BlackByte ransomware still capitalizing on known VMware ESXi flaw


Despite multiple warnings and orders for US federal agencies to patch a vulnerability in VMware ESXi, an enterprise-class software for hosting virtual machines, ransomware operators are still taking advantage of it.

Cisco Talos researchers have uncovered that an authentication bypass vulnerability in VMware ESXi is being actively exploited by BlackByte, a ransomware-as-a-service (RaaS) group believed to be a branch of the defunct but notorious Conti ransomware gang.

Many organizations use VMware ESXi to deploy and manage virtual machines (virtual servers). However, on July 29th, Microsoft disclosed an authentication bypass vulnerability affecting the software. This vulnerability allows attackers to gain full administrative permissions and encrypt all hosted virtual machines, including critical ones.


“Talos Incident Response (IR) observed the threat actor leveraging this vulnerability, which initially received limited attention from the security community, within days of its publication,” the report reads.

“This highlights the speed with which ransomware groups like BlackByte can adapt.”

The situation is a departure from established BlackByte tradecraft – continuous iteration of vulnerable drivers to bypass security protections and deployment of a self-propagating, wormable ransomware encryptor.

The US Cybersecurity and Infrastructure Security Agency (CISA) previously said that federal agencies must remediate the flaw within three weeks, by August 20th, and strongly urged all organizations to apply the available update.

What do we know about BlackByte’s tactics?

Recent BlackByte ransomware attacks started with hackers using valid credentials to log into the victim organization’s VPN. It's unclear how the threat actor obtained the credentials.

Talos IR speculates that brute-force authentication facilitated via internet scanning is plausible, as compromised accounts had basic naming conventions and weak passwords. The VPN interfaces may have allowed a connection without multi-factor authentication. BlackByte also has a history of scanning for and exploiting public-facing vulnerabilities.
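The initial-access pattern described above (a burst of failed VPN logins followed by a success, no MFA, generic account names) is something a defender can hunt for in authentication logs. The following is an added example, not code from the Talos report or from this article; the log format, the sample lines and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (hypothetical format, not a real product's).
SAMPLE_LOG = """\
2024-08-01T02:00:01Z src=203.0.113.7 user=admin result=FAIL mfa=none
2024-08-01T02:00:03Z src=203.0.113.7 user=backup result=FAIL mfa=none
2024-08-01T02:00:05Z src=203.0.113.7 user=test result=FAIL mfa=none
2024-08-01T02:00:08Z src=203.0.113.7 user=admin1 result=FAIL mfa=none
2024-08-01T02:00:11Z src=203.0.113.7 user=guest result=FAIL mfa=none
2024-08-01T02:00:14Z src=203.0.113.7 user=admin result=SUCCESS mfa=none
2024-08-01T09:15:00Z src=198.51.100.4 user=jdoe result=SUCCESS mfa=push
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+)$")
# Account names of the kind the report calls "basic naming conventions" (assumed list).
GENERIC_NAMES = {"admin", "administrator", "test", "backup", "guest"}

def parse(log):
    # Turn raw lines into dicts with a datetime timestamp; skip lines that do not match.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def find_suspicious_logins(log, min_failures=5, window=timedelta(minutes=10)):
    """Flag each SUCCESS preceded by >= min_failures FAILs from the same source within
    `window`, any SUCCESS without MFA, and logins to generic names. Returns (src, user, reasons)."""
    failures = defaultdict(list)  # src -> timestamps of failed attempts
    findings = []
    for e in parse(log):
        if e["result"] == "FAIL":
            failures[e["src"]].append(e["ts"])
            continue
        reasons = []
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            reasons.append(f"success after {len(recent)} failures from {e['src']}")
        if e["mfa"] == "none":
            reasons.append("no MFA on successful login")
        if e["user"].lower() in GENERIC_NAMES:
            reasons.append("generic account name")
        if reasons:
            findings.append((e["src"], e["user"], reasons))
    return findings
```

On the constructed sample, only the `admin` login from 203.0.113.7 is flagged, with all three reasons; the MFA-backed `jdoe` login is not.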

After successful initial access, the threat actor escalated privileges by compromising two Domain Admin-level accounts. Exploiting the aforementioned vulnerability, BlackByte gained elevated privileges on an ESXi host and control over virtual machines.


Using SMB (Server Message Block) and RDP (Remote Desktop Protocol) protocols, BlackByte moved laterally, accessing files within each victim environment. The threat actor was observed executing a malicious payload and tampering with security tool configurations via system registry modifications. It manually uninstalled an endpoint detection and response (EDR) solution from key systems.

Ransomware deployment in recent cases was similar to prior reports. The notable change is that encrypted files were rewritten with a new file extension, “blackbytent_h.”

Researchers estimate that only 20-30% of successful BlackByte attacks end up as extortion posts on the group's dark web data leak site, suggesting that its activity is higher than the public disclosures imply. BlackByte most often targets manufacturers.

VMware ESXi hypervisors are also targeted by other cybercriminals. Microsoft, in its initial findings, warned that Black Basta, Storm-1175, Akira, Octo Tempest, and Manatee Tempest exploited the vulnerability in numerous attacks.