A recently patched vulnerability in VMware ESXi hypervisors is being actively exploited by threat actors to gain access to target networks and deploy ransomware, a new report from Microsoft reveals.

The flaw (CVE-2024-37085) allows attackers to obtain full administrative permissions on domain-joined ESXi hypervisors.

ESXi is a bare-metal hypervisor installed directly onto a physical server, providing direct access and control over the underlying resources. Its widespread use in corporate environments makes it a prime target for cybercriminals. The hypervisors host virtual machines (VMs) that often include critical servers within a network.

In a ransomware attack, gaining full administrative access to an ESXi hypervisor can enable attackers to encrypt the hypervisor’s file system, and disrupt the hosted servers' functionality. Furthermore, attackers can access VMs, exfiltrate data, or move laterally across the network.

Microsoft’s security researchers discovered the flaw while investigating a new post-compromise technique used by ransomware operators such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. This technique has led to several ransomware deployments, including Akira and Black Basta.

Attackers utilize specific commands to create a group named “ESX Admins” in the domain and add a user to it. The ESXi hypervisors, when joined to an Active Directory domain, recognize any member of the “ESX Admins” group as having full administrative rights by default. This group is not built-in and does not exist by default, and ESXi hypervisors do not validate its existence. Consequently, any member of a group named “ESX Admins” gains full administrative access, irrespective of its origin or security identifier (SID), Microsoft explained.

The researchers identified three primary methods for exploiting the vulnerability: creating and adding to “ESX Admins” group, renaming an existing group, and refreshing ESXi hypervisor privileges.

In one instance, an engineering firm in North America was targeted by the Storm-0506 threat actor, who deployed Black Basta ransomware. The attackers exploited the CVE-2024-37085 vulnerability to gain elevated privileges on the firm's ESXi hypervisors. They initially accessed the organization via a Qakbot infection and leveraged the CVE-2023-28252 Windows CLFS vulnerability to escalate privileges on compromised devices.

Using Cobalt Strike and Pypykatz, the attackers stole credentials from two domain administrators and moved laterally to four domain controllers. On these domain controllers, they established persistence with custom tools and a SystemBC implant.

Additionally, they attempted to brute-force Remote Desktop Protocol (RDP) connections for further lateral movement, installing Cobalt Strike and SystemBC on additional devices. To evade detection, the attackers tampered with Microsoft Defender Antivirus using various tools.