Ransomware attacks targeting ESXi hypervisors have surged in the past year, with cybercriminals exploiting the widespread adoption of this technology. By compromising ESXi hosts, attackers can encrypt critical data, disrupt operations, and potentially pivot to other systems within the network. A notable vulnerability, CVE-2024-37085, has been exploited to grant attackers administrative access by simply adding users to the "ESX Admins" group. While VMware has addressed this flaw with a security update, organizations must prioritize patch management and secure privileged accounts to mitigate the risk of successful ransomware attacks.
This blog post presents analysis of various ransomware groups, as well as the details of the attack observed to exploit the vulnerabilities.
VMware ESXi is a robust bare-metal hypervisor that serves as the foundation for many virtualized systems. It installs directly on physical server hardware, eliminating the requirement for an underlying operating system. ESXi separates the server's resources efficiently, resulting in segregated virtual machines (VMs) capable of running several operating systems and applications simultaneously. By transforming physical servers into virtual machines, ESXi assists organizations in optimizing hardware utilization, lowering energy usage, and improving IT efficiency. Its powerful design and outstanding capabilities make it a top choice for servers and cloud computing platforms throughout the world.
According to Sygnia's research team, a consistent attack pattern in ransomware attacks targeting virtualization environments is as follows:
According to Microsoft researchers[1], ransomware groups like Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest have been utilizing a technique that allows them to escalate privileges on ESXi hosts and deploy ransomware such as Akira and Black Basta.
The group is created and populated using the net group command:
net group "ESX Admins" /domain /add
net group "ESX Admins" username /domain /add
Additional investigation into the issue revealed that VMware ESXi hypervisors joined to an Active Directory domain by default grant full administrative access to any member of the domain group called "ESX Admins". This group does not exist by default in Active Directory and is not a built-in group. When the host is joined to the domain, ESXi does not verify that such a group exists.
Microsoft researchers have observed three techniques to exploit this vulnerability:
This technique is actively exploited in the wild by the abovementioned threat actors. If the "ESX Admins" group doesn't exist, any domain user with group-creation permissions can elevate privileges to full administrative access to domain-joined ESXi hypervisors by creating a group and adding themselves or other users under their control to it.
An alternative attack method involves renaming an existing domain group to "ESX Admins" and then adding a user or leveraging an existing group member to gain elevated privileges. Unlike the previous method, this approach requires the attacker to have permission to modify group names.
Even if the designated management group for the ESXi hypervisor is changed, members of the "ESX Admins" group retain full administrative privileges until explicitly removed. This persistence offers a potential attack vector, though Microsoft has not observed its exploitation in the wild.
Successful exploitation of this vulnerability grants attackers complete control over the ESXi hypervisor, enabling them to encrypt the host's file system and disrupt virtual machine operations. Additionally, attackers can access and potentially exfiltrate data from hosted virtual machines or move laterally within the network.
ESXi hypervisors offer several advantages to ransomware operators seeking to evade detection.
A North American engineering firm suffered a Black Basta ransomware attack in early 2024, orchestrated by the Storm-0506 threat actor group. Beginning with a Qakbot infection, the attackers exploited the CVE-2023-28252 vulnerability to escalate privileges, and subsequently employed Cobalt Strike and Pypykatz to steal credentials and access domain controllers.
Cobalt Strike is a commercial penetration testing tool that has been misused by cybercriminals as a command-and-control framework. Initially designed for legitimate security assessments, it offers a range of capabilities including lateral movement, data exfiltration, and command execution.
Pypykatz is a Python version of Mimikatz, a sophisticated program that extracts plaintext passwords and hashes from Windows computers. It works by analyzing memory dumps or live system memory to extract crucial credentials.
The threat actor deployed persistence mechanisms, including a custom tool and SystemBC, on compromised domain controllers. They attempted to spread laterally through brute-forcing RDP connections and installing additional Cobalt Strike and SystemBC instances. To evade detection, the actor tampered with Microsoft Defender Antivirus. Subsequently, the threat actor created the "ESX Admins" group and added a user account, escalating privileges on ESXi hypervisors and encrypting their file systems. This led to the unavailability of hosted virtual machines. The attack also targeted non-ESXi devices using PsExec, but these attempts were thwarted by Microsoft Defender Antivirus and automatic attack disruption capabilities.
This vulnerability was exploited in the wild by Storm-0506, Storm-1175, Octo Tempest, Black Basta, Babuk, Lockbit and Kuiper.
Key Microsoft Defender for Endpoint alerts indicative of this threat include suspicious modifications to the ESX Admins group. Additionally, alerts related to new group creation, suspicious account activity, and hands-on-keyboard attacks may also signal potential compromise. It's important to note that these alerts can be triggered by unrelated threats as well.
It can also detect suspicious creation of the "ESX Admins" group; this alert signals potential malicious activity targeting ESXi hypervisors.
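The three techniques described above (creating the group, renaming an existing group to "ESX Admins", and adding members to it) all leave traces in the domain controller's Windows Security log, which is what the Defender alerts above key on. The following is an added example, not Microsoft's or VMware's detection logic, that walks a list of constructed Security events and flags each of the three patterns. The event IDs (4727/4731/4754 group created, 4728/4732/4756 member added, 4781 account renamed) and field names (TargetUserName, MemberName, OldTargetUserName, NewTargetUserName, SubjectUserName) are the standard Windows Security schema; the sample events, user names and the case-insensitive name match are this example's own assumptions.

```python
"""Flag Windows Security events that create, rename into, or add members to
the "ESX Admins" domain group. Added example; sample events are constructed."""
from dataclasses import dataclass

# ESXi grants admin rights to members of this domain group by default.
WATCHED_GROUP = "esx admins"

# Windows Security event IDs for group lifecycle events
# (global / local / universal security-enabled groups).
GROUP_CREATED = {4727, 4731, 4754}    # "A security-enabled ... group was created"
MEMBER_ADDED = {4728, 4732, 4756}     # "A member was added to a security-enabled ... group"
ACCOUNT_RENAMED = {4781}              # "The name of an account was changed" (covers groups)


@dataclass(frozen=True)
class Finding:
    technique: str   # which of the three techniques the event matches
    actor: str       # SubjectUserName: who performed the change
    detail: str      # human-readable context for the analyst


def _norm(name: str) -> str:
    # Assumption: compare names case-insensitively and ignore padding, so a
    # variant spelling of the group name is not silently missed.
    return name.strip().lower()


def detect_esx_admins_abuse(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that touches the watched group."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "<unknown>")
        target = _norm(ev.get("TargetUserName", ""))

        if eid in GROUP_CREATED and target == WATCHED_GROUP:
            # Technique 1: the group did not exist and was created outright.
            findings.append(Finding("group-created", actor,
                                    f"event {eid}: group '{ev['TargetUserName']}' created"))
        elif eid in MEMBER_ADDED and target == WATCHED_GROUP:
            # Technique 1/3: a principal was added; existing members keep
            # admin rights on ESXi until explicitly removed.
            findings.append(Finding("member-added", actor,
                                    f"event {eid}: {ev.get('MemberName', '?')} added"))
        elif eid in ACCOUNT_RENAMED and _norm(ev.get("NewTargetUserName", "")) == WATCHED_GROUP:
            # Technique 2: an unrelated group was renamed to "ESX Admins".
            findings.append(Finding("group-renamed", actor,
                                    f"event {eid}: '{ev.get('OldTargetUserName', '?')}' "
                                    f"-> '{ev['NewTargetUserName']}'"))
    return findings


# Constructed sample events (hypothetical users and groups, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=example,DC=test"},
    {"EventID": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "Domain Users",
     "MemberName": "CN=newhire,CN=Users,DC=example,DC=test"},
    {"EventID": 4781, "SubjectUserName": "svc-backup",
     "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins"},
    {"EventID": 4727, "SubjectUserName": "hr-admin", "TargetUserName": "Finance"},
]


def main() -> None:
    for f in detect_esx_admins_abuse(SAMPLE_EVENTS):
        print(f"[{f.technique}] by {f.actor}: {f.detail}")


if __name__ == "__main__":
    main()
```

Running the block against the constructed events yields three findings (group created and member added by jdoe, rename by svc-backup) and ignores the two benign group operations. The same function can be pointed at exported Security events from a SIEM; the 4781 rename check in particular is the one that catches the second technique, which a rule watching only group-creation events would miss.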
Ransomware targeting ESXi servers poses a critical threat to organizations, capable of inflicting severe infrastructure damage and disrupting operations. These attacks often result in data encryption, operational downtime, and financial loss. A comprehensive understanding of these threats is essential to develop robust countermeasures and protect critical IT infrastructure.