August 7, 2024

New Vulnerability in VMware ESXi Exploited by Ransomware Actors (CVE-2024-37085)

Microsoft Research has revealed a vulnerability (CVE-2024-37085) that allows a malicious actor to obtain administrative control over VMware ESXi and deploy ransomware. The Precursor Managed Detection & Response team has deployed custom detections to protect customers.


Introduction

The Precursor Managed Detection & Response (MDR) team regularly triages intelligence from open sources, partners and vendors. Microsoft's Threat Intelligence Research arm recently shared intel advising that domain-joined VMware ESXi hypervisors were vulnerable to an authentication bypass simply because of the presence of an AD group called "ESX Admins".

The Precursor Managed Detection & Response (MDR) team triaged this intelligence and produced multiple detection rules for existing customers. The MDR team also performed in-depth testing by emulating the malicious activity in a test environment and confirmed that the following products detect this activity:

  • CrowdStrike Falcon EDR
  • CrowdStrike Falcon Identity Threat Detection
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity

The MDR team has been working with organisations to confirm their patch status, check for the presence of this group in their Active Directory, look for evidence of prior compromise and provide further hardening guidance.

This activity has been known to lead to deployment of Akira and Black Basta ransomware.

How the Exploit Works & Technical Analysis

Exploitation of this vulnerability requires the attacker to already be inside an Active Directory environment where VMware ESXi servers are present and domain-joined. The threat actor then elevates their privileges to full administrative control over the hypervisor by making themselves a member of the security-enabled group named "ESX Admins". Microsoft shared the following two commands, observed being executed on a beachhead host (the group is created first, then the attacker's user is added to it):

  • net group "ESX Admins" /domain /add
  • net group "ESX Admins" username /domain /add

One key nuance is that the group does not need to exist beforehand: the attacker can either create it or rename an existing AD group to "ESX Admins", because ESXi resolves the group by name rather than by security identifier (SID).

If the attacker is able to exploit this vulnerability, they are in a position to take over your ESXi hypervisor(s) and every guest virtual machine running on them (typically the virtualised server estate) for encryption and data exfiltration.

Developing & Testing Detections

The Precursor MDR team operates a true 24x7 service, so this intelligence was triaged overnight by the team and turned into detection rules that protect our customers across the UK, EMEA and other regions.

We first gathered initial assurance by testing the popular EDR products CrowdStrike Falcon and Microsoft Defender, both of which detected and blocked this activity. It should be noted that this activity can occur on hosts that don't have EDR installed (it's common to see organisations suffer from a partial EDR deployment). The Precursor MDR team overcomes this by deploying our own agent to hosts and collecting telemetry into our SIEM solution.

Multiple custom detections were created to bolster organisations' posture and resilience towards this vulnerability. In summary:

  • We have 5+ custom SIEM detections that cover this activity.
  • Microsoft Defender for Endpoint & Identity detects this activity.
  • CrowdStrike Falcon EDR & Identity Threat Detection detects this activity.

Further Guidance

Monitor for AD group creation/modification

It is recommended to log and monitor evidence of group creation/modification across your Active Directory, specifically groups where administrative-level permissions can manifest, either through default groups or vulnerabilities like this.
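As an added example (not code from the original post or from Precursor's detection content), the following Python applies the monitoring guidance above to constructed Windows Security group-lifecycle events. It matches the group by name, exactly as ESXi does, so that creating "ESX Admins", renaming an existing group to that name, and adding a member to it all raise findings. The event IDs are the standard Windows Security log IDs; the sample events and field names are constructed, and treating the changed SAM Account Name on a group-changed event as the renamed value is an assumption.

```python
import re
from collections import namedtuple

# Windows Security log event IDs for security-enabled group lifecycle
# (global / local / universal). The IDs are standard; sample events below are constructed.
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
GROUP_CHANGED = {4737, 4735, 4755}   # attribute changes, including a rename
TARGET_GROUP = "ESX Admins"
Finding = namedtuple("Finding", "event_id reason actor detail")


def normalise(name: str) -> str:
    """ESXi matches the group by name, so compare names loosely (case and spacing)."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def evaluate(event: dict) -> "Finding | None":
    """Return a Finding when an event creates, renames or populates the target group."""
    eid = event["EventID"]
    # A rename is assumed to surface the new name in the changed SAM Account Name attribute
    names = {normalise(event.get("TargetUserName", "")),
             normalise(event.get("SamAccountName", ""))}
    if normalise(TARGET_GROUP) not in names:
        return None
    actor = event.get("SubjectUserName", "?")
    sid = event.get("TargetSid", "?")
    if eid in GROUP_CREATED:
        return Finding(eid, "group created", actor, f"sid={sid}")
    if eid in MEMBER_ADDED:
        return Finding(eid, "member added", actor, f"member={event.get('MemberName', '?')}")
    if eid in GROUP_CHANGED:
        return Finding(eid, "group renamed/changed", actor, f"sid={sid}")
    return None


def scan(events: list) -> list:
    """Run every event through evaluate() and keep the findings, SID-agnostic."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed samples: a benign membership change, then creation of the target group,
# a member added to it, and an existing group (different SID) renamed to the same name.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "svc_hr", "TargetUserName": "Payroll", "TargetSid": "S-1-5-21-1-2-3-1201", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4727, "SubjectUserName": "jsmith", "TargetUserName": "ESX Admins", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4728, "SubjectUserName": "jsmith", "TargetUserName": "ESX Admins", "TargetSid": "S-1-5-21-1-2-3-1105", "MemberName": "CN=jsmith,CN=Users,DC=corp,DC=example"},
    {"EventID": 4737, "SubjectUserName": "jsmith", "TargetUserName": "esx  admins", "TargetSid": "S-1-5-21-1-2-3-1020", "SamAccountName": "esx  admins"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"ALERT {f.event_id}: {f.reason} by {f.actor} ({f.detail})")
```

Because the match is on the normalised name and not the SID, the renamed group with a different SID is caught as well as the freshly created one; if your organisation legitimately uses this group, membership changes to it should still be alerted on.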

Ensure 100% EDR coverage

Review which hosts, especially critical hosts, do not have EDR installed with the correct configuration loaded.

Test Detections and EDR

Where possible, validate that your EDR blocks the latest threat activity in a test environment, and consider plugging any gaps with compensating detections and mitigations.

Patch Management of Mission Critical Infrastructure

Track and review patch management performance of your mission critical infrastructure.



Written by

Precursor Security
