Virtual machines at risk as ransomware gangs exploit dangerous VMware vulnerability


VMware’s enterprise-class software for hosting virtual machines (ESXi) contains a bug that hackers are actively exploiting. They gain full administrative permissions by creating a group called “ESX Admins” and adding themselves to it.

The US Cybersecurity and Infrastructure Security Agency strongly recommends that all organizations prioritize the timely remediation of the VMware ESXi Authentication Bypass Vulnerability.

VMware ESXi is used to deploy and manage virtual machines (virtual computers). Microsoft discovered that this software contains an authentication bypass vulnerability.


The NIST National Vulnerability Database describes the flaw as follows: “A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESX Admins’ by default) after it was deleted from AD.”

Security expert Kevin Beaumont explained on Mastodon that a hacker could then encrypt every VMware system, including non-Windows.

Microsoft warns that multiple ransomware operators, such as Black Basta, Storm-1175, Akira, Octo Tempest, and Manatee Tempest, utilized the technique in numerous attacks. In several cases, hackers managed to deploy ransomware.

ESXi hypervisors are favored targets for attackers because compromising a single hypervisor lets malicious actors encrypt multiple systems at once.

“We have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase the impact on the organizations they target,” Microsoft said.

One engineering firm in North America was affected by a Black Basta attack in this way. Hackers gained initial access to the organization via a Qakbot (information stealer) infection and then elevated their privileges using the Windows CLFS vulnerability.

A combination of Cobalt Strike and Pypykatz (a Python version of Mimikatz) was used to steal the credentials of two domain administrators and move laterally. After the threat actor created the “ESX Admins” group in the domain and added a new user account to it, the threat actor encrypted the ESXi file system.

Apparently, VMware ESXi hypervisors by default grant full administrative access to any member of a domain group named “ESX Admins”, without any authentication of, or additional checks on, whether that group is legitimate.


“This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treat any members of a group with this name with full administrative access, even if the group did not originally exist. Additionally, the membership in the group is determined by name and not by security identifier (SID),” Microsoft’s report reads.
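Because membership is evaluated by group name rather than SID, the creation of any domain group called “ESX Admins” (or a member being added to one) is itself a high-signal event for defenders. The following Python is an added example, not code from the article or from Microsoft: it scans constructed Windows Security-log records for group-creation events (IDs 4727/4754) and member-add events (IDs 4728/4756) on a group by that name; the case- and whitespace-insensitive match is an assumption made to avoid trivial evasion.

```python
"""Flag creation of, or membership changes to, an AD group named 'ESX Admins'
in Windows Security event records.  Constructed example; the sample events
below are made up and are not from any real environment."""
import re
from typing import Iterable

# Security-enabled group created (global / universal) and member added.
GROUP_CREATED = {4727, 4754}
MEMBER_ADDED = {4728, 4756}
# ESXi matches the group by name, not SID, so compare names loosely
# (case- and whitespace-insensitive; an assumption, not ESXi's exact rule).
TARGET = re.compile(r"^\s*esx\s*admins\s*$", re.IGNORECASE)


def find_esx_admins_activity(events: Iterable[dict]) -> list[dict]:
    """Return one alert per event that creates or populates an 'ESX Admins' group."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        group = ev.get("TargetUserName", "")
        if eid in GROUP_CREATED and TARGET.match(group):
            alerts.append({"time": ev["TimeCreated"], "kind": "group_created",
                           "group": group, "actor": ev.get("SubjectUserName")})
        elif eid in MEMBER_ADDED and TARGET.match(group):
            alerts.append({"time": ev["TimeCreated"], "kind": "member_added",
                           "group": group, "actor": ev.get("SubjectUserName"),
                           "member": ev.get("MemberName")})
    return alerts


# Constructed sample records, shaped like fields pulled from Security.evtx.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-07-29T10:02:11Z", "EventID": 4727,
     "TargetUserName": "Finance Users", "SubjectUserName": "helpdesk1"},
    {"TimeCreated": "2024-07-29T10:05:42Z", "EventID": 4727,
     "TargetUserName": "ESX Admins", "SubjectUserName": "svc_backup"},
    {"TimeCreated": "2024-07-29T10:05:50Z", "EventID": 4728,
     "TargetUserName": "ESX Admins", "SubjectUserName": "svc_backup",
     "MemberName": "CN=newadmin,CN=Users,DC=corp,DC=example"},
    {"TimeCreated": "2024-07-29T10:07:03Z", "EventID": 4728,
     "TargetUserName": "Finance Users", "SubjectUserName": "helpdesk1",
     "MemberName": "CN=alice,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for alert in find_esx_admins_activity(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this raises two alerts, both attributed to the same account, which is exactly the creation-then-population sequence the article describes.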

VMware assigned this vulnerability a score of 6.8 out of 10, which some believe is too low.

“So you create an AD group "ESX Admins," and by default, VMware is just like ‘oh, so you're the admin now?!’ And then to make it dumber, VMware classifies this as a *moderate* severity, despite knowing ransomware TAs are actively using it? I can only conclude Broadcom is not serious about security,” security researcher Jake Williams posted.

According to CISA, federal agencies must remediate the vulnerability within three weeks, with a due date of August 20th.

“Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable,” CISA said.

Broadcom’s advisory suggests applying the available security updates. Microsoft also recommends protecting highly privileged accounts and improving the security posture of critical assets.