Ransomware gangs are loving this dumb but deadly make-me-admin ESXi vulnerability
- Reference: 1722338169
- News link: https://www.theregister.co.uk/2024/07/30/make_me_admin_esxi_flaw/
- Source link:
CVE-2024-37085 only carries a 6.8 CVSS rating, but has been used as a post-compromise technique by many of the world's most high-profile ransomware groups and their affiliates, including Black Basta, Akira, Medusa, and Octo Tempest/Scattered Spider.
The vulnerability allows attackers who have the necessary privileges to create AD groups – which isn't necessarily an AD admin – to gain full control of an ESXi hypervisor.
[1]
This is bad for obvious reasons. Having unfettered access to all running VMs and critical hosted servers offers attackers the ability to steal data, move laterally across the victim's network, or just cause chaos by ending processes and encrypting the file system.
[2]
[3]
The "how" of the exploit is what caused such a stir in cyber circles. There are three ways of exploiting CVE-2024-37085, but the underlying logic flaw in ESXi enabling them is what's attracted so much attention.
Essentially, if an attacker was able to add an AD group called "ESX Admins," any user added to it would by default be considered an admin.
[4]
That's it. That's the exploit.
"This method is actively exploited in the wild by the abovementioned threat actors," Microsoft [5]warned last night . "In this method, if the 'ESX Admins' group doesn't exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group."
Another way of doing it would be to rename an existing AD group to the same "ESX Admins" name and add themselves to it. Boom – admin privileges. This method hasn't been used in practice, according to Microsoft, but it's equally as feasible to pull off.
[6]
The final method Microsoft described pertains more to how the logic flaw persists even if a network admin assigns another AD group to manage the hypervisor. As long as a group called "ESX Admins" exists, the admin privileges of the users added to it aren't immediately removed leaving them open for abuse.
Broadcom said in a [7]security advisory that it already issued a patch for CVE-2024-37085 on June 25, but only updated Cloud Foundation as recently as July 23, which is perhaps why Microsoft's report only just went live.
Jake Williams, VP of research and development at Hunter Strategy and IANS faculty member, was critical of Broadcom's approach to security, especially with regard to the severity it assigned the vulnerability.
He [8]said : "So you create an AD group 'ESX Admins' and by default, VMware is just like 'oh, so you're the admin now?'
"And then to make it dumber, VMware classifies this as a moderate severity, despite knowing ransomware TAs are actively using it?
"I can only conclude Broadcom is not serious about security. I don't know how you conclude anything else. Oh also, there are no patches planned for ESXi 7.0."
Many commentators have questioned why an organization would join their ESXi hosts to AD in the first place, despite it being a relatively common practice.
"Why are ESX servers joined with an active directory in the first place? Because it is convenient to manage admin access to servers using a centralized platform in large corporations," Dr Martin J Kraemer, security awareness advocate at KnowBe4, told The Register .
"This is very common but also creates challenges. In many environments, the AD itself might run on a VM. Cold boot can be a nightmare. A chicken and egg problem. How can you start ESX without AD while AD runs on ESX? Admins must think about this. A well-known challenge.
"The other reality is many platforms connected to AD and some of those synchronizing groups and credentials with the AD. Because some applications can be considered privileged sync-partners, e.g. Azure, there might also be a risk of that other platform (Azure) requiring lesser privileges for the same operation that AD would require higher privileges.
"If that happens to be the privilege to create a user group 'ESX Admins' which is then synchronized to AD and string-matched as a super admin group by ESX, you have the perfect combination. A great way in for attackers. One must make sure that privileges are properly matched between systems and their synchronization."
A gift for ransomware groups
Octo Tempest/ [9]Scattered Spider , Manatee Tempest/ [10]Evil Corp , Storm-0506/ [11]Black Basta , and Storm-1175 (which is a known user of [12]Medusa ransomware) are just some of the many groups using this post-exploitation technique in the wild.
[13]Secure Boot useless on hundreds of PCs from major vendors after key leak
[14]North Korean chap charged for attacks on US hospitals, military, NASA – and even China
[15]Beware of fake CrowdStrike domains pumping out Lumma infostealing malware
[16]Administrators have update lessons to learn from the CrowdStrike outage
Microsoft has seen [17]Akira , [18]Babuk , [19]LockBit , and Kuiper ransomware variants also deployed following the exploitation of ESXi hypervisors, which have become a hot target for financially motivated cybercriminals in recent years.
"Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target," it said.
Microsoft also said that ESXi hypervisors often fly further under the radar in security operations centers (SOCs) because security solutions often don't have the necessary visibility into ESXi, potentially allowing attackers to go undetected for longer periods of time.
Because of the destruction a successful ESXi attack could cause, attacks have risen sharply. In the past three years, the targeting of ESXi hypervisors has doubled.
Various ransomware-as-a-service (RaaS) groups have developed ESXi-specific variants of their payloads during that time, including [20]Play , Mallox, [21]Cheers , and [22]BlackSuit , which are just some of those who also capitalized on the trend.
Last year, the [23]ESXiArgs variant was running rampant for some time – a project seemingly dedicated only to targeting ESXi, rather than a brand extension of an existing RaaS group.
More recently, Microsoft detailed an attack it observed at a North American engineering company hit by Black Basta ransomware after the criminals exploited CVE-2024-37085.
They gained initial access through a [24]Qakbot infection before exploiting CVE-2023-28252, a Windows CLFS privilege escalation vulnerability. The Python version of the post-exploit toolkit Mimikatz, Pypykatz, was then used to steal the account credentials of domain controllers.
Attackers then took measures to establish persistent access before exploiting CVE-2024-37085 and encrypting the ESXi file system.
Microsoft recommends that all ESXi users install the available patches and scrub up their credential hygiene to prevent future attacks, as well as use a robust vulnerability scanner, if you don't already. ®
Get our [25]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZqkOJud2hNwme6BLhQQ9JgAAAMI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqkOJud2hNwme6BLhQQ9JgAAAMI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqkOJud2hNwme6BLhQQ9JgAAAMI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqkOJud2hNwme6BLhQQ9JgAAAMI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqkOJud2hNwme6BLhQQ9JgAAAMI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
[8] https://infosec.exchange/@malwarejake/112871647569887688
[9] https://www.theregister.com/2024/07/16/scattered_spider_ransom/
[10] https://www.theregister.com/2022/06/03/evil-corp-ransomware-sanctions/
[11] https://www.theregister.com/2024/05/13/cisa_ascension_ransomware/
[12] https://www.theregister.com/2023/04/19/medusa_microsoft_data_dump/
[13] https://www.theregister.com/2024/07/29/infosec_roundup/
[14] https://www.theregister.com/2024/07/26/andariel_indictment_north_korea/
[15] https://www.theregister.com/2024/07/25/crowdstrike_lumma_infostealer/
[16] https://www.theregister.com/2024/07/23/crowdstrike_lessons_to_learn/
[17] https://www.theregister.com/2024/06/09/akira_the_next_big_thing/
[18] https://www.theregister.com/2024/01/09/babuk_tortilla_decryptor_arrests/
[19] https://www.theregister.com/2024/02/22/lockbit_dismantled_new_variant/
[20] https://www.theregister.com/2024/03/08/swiss_government_files_ransomware/
[21] https://www.theregister.com/2022/05/26/vmware-cheers-ransomware/
[22] https://www.theregister.com/2023/11/14/us_confirms_royalblacksuit_ransomware_ties/
[23] https://www.theregister.com/2023/02/08/esxiargs_ransomware_recovery_script/
[24] https://www.theregister.com/2023/12/19/qakbot_returns/
[25] https://whitepapers.theregister.com/
Re: A relief for Microsoft . . .
A potential solution to so many problems would be for Microsoft to hire a North Korean hacker, offering the hacker US residency and $200,000 a year once Microsoft is no longer having any hacking risks. That sounds expensive but imaging how happy we would all be if malware and user hacking was eliminated in the Microsoft operational user world.
Let's eliminate "Windows" (too easy to open) and move to a new "Lockedcastle" operating system.
by design
Noted someone in another forum dig up esx 4.1 guide(the last version of esx I was excited about), and saw this group setup is specifically how you would assign admin access, on that initial implementation of AD support.
For me, another nothing burger, as a Linux person, have never had my hosts connected to AD. I did run AD for a few years for vcenter 5, but once we switched it to 6.5, wemt with ldap auth against OpenLDAP which we used in Linux already(and killed the windows domain). ESXi hosts only using local auth. Almost never have to login directly to a host anyway, most things are done through vcenter.
A relief for Microsoft . . .
They're involved, but it's not their fault for once.
The comment about AD authorization being a chicken-and-egg problem is certainly well-known . . . to anyone who's ever had to recover any directory-joined environment. Obviously, one needs local credentials to bootstrap the VMware environment if the AD servers have gone down, and many orgs keep at least one physical domain controller around for just this reason.
Also, aren't KnowBe4 the ones who hired a North Korean hacker? Maybe they should get their own house in order before dispensing advice.