EXECUTIVE SUMMARY
Ransomware attacks targeting ESXi hypervisors have surged in the past year, with cybercriminals exploiting the widespread adoption of this technology. By compromising ESXi hosts, attackers can encrypt critical data, disrupt operations, and potentially pivot to other systems within the network. A notable vulnerability, CVE-2024-37085, has been exploited to grant attackers administrative access by simply adding users to the "ESX Admins" group. While VMware has addressed this flaw with a security update, organizations must prioritize patch management and secure privileged accounts to mitigate the risk of successful ransomware attacks.
This blog post presents an analysis of the ransomware groups involved, together with details of the attacks observed exploiting this vulnerability.
What is VMware ESXi?
VMware ESXi is a bare-metal hypervisor that serves as the foundation for many virtualized environments. It installs directly on physical server hardware, eliminating the need for an underlying operating system. ESXi partitions the server's resources into isolated virtual machines (VMs), each capable of running its own operating system and applications simultaneously. By consolidating physical servers into virtual machines, ESXi helps organizations optimize hardware utilization, lower energy usage, and improve IT efficiency. Its design and capabilities make it a common choice for server and cloud computing platforms worldwide.
Attack Pattern
According to Sygnia's research team, a consistent attack pattern in ransomware attacks targeting virtualization environments is as follows:
- Initial access: Threat actors usually gain initial access into the organizations through well-established methods, such as phishing campaigns, malicious file downloads, or exploiting publicly known vulnerabilities.
- Privilege escalation: Once inside the network, attackers try to escalate their privileges to gain control over the ESXi hosts or servers. This can be achieved through various methods such as manipulating domain group memberships, brute-forcing credentials, compromising IT personnel through RDP attacks, or exploiting vulnerabilities like ESXiArgs.
- Privilege verification: Once inside the virtualization infrastructure, attackers test their ability to interact with it. If direct access is blocked, they often resort to enabling SSH on all ESXi hosts through vCenter, potentially resetting passwords or deploying custom tools (like VIBs) for remote control.
- Ransomware deployment within a virtual environment: Threat actors then use their access to connect to the ESXi servers and execute the ransomware on the ESXi hosts.
- Backup encryption: To maximize their leverage, attackers often extend their attacks beyond the virtualized environment by targeting backup systems. By corrupting or deleting backup data and disabling access to backup systems, they significantly hinder recovery efforts, increasing the pressure on victims to pay the ransom.
- Data exfiltration: Threat actors frequently employ double extortion tactics. They exfiltrate sensitive data to external storage such as Mega.io, Dropbox, or their own servers. Holding this stolen data hostage alongside the encrypted files, attackers threaten to leak it publicly, inflicting major reputational damage on the victim organization.
- Ransomware execution: The attackers then disable all virtual machines and launch the ransomware to encrypt the critical '/vmfs/volumes' directory on the ESXi filesystem.
- Extended ransomware attack: Attackers who have compromised systems like SCCM or Active Directory can further spread ransomware to physical servers and workstations, expanding the attack's reach beyond the virtual environment.
Exploit Activity
According to Microsoft researchers[1], ransomware groups like Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest have been utilizing a technique that allows them to escalate privileges on ESXi hosts and deploy ransomware such as Akira and Black Basta.
The group is created and populated using the net group command:
net group "ESX Admins" /domain /add
net group "ESX Admins" username /domain /add
Additional investigation into the issue revealed that VMware ESXi hypervisors joined to an Active Directory domain grant, by default, full administrative access to any member of the domain group named "ESX Admins". This group does not exist by default in Active Directory and is not a built-in group. When a host is joined to the domain, ESXi does not verify that such a group exists.
Microsoft researchers have identified three techniques for exploiting this vulnerability:
Technique 1: Creating an "ESX Admins" group within the domain and assigning a user to it
This technique is actively exploited in the wild by the abovementioned threat actors. If the "ESX Admins" group doesn't exist, any domain user with group-creation permissions can elevate privileges to full administrative access to domain-joined ESXi hypervisors by creating a group and adding themselves or other users under their control to it.
Technique 2: Renaming any domain group to "ESX Admins" and adding a new user or utilizing an existing group member
An alternative attack method involves renaming an existing domain group to "ESX Admins" and then adding a user or leveraging an existing group member to gain elevated privileges. Unlike the previous method, this approach requires the attacker to have permission to modify group names.
Technique 3: ESXi hypervisor privileges refresh
Even if the designated management group for the ESXi hypervisor is changed, members of the "ESX Admins" group retain full administrative privileges until explicitly removed. This persistence offers a potential attack vector, though Microsoft has not observed its exploitation in the wild.
Successful exploitation of this vulnerability grants attackers complete control over the ESXi hypervisor, enabling them to encrypt the host's file system and disrupt virtual machine operations. Additionally, attackers can access and potentially exfiltrate data from hosted virtual machines or move laterally within the network.
Ransomware operators targeting ESXi hypervisors
ESXi hypervisors offer several advantages to ransomware operators seeking to evade detection:
- ESXi hypervisors often lack comprehensive security protection, making them attractive targets for ransomware attacks.
- Encrypting the ESXi file system enables rapid and widespread data encryption, minimizing the need for extensive lateral movement and credential theft.
Leveraging the CVE-2024-37085 vulnerability
A North American engineering firm suffered a Black Basta ransomware attack in early 2024, orchestrated by the Storm-0506 threat actor group. Starting from a Qakbot infection, the attackers exploited the CVE-2023-28252 vulnerability to escalate privileges, and subsequently employed Cobalt Strike and Pypykatz to steal credentials and access domain controllers.
Cobalt Strike is a commercial penetration testing tool that has been misused by cybercriminals as a command-and-control framework. Initially designed for legitimate security assessments, it offers a range of capabilities including lateral movement, data exfiltration, and command execution.
Pypykatz is a Python implementation of Mimikatz, a tool that extracts plaintext passwords and hashes from Windows computers. It works by parsing memory dumps or live system memory to extract credentials.
The threat actor deployed persistence mechanisms, including a custom tool and SystemBC, on compromised domain controllers. They attempted to spread laterally through brute-forcing RDP connections and installing additional Cobalt Strike and SystemBC instances. To evade detection, the actor tampered with Microsoft Defender Antivirus. Subsequently, the threat actor created the "ESX Admins" group and added a user account, escalating privileges on ESXi hypervisors and encrypting their file systems. This led to the unavailability of hosted virtual machines. The attack also targeted non-ESXi devices using PsExec, but these attempts were thwarted by Microsoft Defender Antivirus and automatic attack disruption capabilities.
This vulnerability was exploited in the wild by Storm-0506, Storm-1175, Octo Tempest, Black Basta, Babuk, Lockbit and Kuiper.
Detection by Microsoft
Detection by Microsoft Defender for Endpoint
Key Microsoft Defender for Endpoint alerts indicative of this threat include suspicious modifications to the ESX Admins group. Additionally, alerts related to new group creation, suspicious account activity, and hands-on-keyboard attacks may also signal potential compromise. It's important to note that these alerts can be triggered by unrelated threats as well.
Detection by Microsoft Defender for Identity
Microsoft Defender for Identity can detect suspicious creation of the "ESX Admins" group. This alert signals potential malicious activity targeting ESXi hypervisors.
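The Defender alerts described in this section and the three techniques in the Exploit Activity section map directly onto Windows Security events on the domain controller: group creation (Event ID 4727), group rename (4781) and member addition (4728/4732/4756). The following detector is an added example, not code from the original post or from Microsoft; the event records are constructed to mimic those fields, and the rule names, correlation window and severity levels are assumptions. Technique 3 (stale privileges cached on the ESXi host) produces no Active Directory event and is not covered.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real telemetry). Field names
# follow the EventData of IDs 4727 (security group created), 4781 (account or
# group renamed) and 4728 (member added to a global security group).
SAMPLE_EVENTS = [
    {"EventID": 4727, "TimeCreated": "2024-03-01T10:02:11Z", "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "TimeCreated": "2024-03-01T10:02:15Z", "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "TimeCreated": "2024-03-02T08:15:00Z", "SubjectUserName": "svc-helpdesk",
     "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx  admins"},
    {"EventID": 4728, "TimeCreated": "2024-03-02T11:00:00Z", "SubjectUserName": "hr-admin",
     "TargetUserName": "HR Staff", "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"},
]

MEMBER_ADD_IDS = {4728, 4732, 4756}  # global, domain-local, universal security group

def is_esx_admins(name):
    """Compare case-insensitively with internal whitespace collapsed, so
    near-identical spellings of the group name are not missed by the rule."""
    return re.sub(r"\s+", " ", (name or "").strip()).lower() == "esx admins"

def detect_esx_admins_abuse(events, window=timedelta(minutes=10)):
    """Map events to the techniques in the text. A group create (T1) or rename
    (T2) followed by a member add by the same actor inside `window` is raised
    to high severity; an isolated member add stays medium (assumed levels)."""
    findings, last_setup = [], {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid, actor = ev["EventID"], ev.get("SubjectUserName")
        when = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        if eid == 4727 and is_esx_admins(ev.get("TargetUserName")):
            findings.append({"rule": "T1-group-created", "actor": actor, "severity": "medium"})
            last_setup[actor] = when
        elif eid == 4781 and is_esx_admins(ev.get("NewTargetUserName")):
            findings.append({"rule": "T2-group-renamed", "actor": actor, "severity": "medium",
                             "old_name": ev.get("OldTargetUserName")})
            last_setup[actor] = when
        elif eid in MEMBER_ADD_IDS and is_esx_admins(ev.get("TargetUserName")):
            setup = last_setup.get(actor)
            correlated = setup is not None and timedelta(0) <= when - setup <= window
            findings.append({"rule": "member-added", "actor": actor,
                             "member": ev.get("MemberName"),
                             "severity": "high" if correlated else "medium"})
    return findings

if __name__ == "__main__":
    for finding in detect_esx_admins_abuse(SAMPLE_EVENTS):
        print(finding)
```

In production the same logic would run over forwarded 4727/4781/4728 events from every domain controller, since the group can be created on any of them.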
Conclusion
Ransomware targeting ESXi servers poses a critical threat to organizations, capable of inflicting severe infrastructure damage and disrupting operations. These attacks often result in data encryption, operational downtime, and financial loss. A comprehensive understanding of these threats is essential to develop robust countermeasures and protect critical IT infrastructure.
References
- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption
- https://knowledge.broadcom.com/external/article?legacyId=1025569
- https://core.vmware.com/vmware-vsphere-8-security-configuration-guide
- https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html
- https://blogs.vmware.com/security/2022/10/esxi-targeting-ransomware-tactics-and-techniques-part-2.html
- https://www.sygnia.co/blog/esxi-ransomware-attacks/
- https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking
- https://www.darkreading.com/cloud-security/agenda-ransomware-vmware-esxi-servers
- https://blog.checkpoint.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/amp
- https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/amp
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
- https://www.rapid7.com/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns
- https://www.bleepingcomputer.com/news/microsoft/microsoft-ransomware-gangs-exploit-vmware-esxi-auth-bypass-in-attacks
- https://thehackernews.com/2024/07/vmware-esxi-flaw-exploited-by.html
- https://www.helpnetsecurity.com/2024/07/30/cve-2024-37085-exploited
- https://cybersecuritynews.com/ransomware-attacks-targeting-vmware-esxi-infrastructure-adopt-new-pattern