Cybersecurity Threat Advisory: VMware ESXi vulnerability exploited by BlackByte ransomware

What is the threat?

Attackers can bypass authentication on VMware ESXi systems integrated with an Active Directory (AD) domain using CVE-2024-37085, which grants them full administrative access. The vulnerability lies in how the ESXi server handles this response from the AD domain controller. Attackers can exploit this flaw by intercepting and manipulating the authentication traffic between the ESXi server and the domain controller. To achieve this, attackers forge a response to trick the ESXi server into believing that the user attempting to log in has been authenticated, even though the user has not provided valid credentials. This forged response can include information that grants the attacker administrative privileges on the ESXi server.

The attacker is granted full administrative access to the hypervisor once the ESXi server accepts the forged response. This level of access allows the attacker to control all aspects of the virtualized environment, including creating, modifying, or deleting virtual machines, and altering the configuration of the hypervisor itself. With administrative control, the attacker can deploy ransomware across all virtual machines hosted on the compromised ESXi servers. The ransomware can be executed via scripts or direct commands, leading to the encryption of data on each virtual machine. Once the encryption is complete, the attacker typically demands a ransom payment in exchange for the decryption keys.

Why is it noteworthy?

The ability for attackers to gain administrative access without valid credentials significantly escalates the types of attacks against virtualized infrastructure. Additionally, since the vulnerability exists in systems integrated with Active Directory—a common configuration in enterprise networks—means that a large number of organizations could be at risk. The rapid adoption of the exploit by the BlackByte ransomware group further underscores the urgency of addressing this issue, as it indicates a high level of sophistication and coordination among threat actors.

What is the exposure or risk?

Organizations using VMware ESXi systems integrated with Active Directory face heightened risk, especially if they have not applied the necessary patches to mitigate this vulnerability. The exposure is severe as attackers who successfully exploit CVE-2024-37085 can gain unrestricted access to the virtual environment, potentially leading to a complete takeover of network operations. This access can result in the encryption of entire virtual environments, leading to data loss, disruption of services, and expensive ransom demands.

What are the recommendations?

Barracuda MSP recommends the following actions to keep your environment secure:

Apply the latest patches released by VMware to address CVE-2024-37085 on all ESXi servers.
Apply strong authentication mechanisms and minimal privileges to ESXi systems integrated with Active Directory.
Isolate critical virtual environments from other parts of the network to limit the potential impact of an exploit.
Remove legacy VPN policies and ensure that authentication attempts not matching a current VPN policy are denied by default. Restrict VPN access to only necessary network segments and services to limit exposure of critical assets like Domain Controllers.
Regularly back up virtual machines and test recovery procedures to ensure they are effective against ransomware scenarios.
Prioritize “verified push” as the MFA method over less secure options such as SMS or phone call, for all remote access and cloud connections.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.

Categories

Tags

Archives