXi is a bare-metal hypervisor that runs directly on server hardware and is used to manage fleets of virtualized servers. CVE-2024-37085 allows attackers to create or manipulate a domain group named “ESX Admins,” granting them full administrative permissions on domain-joined ESXi hypervisors. ESXi hypervisors do not validate the existence of the “ESX Admins” group when joined to a domain, relying solely on group name matching for access control.
Microsoft identified three exploitation methods: creating the “ESX Admins” group, renaming an existing group to that name, or leveraging the privileges of an existing group. Successful exploitation allows attackers to encrypt the hypervisor’s file system, which affects every hosted virtual machine, and enables data exfiltration or lateral movement from the hypervisor.
Mitigations
Microsoft recommends that organizations using domain-joined ESXi hypervisors apply the security update released by VMware to address CVE-2024-37085. The following guidelines will also help organizations protect their network from attacks:
Install software updates: Make sure to install the latest security updates released by VMware on all domain-joined ESXi hypervisors. If installing software updates is not possible, you can use the following recommendations to reduce the risk:
- Validate that the group “ESX Admins” exists in the domain and is hardened.
- Manually deny access by this group by changing settings in the ESXi hypervisor itself. If full admin access for the Active Directory ESX Admins group is not desired, you can disable this behavior using the advanced host setting 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'.
- Change the admin group to a different group in the ESXi hypervisor.
- Add custom detections in XDR/SIEM for the new group name.
- Configure sending ESXi logs to a SIEM system and monitor suspicious full administrative access.
Credential hygiene: To use any of the exploitation methods, threat actors first require control of a highly privileged user in the organization. Microsoft therefore recommends protecting the organization's highly privileged accounts, especially those that can manage other domain groups:
- Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, always.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different authentication methods and features.
- Isolate privileged accounts from productivity accounts to protect administrative access to the environment. Refer to this article to understand best practices.
Improve critical assets posture: Identify your critical assets in the network, such as ESXi hypervisors and vCenters (a centralized platform for controlling VMware vSphere environments), and make sure they are protected with the latest security updates, proper monitoring procedures, and backup and recovery plans. More information can be found in the following article.
Identify vulnerable assets: Deploy authenticated scans of network devices using SNMP via the Microsoft Defender portal to identify vulnerabilities in network devices such as ESXi and receive security recommendations.
XDR Queries
Microsoft has also released the following Defender XDR queries that organizations can use to find related activity in their networks:
This query identifies ESXi hypervisors in the organization:
DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId
This query identifies ESX Admins group changes in Active Directory:
IdentityDirectoryEvents
| where Timestamp >= ago(30d)
| where AdditionalFields has ('esx admins')
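As an added example (not from the RH-ISAC advisory or Microsoft's blog), here is the same group-change detection written in Python to run over Windows Security event records, for environments that forward domain controller logs to a SIEM other than Defender XDR. The event IDs and field names are standard Windows Security auditing values; the sample records are constructed, and the group-name parameter is this example's own addition so the detection can follow a renamed admin group as recommended in the mitigations above.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Windows Security event IDs for the group changes the exploitation methods
# above would produce: group created / renamed / member added.
GROUP_CREATED = {4727, 4731, 4754}  # global / local / universal security group created
GROUP_RENAMED = {4781}              # account (here: group) name changed
MEMBER_ADDED = {4728, 4732, 4756}   # member added to global / local / universal group

def group_pattern(group_name: str = "ESX Admins") -> "re.Pattern":
    """ESXi matches the group by name alone, so compare case-insensitively and
    tolerate extra whitespace. Pass the new name if you renamed the admin group."""
    words = [re.escape(w) for w in group_name.split()]
    return re.compile(r"^\s*" + r"\s+".join(words) + r"\s*$", re.IGNORECASE)

def classify(event: Dict, pattern: "re.Pattern" = group_pattern()) -> Optional[str]:
    """Return a finding label if the event touches the watched group, else None."""
    eid = event.get("EventID")
    if eid in GROUP_CREATED and pattern.match(event.get("TargetUserName", "")):
        return "admin-group-created"
    if eid in GROUP_RENAMED and pattern.match(event.get("NewTargetUserName", "")):
        return "group-renamed-to-admin-group"
    if eid in MEMBER_ADDED and pattern.match(event.get("TargetUserName", "")):
        return "member-added-to-admin-group"
    return None

def find_findings(events: Iterable[Dict], group_name: str = "ESX Admins") -> List[Tuple[str, str, str]]:
    """(label, actor, group name as written) for every event that matches a rule."""
    pattern = group_pattern(group_name)
    findings = []
    for ev in events:
        label = classify(ev, pattern)
        if label:
            group = ev.get("NewTargetUserName") or ev.get("TargetUserName", "")
            findings.append((label, ev.get("SubjectUserName", "?"), group.strip()))
    return findings

# Constructed sample records (not real telemetry), using Windows Security event field names.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4727, "SubjectUserName": "hr_admin", "TargetUserName": "HR Managers"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Print Ops",
     "NewTargetUserName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX ADMINS",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_EVENTS):
        print(*finding)
```

The renamed-group rule is the one the KQL `has` filter can miss if your SIEM only indexes the new name at rename time, so keep both old and new names in the search window when hunting retroactively.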
The following queries join the ESXi hosts discovered above with Microsoft Defender Vulnerability Management data (known vulnerabilities, then secure configuration assessment results):
DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner (DeviceTvmSoftwareVulnerabilities) on DeviceId

DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner (DeviceTvmSecureConfigurationAssessment) on DeviceId