Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label targeting VMware ESXi systems. Show all posts

Ransomware Groups Exploit VMware ESXi Bug for Widespread Attacks

 

Several ransomware groups have been exploiting a vulnerability in VMware ESXi hypervisors that allows them to bypass authentication and rapidly deploy malware across virtual environments. Identified as CVE-2024-37085, this bug has been assigned a “medium” severity rating of 6.8 out of 10 on the CVSS scale. The rating reflects the need for attackers to have existing permissions in a target’s Active Directory (AD) to exploit it. 

The vulnerability, identified as CVE-2024-37085, has been assigned a “medium” severity score of 6.8 out of 10 on the CVSS scale. This score reflects the fact that attackers need existing permissions in a target’s Active Directory (AD) to exploit it. However, if attackers have AD access, they can inflict substantial damage. The CVE-2024-37085 bug allows them to instantly elevate their ESXi privileges to the highest level, enabling the deployment of ransomware, data theft, lateral movement within the network, and more. 

Notably, groups such as Storm-0506 (also known as Black Basta), Storm-1175, Manatee Tempest (part of Evil Corp), and Octo Tempest (also known as Scattered Spider) have utilized this vulnerability to distribute ransomware like Black Basta and Akira. Broadcom has released a fix for the vulnerability, which is available on its website. The vulnerability arises in scenarios where organizations configure their ESXi hypervisors to use AD for user management. By default, ESXi hypervisors grant full administrative access to any member of an AD domain group named “ESX Admins.” This oversight means that an attacker with sufficient AD privileges can create an “ESX Admins” group in the targeted domain and add a user to it, thereby gaining full administrative access to the ESXi hypervisors. Alternatively, they could rename an existing group to “ESX Admins” and use one of its existing users or add a new one. 

This vulnerability is problematic because ESXi hypervisors do not validate the existence of the “ESX Admins” group when joining a domain. The membership in this group is determined by name rather than by security identifier (SID), making the exploit straightforward. An attacker only needs to create or rename a group to “ESX Admins” to exploit the vulnerability. Ransomware attacks targeting ESXi hypervisors and virtual machines (VMs) have become increasingly common, particularly since 2020, as enterprises have accelerated their digital transformation efforts and adopted modern hybrid cloud and virtualized on-premise environments. 

Virtualized environments offer hackers significant advantages, as hypervisors typically run many VMs simultaneously, making them ideal targets for widespread ransomware deployment. These VMs often host critical services and business data, making successful attacks highly disruptive. The limited visibility and protection for hypervisors from traditional security products exacerbate this issue. Hypervisors’ isolation and complexity, along with the specialized knowledge required to protect them, make it difficult for conventional security tools to monitor and safeguard the entire environment. 

Additionally, API integration limits further complicate protection efforts. To mitigate these risks, Microsoft emphasizes the importance of keeping systems up to date with patches and practicing broader cyber hygiene around critical and vulnerable assets. Ensuring that systems are patched and that cyber hygiene practices are in place can help defend against such attacks. As ransomware actors increasingly target these systems, organizations must remain vigilant and proactive in their cybersecurity measures.

New Linux Play Ransomware Variant Targets VMware ESXi Systems

 

Attacks with a new Play ransomware variant for Linux have been deployed against VMware ESXi systems, most of which have been aimed at the U.S. and at organizations in the manufacturing, professional services, and construction sectors, according to The Hacker News.

Such a novel Play ransomware version was hosted on an IP address that also contained the WinSCP, PsExec, WinRAR, and NetScan tools, as well as the Coroxy backdoor previously leveraged by the ransomware operation, indicating similar functionality, an analysis from Trend Micro revealed. However, additional examination of the payload showed its utilization of a registered domain generation algorithm to bypass detection, a tactic similarly used by the Prolific Puma threat operation. 

"ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations. The efficiency of encrypting numerous VMs simultaneously and the valuable data they hold further elevate their lucrativeness for cybercriminals," said researchers. Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments.

"This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a report published Friday.

Play, which arrived on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key. According to estimates released by Australia and the U.S., as many as 300 organizations have been victimized by the ransomware group as of October 2023.

Statistics shared by Trend Micro for the first seven months of 2024 show that the U.S. is the country with the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands. Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period.

The cybersecurity firm's analysis of a Linux variant of Play comes from a RAR archive file hosted on an IP address (108.61.142[.]190), which also contains other tools identified as utilized in previous attacks such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

"Though no actual infection has been observed, the command-and-control (C&C) server hosts the common tools that Play ransomware currently uses in its attacks," it said. "This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs)."

The ransomware sample, upon execution, ensures that it's running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including VM disk, configuration, and metadata files, and appending them with the extension ".PLAY." A ransom note is then dropped in the root directory.

Further analysis has determined that the Play ransomware group is likely using the services and infrastructure peddled by Prolific Puma, which offers an illicit link-shortening service to other cybercriminals to help them evade detection while distributing malware. Specifically, it employs what's called a registered domain generation algorithm (RDGA)