Protect Your Network Now: VMware Vulnerability Exploited to Spread Ransomware!



Hackers Exploit VMware ESXi Auth Bypass Vulnerability to Spread Ransomware

Security researchers have discovered that the BlackByte ransomware group is actively exploiting a recently patched authentication bypass vulnerability in VMware ESXi virtual appliances to deploy ransomware and gain full administrative access to victims' networks.


The vulnerability, tracked as *CVE-2024-37085*, allows attackers to bypass authentication on VMware ESXi systems that are linked to an Active Directory domain.


By exploiting this flaw, BlackByte operators can create a malicious "ESX Admins" group and add users to it, automatically granting them full administrative privileges on the ESXi virtual appliance.


Cisco Talos researchers observed that BlackByte has exploited this vulnerability in recent attacks, noting that the group "continues to iterate its use of vulnerable drivers to bypass security protections and deploy self-propagating ransomware."


Exploitation Sequence:

1. Initial access is obtained through valid VPN credentials, likely acquired via brute-force attacks.

2. The attackers escalate privileges by compromising domain administrator accounts.

3. They create an Active Directory "ESX Admins" group and add malicious accounts to it.

4. Because of the CVE-2024-37085 vulnerability, this grants the attackers full administrative access to every ESXi host joined to the domain.

5. The BlackByte ransomware is then deployed, using a self-spreading mechanism to propagate across the network.


The latest version of the BlackByte ransomware adds the ".blackbytent_h" extension to encrypted files. It also drops four vulnerable drivers as part of its Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security controls:


- RtCore64.sys (MSI Afterburner driver)

- DBUtil_2_3.sys (Dell firmware update driver)

- zamguard64.sys (Zemana Anti-Malware driver)

- gdrv.sys (GIGABYTE driver)


It operates primarily from the "C:\SystemData" directory, where several common files are created across all BlackByte victims, including a text file called "MsExchangeLog1.log," which appears to be a log for tracking operations where execution stages are recorded as "q", "w", and "b" separated by commas, according to Talos.


Notably, the ransomware binary appears to contain stolen credentials from the victim's environment, allowing it to authenticate and spread to other systems using SMB and NTLM.


Microsoft researchers have also observed multiple ransomware groups, including **Storm-0506** and **Storm-1175**, exploiting CVE-2024-37085 in attacks leading to the deployment of Akira and Black Basta ransomware.


BlackByte has targeted a wide range of industries without heavily focusing on any specific sector. Its victims include critical infrastructure, private companies, and government entities across multiple sectors.


Organizations are strongly advised to patch their VMware ESXi systems to version 8.0 U3 or later to address this vulnerability. If immediate patching isn't possible, VMware has provided workarounds, including changing specific advanced ESXi settings.


The rapid adoption of this vulnerability by BlackByte underscores the ongoing arms race between cybercriminals and defenders. As ransomware tactics continue to evolve, organizations must remain vigilant and prioritize timely patching and security hardening for critical infrastructure components like virtualization platforms.


Defenders should monitor for the creation of suspicious Active Directory groups, unexpected privilege escalation on ESXi hosts, and signs of lateral movement using compromised credentials. Implementing strong access controls, network segmentation, and robust backup strategies remains critical in mitigating the impact of ransomware attacks targeting virtual environments.
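As an added example (not code from the article or from Talos), the following detector flags the Active Directory activity described above: creation of a group named "ESX Admins" and members being added to it. It also covers an existing group being renamed to that name, which is a variant of the same abuse. The log lines are constructed samples in a simplified key=value export format; the Windows Security event IDs 4727, 4728 and 4781 are real, but the field layout is an assumption about your SIEM's export, so adjust the parser to match it.

```python
import re

# Constructed sample events in a simplified key=value SIEM export format (not
# real logs). 4727 = security-enabled global group created, 4728 = member added
# to such a group, 4781 = account (here: a group) renamed.
SAMPLE_EVENTS = """\
EventID=4727 TimeCreated=2024-08-28T02:14:07Z SubjectUserName=jdoe TargetUserName="ESX Admins" TargetDomainName=CORP
EventID=4728 TimeCreated=2024-08-28T02:14:20Z SubjectUserName=jdoe MemberName="CN=svc-backup,OU=Users,DC=corp,DC=local" TargetUserName="ESX Admins" TargetDomainName=CORP
EventID=4781 TimeCreated=2024-08-28T02:30:00Z SubjectUserName=jdoe OldTargetUserName="Helpdesk" NewTargetUserName="esx admins" TargetDomainName=CORP
EventID=4727 TimeCreated=2024-08-28T03:00:00Z SubjectUserName=itadmin TargetUserName="Printer Ops" TargetDomainName=CORP
EventID=4728 TimeCreated=2024-08-28T03:01:00Z SubjectUserName=itadmin MemberName="CN=alice,OU=Users,DC=corp,DC=local" TargetUserName="Domain Admins" TargetDomainName=CORP
"""

WATCHED_GROUP = "esx admins"  # compared case-insensitively to catch casing variants
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces and '='."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _FIELD.finditer(line)}

def classify(ev):
    """Return an alert string if this event touches the watched group, else None."""
    eid = ev.get("EventID")
    if eid == "4727" and ev.get("TargetUserName", "").lower() == WATCHED_GROUP:
        return f"group created: {ev['TargetUserName']} by {ev.get('SubjectUserName')}"
    if eid == "4728" and ev.get("TargetUserName", "").lower() == WATCHED_GROUP:
        return f"member added to {ev['TargetUserName']}: {ev.get('MemberName')} by {ev.get('SubjectUserName')}"
    if eid == "4781" and ev.get("NewTargetUserName", "").lower() == WATCHED_GROUP:
        return f"group renamed to {ev['NewTargetUserName']} (was {ev.get('OldTargetUserName')}) by {ev.get('SubjectUserName')}"
    return None

def find_alerts(text):
    """Scan a log export and return (timestamp, alert) tuples for suspicious events."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        msg = classify(ev)
        if msg:
            alerts.append((ev.get("TimeCreated"), msg))
    return alerts

if __name__ == "__main__":
    for ts, msg in find_alerts(SAMPLE_EVENTS):
        print(ts, msg)
```

Running it on the sample data yields three alerts (the group creation, the member addition, and the rename) and stays silent on the routine "Printer Ops" and "Domain Admins" changes.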


VMware has released a security update to address the CVE-2024-37085 vulnerability. 



Immediate Actions:

- Apply the Patch: Administrators should prioritize applying the security patches provided by VMware on all affected systems.

- Network Segmentation: Isolate critical systems and restrict network access to VMware ESXi and vCenter Server management interfaces.

- Monitoring and Logging: Implement strong monitoring and logging mechanisms to detect any unauthorized access attempts.

- Regular Audits: Conduct regular security audits and vulnerability assessments to ensure the integrity of the virtual environment.
