
Microsoft calls out apparent ESXi vulnerability that some researchers say is a ‘nothing burger’ 

Attackers exploited the vulnerability by creating an admins group and adding new users to it, Microsoft researchers say.
The logo of American cloud computing and virtualization technology company VMware is seen at the Mobile World Congress (MWC), the telecom industry's biggest annual gathering, in Barcelona on March 2, 2023. (Photo by JOSEP LAGO/AFP via Getty Images)

A range of cybercriminals engaged in extortion and ransomware attacks are exploiting what researchers with Microsoft described as a vulnerability in VMware’s ESXi hypervisor, according to a blog posted Monday.

The vulnerability allowed attackers to add users to an attacker-created admins group, which could then facilitate full administrative permissions on domain-joined ESXi hypervisors, according to a blog post by Microsoft Threat Intelligence.

Others have pointed out that the “vulnerability” is, in fact, a “well known feature” in VMware vSphere that has been documented and discussed for more than a decade, and that attackers abusing the technique in the wild would already have deep access into a victim’s environment.

Nevertheless, researchers with Microsoft said the technique is being abused by highly effective cybercriminal operations as part of extortion and ransomware operations.


The vulnerability, tracked as CVE-2024-37085, impacted VMware ESXi, VMware vCenter Server and VMware Cloud Foundation and was updated June 25, according to Broadcom, VMware’s parent company. The Cybersecurity and Infrastructure Security Agency added the CVE to its Known Exploited Vulnerability Catalog on Tuesday.

To exploit the vulnerability, attackers ran commands to create a new “ESX Admins” group, followed by adding a new user to that group. “Successful exploitation leads to full administrative access to the ESXi hypervisors, allowing threat actors to encrypt the file system of the hypervisor, which could affect the ability of the hosted servers to run and function,” the researchers said. “It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.”
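The technique described above (and in the summary earlier in the article) hinges on an Active Directory group name, so the most direct defensive check is to watch the domain controller's security log for that group being created or gaining members. The following is an added example written for this article, not code from Microsoft, VMware or CyberScoop. It assumes the standard Windows Security event IDs 4727 (security-enabled global group created) and 4728 (member added to a security-enabled global group), and runs over a small constructed JSON-lines export whose field names are a simplification of the real event schema; the group name is matched case-insensitively as a conservative detection choice so a re-cased variant is not missed.

```python
import json
from typing import Iterable

# Group name that domain-joined ESXi treats as its admin group (from the article).
WATCHED_GROUP = "esx admins"  # compared case-insensitively, a detection design choice

# Windows Security event IDs (standard Microsoft values, not from the article):
#   4727: a security-enabled global group was created
#   4728: a member was added to a security-enabled global group
GROUP_CREATED = 4727
MEMBER_ADDED = 4728

# Constructed sample log: JSON lines shaped like a minimal export of Windows
# Security events. Field names are a simplification, not the real schema.
SAMPLE_LOG = """\
{"EventID": 4727, "TargetUserName": "Finance-Readers", "SubjectUserName": "hr.admin", "TimeCreated": "2024-07-29T08:01:00Z"}
{"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "svc_backup", "TimeCreated": "2024-07-29T08:02:10Z"}
{"EventID": 4728, "TargetUserName": "ESX Admins", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example", "SubjectUserName": "svc_backup", "TimeCreated": "2024-07-29T08:02:15Z"}
{"EventID": 4728, "TargetUserName": "Finance-Readers", "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example", "SubjectUserName": "hr.admin", "TimeCreated": "2024-07-29T08:05:00Z"}
not a json line
{"EventID": 4728, "TargetUserName": "esx admins", "MemberName": "CN=svc_backup,OU=Service,DC=corp,DC=example", "SubjectUserName": "svc_backup", "TimeCreated": "2024-07-29T08:02:40Z"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines security events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A production pipeline should count and surface these rather than drop them.
            continue
    return events


def find_esx_admins_activity(events: Iterable[dict]) -> list[dict]:
    """Return one alert per creation of, or membership change to, the watched group."""
    alerts = []
    for ev in events:
        if str(ev.get("TargetUserName", "")).lower() != WATCHED_GROUP:
            continue
        if ev.get("EventID") == GROUP_CREATED:
            alerts.append({
                "type": "group_created",
                "actor": ev.get("SubjectUserName"),
                "time": ev.get("TimeCreated"),
            })
        elif ev.get("EventID") == MEMBER_ADDED:
            alerts.append({
                "type": "member_added",
                "actor": ev.get("SubjectUserName"),
                "member": ev.get("MemberName"),
                "time": ev.get("TimeCreated"),
            })
    return alerts


def summarize(alerts: list[dict]) -> dict:
    """Count alerts by type and collect the accounts that performed them."""
    return {
        "group_created": sum(1 for a in alerts if a["type"] == "group_created"),
        "member_added": sum(1 for a in alerts if a["type"] == "member_added"),
        "actors": sorted({a["actor"] for a in alerts if a.get("actor")}),
    }


if __name__ == "__main__":
    found = find_esx_admins_activity(parse_events(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(summarize(found))
```

On a real domain the same logic runs over a forwarded security log; an alert on 4727 for this name is worth treating as high priority on its own, since legitimate creation of the group after the hypervisors were joined is rare, and the 4728 events identify which accounts gained hypervisor-level access.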

Christian Mohn, a chief technologist with Proact IT Norge AS in Norway, called the CVE a “nothing burger” in his own blog post Monday. He told CyberScoop in an online chat Tuesday that this is a “feature and not a bug.” He added that he’s glad VMware is “removing this — it’s pretty much a feature no one uses anymore and less moving parts that can be misfigured is a good thing. But calling it an exploit is stretching.” 

Broadcom did not respond to requests for comment. 

Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, told CyberScoop in an email Tuesday that the company worked closely with VMware to disclose the vulnerability and provide a proof of concept, that the finding was issued a CVE ID, and that VMware released a patch and patch guidance for it alongside fixes for “multiple vulnerabilities.”


“Ransomware is a significant, high-severity threat being used by threat actors across the landscape, [and] organizations should be aware that exploitation of this vulnerability could result in ransomware or other malicious activity,” DeGrippo said. “Ultimately, this disclosure falls within Microsoft’s mission to keep organizations more secure and better informed.”

ESXi has become a “favored target for threat actors” in recent years, the Microsoft researchers said, likely because of its popularity in corporate networks, the limited visibility and protection many security products offer for an ESXi hypervisor, and the ability of ransomware attackers to encrypt many virtual machines at once more quickly.

Various clusters of cybercriminal activity and ransomware variants tracked by Microsoft offer ESXi encryptors, the researchers noted, including Black Basta, Babuk, Lockbit and Kuiper. Incident response engagements involving the targeting and impacting of ESXi hypervisors “have more than doubled” in the past three years, the researchers added.

In one example, a ransomware operator tracked by Microsoft as Storm-0506 exploited the vulnerability during an attack on an unidentified engineering firm in North America that involved the deployment of Black Basta ransomware. 

Other clusters of cybercriminal activity have abused the technique, including the group tracked as Octo Tempest, a reference to an ecosystem of cybercriminals known as “the Com,” but also referred to by the CrowdStrike-given name “Scattered Spider.”


The group is known for attacking major international targets, including MGM Resorts and Clorox. A top FBI official recently listed Scattered Spider as a top-three cybersecurity threat, alongside China and Russia’s foreign intelligence agency.
