Alert essentials:
Many threat groups use this vulnerability as a post-compromise technique to create Active Directory groups on domain-joined ESXi hypervisors.

Install an upgrade or mitigate immediately.

Detailed threat description:
At least six different ransomware groups are exploiting an Active Directory (AD) integration authentication bypass in VMware ESXi hypervisors. If an ESXi host is joined to an AD domain, attackers create a new domain group that the host treats as having administrative access and add themselves to it.

An AD group named “ESX Admins” does not exist by default. However, once an ESXi host is joined to the domain, it grants full administrative access to any group with that name.

Originally a zero-day, the vulnerability leads to lateral movement and deployment of malware that encrypts files.

A version upgrade is available to remediate ESXi version 8 and VMware Cloud Foundation version 5. No patch is planned for ESXi version 7 or older, or for Cloud Foundation 4.x or older. A proposed mitigation involves modifying certain advanced ESXi settings. Detailed instructions are available through the links provided below.

Financially motivated threat groups frequently target VMware servers due to their widespread use. To protect against these and other large-scale attacks, ensure security patches are up to date, minimize the number of open ESXi firewall ports, and consider enabling ESXi Lockdown mode.
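The following is an added example, not part of the original alert, showing how a defender might check the two mitigation points the alert describes: that the advanced ESXi settings controlling the “ESX Admins” behaviour have been changed, and that domain controller security logs are watched for creation of, or membership changes to, a group by that name. The setting names are the ones VMware documents for CVE-2024-37085; the settings dictionary, the log line format and the event samples are constructed for this example, and the helper functions are hypothetical names chosen here.

```python
"""Added example (not the alert's own code): audit ESXi advanced settings for the
CVE-2024-37085 mitigation and flag AD security events that create or populate
an 'ESX Admins' group. All sample inputs below are constructed."""
import re

# Group name ESXi honours by default when the host is domain-joined.
ESX_ADMINS_DEFAULT = "ESX Admins"

# Advanced settings named in VMware's mitigation guidance for this CVE.
# Assumption: the caller has already exported them (for example with
# 'esxcli system settings advanced list') into a plain {name: value} dict.
GROUP_SETTING = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
AUTOADD_SETTING = "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"


def audit_settings(settings: dict) -> list:
    """Return a list of findings; an empty list means the mitigation is in place."""
    findings = []
    # Missing key is treated as the default (auto-add enabled), i.e. vulnerable.
    auto_add = str(settings.get(AUTOADD_SETTING, "true")).strip().lower()
    if auto_add != "false":
        findings.append(f"{AUTOADD_SETTING} should be false (currently {auto_add})")
    group = str(settings.get(GROUP_SETTING, ESX_ADMINS_DEFAULT))
    if group.strip().lower() == ESX_ADMINS_DEFAULT.lower():
        findings.append(f"{GROUP_SETTING} still uses the default group name '{group}'")
    return findings


# Windows security events on a domain controller:
#   4727 = a security-enabled global group was created
#   4728 = a member was added to a security-enabled global group
# The line format below is constructed for this example; adapt the regex to
# whatever your SIEM exports.
EVENT_RE = re.compile(
    r'EventID=(?P<id>\d+)\s+Group="(?P<group>[^"]+)"(?:\s+Member="(?P<member>[^"]+)")?'
)


def flag_group_events(lines) -> list:
    """Return (event_id, group, member) tuples for suspicious 'ESX Admins' activity."""
    hits = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        # Case-insensitive match so a differently cased variant is not missed.
        if m.group("id") in ("4727", "4728") and \
                m.group("group").strip().lower() == ESX_ADMINS_DEFAULT.lower():
            hits.append((m.group("id"), m.group("group"), m.group("member")))
    return hits


# Constructed sample data.
VULNERABLE_SETTINGS = {
    GROUP_SETTING: "ESX Admins",
    AUTOADD_SETTING: "true",
}
HARDENED_SETTINGS = {
    GROUP_SETTING: "",          # no group is auto-mapped to admin
    AUTOADD_SETTING: "false",
}
SAMPLE_EVENTS = [
    '2024-07-29T10:14:02Z EventID=4727 Group="ESX Admins" Subject="CORP\\jdoe"',
    '2024-07-29T10:14:05Z EventID=4728 Group="ESX Admins" Member="CORP\\jdoe"',
    '2024-07-29T10:20:11Z EventID=4728 Group="Helpdesk" Member="CORP\\asmith"',
]

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_settings(cfg) or "OK")
    for hit in flag_group_events(SAMPLE_EVENTS):
        print("ALERT", hit)
```

The settings audit treats an absent key as the vulnerable default, since a host that has never had these values changed is exactly the case the alert warns about; the event check only covers group creation and membership additions, so pair it with monitoring for group renames if your logging captures them.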

Impacts on healthcare organizations:
Healthcare providers store vast amounts of sensitive patient data, which is often shared through interconnected and interoperable networking. A successful cyber attack not only disrupts the use of lifesaving technology but can also lead to data theft, exposing patients to identity theft and financial fraud.

Affected products / versions:

VMware Cloud Foundation
VMware vCenter Server
VMware vSphere ESXi

CVEs
CVE-2024-37085
CVE-2024-37086
CVE-2024-37087

Recommendations

Engineering recommendations:

  • Immediately deploy patches to any vulnerable systems
  • Consider creating the ‘ESX Admins’ group in the domain yourself and adding a user to it
  • Utilize multifactor authentication (MFA) on all accounts
  • Adopt comprehensive security practices for all virtual environments
  • Store encrypted backups in a separate system or network

Engineering recommendations:

  • Employ security standards and benchmarking frameworks to ensure properly secured configurations
  • Develop incident response plans and be prepared in the event technology resources are not available for operations
  • Consider developing or updating your change control policy to include provisions for emergency or expedited change control processes in situations like this

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References: