A recently patched security flaw affecting VMware ESXi hypervisors is being actively exploited by “multiple” ransomware groups to escalate privileges and deploy file-encrypting malware.
The attack involves exploiting CVE-2024-37085 (CVSS score: 6.8), an Active Directory Integrated Authentication Bypass that allows attackers to gain administrative access to the host.
“A malicious actor with sufficient Active Directory (AD) privileges could gain full access to an ESXi host previously configured to use AD for user management by re-creating a configured AD group (‘ESXi Admins’ by default) after it had been removed from AD,” VMware, which is owned by Broadcom, said in an advisory released in late June 2024.
This means that elevating privileges in ESXi to administrator is as simple as creating a new AD group called “ESX Admins” and adding any user to it, or renaming any group in the domain to “ESX Admins” and adding the user to the group, or using existing group members.
In new analysis published July 29, Microsoft said it has observed ransomware actors, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, using post-compromise techniques to deploy Akira and Black Basta.
“By default, VMware ESXi hypervisors that are joined to an Active Directory domain assume that members of a domain group called ‘ESX Admins’ have full administrative access,” said researchers Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan and Vaibhav Deshmukh.
“This group is not a built-in group in Active Directory and does not exist by default. The ESXi hypervisor does not validate the existence of such a group when a server is joined to a domain, and treats members of a group with this name with full administrative access rights even if the group did not exist to begin with.”
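A defender-side hunting check for the pattern the researchers describe, added here as an example and not code from the article or from Microsoft's analysis: it triages Windows Security group-lifecycle events for a group created, renamed or populated under the trusted "ESX Admins" name (the "ESXi Admins" spelling from the advisory is matched too). The event field names follow the Security log's event-data XML, and the sample records are constructed for this example.

```python
import re

# Windows Security event IDs for security-enabled group lifecycle
# (global / domain-local / universal): created, changed (renames land here), member added.
GROUP_CREATED = {4727, 4731, 4754}
GROUP_CHANGED = {4737, 4735, 4755}
MEMBER_ADDED = {4728, 4732, 4756}
# The group name ESXi trusts by default; the advisory also writes "ESXi Admins",
# so match both, ignoring case and whitespace width.
WATCHED = re.compile(r"^esxi?\s+admins$", re.IGNORECASE)


def triage(events):
    """Return one finding per event that creates, renames or populates an 'ESX Admins' group.

    Each event is a dict keyed by Security-log event-data names: EventID,
    TargetUserName (the group), SubjectUserName (the actor) and, for
    member-added events, MemberName. Assumption: for 'changed' events
    TargetUserName carries the group's name after the change.
    """
    findings = []
    for ev in events:
        eid = int(ev.get("EventID", 0))
        group = ev.get("TargetUserName", "").strip()
        if not WATCHED.match(group):
            continue
        if eid in GROUP_CREATED:
            kind = "group created"
        elif eid in GROUP_CHANGED:
            kind = "group changed/renamed"
        elif eid in MEMBER_ADDED:
            kind = "member added: " + ev.get("MemberName", "?")
        else:
            continue
        findings.append({"event_id": eid, "kind": kind, "group": group,
                         "actor": ev.get("SubjectUserName", "?")})
    return findings


# Constructed sample events (not real logs): a benign group, then the pattern
# described above: a group created under the trusted name and a user added to it.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TargetUserName": "Finance-RO", "SubjectUserName": "admin01"},
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jsmith"},
    {"EventID": 4728, "TargetUserName": "ESX Admins", "SubjectUserName": "jsmith",
     "MemberName": "CN=jsmith,CN=Users,DC=corp,DC=example"},
    {"EventID": 4737, "TargetUserName": "esx admins", "SubjectUserName": "svc-backup"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "admin01",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

In an environment that has applied the vendor mitigation of pointing ESXi at a differently named group, the WATCHED pattern should be changed to that group's name.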
In one attack launched by Storm-0506 against an unnamed engineering company in North America, the threat actor used a QakBot infection to gain an initial foothold, exploited another flaw in the Windows Common Log File System (CLFS) driver (CVE-2023-28252, CVSS score: 7.8) to escalate privileges on Windows, and then weaponized CVE-2024-37085 to escalate privileges on the ESXi hypervisor.
This was followed by a phase where Cobalt Strike and Pypykatz (a Python version of Mimikatz) were deployed to steal domain administrator credentials and move laterally through the network, before dropping the SystemBC implant to gain persistence and exploit ESXi administrator access to deploy Black Basta.
“The attackers were also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as an alternative method of lateral movement, before again attempting to install Cobalt Strike and SystemBC,” the researchers said. “The attackers then attempted to tamper with Microsoft Defender Antivirus using various tools to evade detection.”
The development comes after Google-owned Mandiant revealed that a financially motivated threat cluster known as UNC4393 was using initial access gained via a C/C++ backdoor codenamed ZLoader (also known as DELoader, Terdot, or Silent Night) to distribute Black Basta, offshoots of QakBot and DarkGate.
“UNC4393 has demonstrated a willingness to collaborate with multiple delivery clusters to achieve its objectives,” the threat intelligence firm said. “Silent Night’s recent surge in activity, which began earlier this year, has been primarily conducted via malvertising, marking a significant shift away from phishing, which was UNC4393’s only known means of gaining initial access.”
The attack sequence includes using initial access to drop a Cobalt Strike Beacon, performing reconnaissance using a combination of custom and off-the-shelf tools, and utilizing RDP and Server Message Block (SMB) for lateral movement. Persistence is achieved via SystemBC.
ZLoader, which resurfaced late last year after a long hiatus, is under active development and recent findings from Walmart’s cyber intelligence team indicate that a new variant of the malware is being spread via a PowerShell backdoor called PowerDash.
Over the past few years, ransomware attackers have shown a tendency to jump at new techniques to maximize their impact and avoid detection, increasingly targeting ESXi hypervisors and exploiting newly discovered security flaws in internet-facing servers to compromise their targets.
For example, Qilin (aka Agenda) was originally developed in the Go programming language but has since been redeveloped using Rust, signaling a shift towards building malware using memory-safe languages. Recent ransomware attacks have been found to exploit known vulnerabilities in Fortinet and Veeam Backup & Replication software for initial access.
“Qilin ransomware is capable of self-propagating on local networks,” Group-IB said in a recent analysis, adding that it also has the ability to “perform self-distribution using VMware vCenter.”
Another notable piece of malware used in Qilin ransomware attacks is a tool called Killer Ultra, which is designed to disable common endpoint detection and response (EDR) software running on infected hosts and clear all Windows event logs to remove any indicators of compromise.
Organisations are advised to install the latest software updates, practice credential hygiene, enforce two-factor authentication and take steps to protect critical assets with proper monitoring procedures and backup and recovery plans.