2 September 2024

BlackByte ransomware group adds VMware ESXi exploit to its arsenal

The BlackByte ransomware group, believed to be a spin-off from the infamous Conti group, has added a new exploit to its arsenal. Researchers at Cisco Talos Incident Response (IR) have observed the group exploiting a recently disclosed VMware ESXi vulnerability to gain control over virtual machines and escalate privileges within compromised environments.

The vulnerability, tracked as CVE-2024-37085, is an authentication bypass flaw in VMware ESXi that allows attackers to gain full administrative access to hypervisors. Discovered by , this vulnerability has become a key tool in BlackByte’s attacks. The group has been observed using it to escalate privileges after gaining initial access to a target environment.

According to Talos IR, once inside a compromised system, BlackByte managed to escalate its privileges by compromising two Domain Admin-level accounts. One of these accounts was used to access the organization’s VMware vCenter server. Shortly afterward, the attackers created Active Directory domain objects for individual VMware ESXi hypervisors, effectively joining those hosts to the domain. They then created and added several accounts to an Active Directory group labeled "ESX Admins," specifically designed to exploit CVE-2024-37085.

The vulnerability grants members of the "ESX Admins" group elevated privileges on an ESXi host, enabling them to control virtual machines, modify host server configurations, and access system logs, diagnostics, and performance monitoring tools.

In addition to exploiting CVE-2024-37085, the attackers used various protocols, including Server Message Block (SMB) and Remote Desktop Protocol (RDP), to access systems, directories, and files within the victim environments. Analysis of system event and authentication logs revealed that the attackers primarily used NT LAN Manager (NTLM) for authentication, a method that may indicate the use of pass-the-hash attacks for lateral movement within the network.

Further analysis of the ransomware binary revealed consistent use of NTLM authentication. BlackByte also tampered with security tool configurations by modifying system registries, manually uninstalling Endpoint Detection and Response (EDR) software from key systems, and, in one instance, changing the root password for the organization’s ESXi hosts.

Just before launching their file encryption payload, the attackers significantly increased NTLM authentication and SMB connection attempts across multiple systems in the victim’s environment. This activity was later identified as part of the ransomware’s self-propagating mechanism, Talos IR said.
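As an added example (not code from the Talos IR report or this article), the Python sketch below turns the two behaviours described above into a log hunt: creation of an "ESX Admins" group with membership changes and new computer objects, and a burst of NTLM network logons by a single account across many hosts. It assumes Windows Security event IDs and field names (4727/4728/4741/4624, TargetUserName, MemberName, AuthenticationPackageName) and runs over constructed sample events, not real logs.

```python
"""Hunt Windows Security events for the CVE-2024-37085 abuse chain (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

GROUP_CREATED = {4727, 4731, 4754}  # security-enabled global/local/universal group created
MEMBER_ADDED = {4728, 4732, 4756}   # member added to such a group
COMPUTER_CREATED = 4741             # computer account created (ESXi hosts joined to the domain)
WATCH_GROUP = "esx admins"          # group name the vulnerable ESXi logic honours; compared case-insensitively


def _ev(minute, eid, **fields):
    """Build a constructed sample event with an ISO timestamp on 2024-08-01 09:MM."""
    return {"ts": f"2024-08-01T09:{minute}:00", "EventID": eid, **fields}


EVENTS = [  # constructed sample data, not real logs
    _ev("00", 4741, SubjectUserName="adm.jdoe", TargetUserName="ESXI01$"),
    _ev("01", 4727, SubjectUserName="adm.jdoe", TargetUserName="ESX Admins"),
    _ev("02", 4728, SubjectUserName="adm.jdoe", TargetUserName="ESX Admins", MemberName="CN=svc_backup,DC=corp,DC=example"),
    _ev("03", 4728, SubjectUserName="adm.jdoe", TargetUserName="esx admins", MemberName="CN=jsmith,DC=corp,DC=example"),
    _ev("10", 4624, TargetUserName="alice", LogonType=3, AuthenticationPackageName="NTLM", Computer="FS01"),
] + [_ev(f"{20 + i:02d}", 4624, TargetUserName="adm.jdoe", LogonType=3, AuthenticationPackageName="NTLM", Computer=h)
     for i, h in enumerate(["FS01", "WS02", "APP03", "APP04", "DC01"])]


def hunt_group_abuse(events):
    """Flag creation of / additions to an 'ESX Admins' group and new computer objects (hosts joined to AD)."""
    hits = []
    for e in events:
        name = e.get("TargetUserName", "")
        if e["EventID"] in GROUP_CREATED and name.lower() == WATCH_GROUP:
            hits.append(("group_created", e["SubjectUserName"], name))
        elif e["EventID"] in MEMBER_ADDED and name.lower() == WATCH_GROUP:
            hits.append(("member_added", e["SubjectUserName"], e["MemberName"]))
        elif e["EventID"] == COMPUTER_CREATED:
            hits.append(("computer_created", e["SubjectUserName"], name))
    return hits


def hunt_ntlm_burst(events, window=timedelta(minutes=5), min_hosts=4):
    """Flag accounts whose NTLM network logons (4624, type 3) reach min_hosts distinct hosts within one window."""
    per_account = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") == 3 and e.get("AuthenticationPackageName") == "NTLM":
            per_account[e["TargetUserName"]].append((datetime.fromisoformat(e["ts"]), e["Computer"]))
    flagged = {}
    for account, logons in per_account.items():
        logons.sort()  # sliding window over time-ordered logons
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = len(hosts)
                break
    return flagged
```

The threshold and window are starting points to tune against a baseline of normal NTLM use; the group-name check is worth pairing with an alert on any new domain computer object whose name matches your ESXi host naming scheme.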
