In late July, researchers at Microsoft reported on an authentication bypass vulnerability in VMware ESXi that is being exploited by several ransomware groups, including Black Basta and Akira. The vulnerability, identified as CVE-2024-37085, allows a threat actor to create a group named “ESX Admins” on the Active Directory domain and add users to it. By default, any member of the group has full administrative access. With the vulnerability being actively exploited, it is recommended that organizations with domain-joined ESXi hypervisors install the update VMware released on their website to fix the issue.
What’s New and Notable
- CVE-2024-37085 can be exploited in several ways, either by adding an “ESX Admins” group to the domain and adding users to it or simply by renaming any group in the domain to “ESX Admins.”
- Microsoft researchers observed threat actors earlier this year gaining initial access to a victim and then creating an “ESX Admins” group to encrypt the hosted virtual machines on the ESXi hypervisor with Black Basta ransomware.
- In addition to installing VMware’s security update to fix the CVE-2024-37085 vulnerability, researchers also recommend users protect their privileged accounts from unauthorized users, identify any critical assets and potential vulnerabilities in their network, and maintain adequate monitoring, backups, and recovery plans.
Analyst Comments
VMware’s ESXi is a popular product used by thousands of organizations worldwide for virtualizing servers, which often host critical applications, data, and backups. As such, threat actors have increasingly targeted ESXi in recent years, with several threat groups deploying dedicated Linux encryptors for ESXi virtual machines. The latest vulnerability allows threat actors to gain privilege escalation, move laterally throughout the network, steal data, or deploy malicious payloads. Given this threat, organizations with domain-joined ESXi hypervisors should apply the available update provided by VMware. In addition to the software update and risk mitigation recommendations provided by researchers, organizations should also monitor their networks for signs of compromise and consider additional security measures to protect against vulnerabilities in the future.
Sources
- Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption
- Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks
- NVD: CVE-2024-37085 Detail
- VMSA-2024-0013:VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2024-37085, CVE-2024-37086, CVE-2024-37087)
Related Resources
![]()
Interlock: An Emerging Ransomware Threat
An analysis of the Interlock ransomware group, their tactics, and their impact across various industries.
Read more![]()
Malware Spotlight: Akira Ransomware
Arete has responded to over one hundred incidents attributed to the Akira ransomware group. This spotlight explores Akira’s observed behavior, statistics from Incident Response engagements, and a technical analysis of Akira’s ransomware executable.
Read more![]()
Black Basta Leverages New Social Engineering Technique
Black Basta, a ransomware group active since at least April 2022, is deploying a new social engineering tactic using Microsoft Teams in an active campaign.
Read more
