CVE-2024-37085 Detection: Ransomware Groups Actively Exploit a Newly Patched Vulnerability in VMware ESXi Hypervisors to Gain Full Administrative Privileges

July 30, 2024 · 4 min read

A couple of weeks after the disclosure of CVE-2024-38112, a critical vulnerability exploited by the Void Banshee group to deploy the Atlantida stealer, another security flaw has come into the spotlight. Multiple ransomware groups have weaponized a recently patched vulnerability in VMware ESXi hypervisors, tracked as CVE-2024-37085, to gain full administrative privileges on domain-joined hosts and deploy ransomware payloads.

Detect CVE-2024-37085 Exploitation Attempts

In 2023 alone, more than 30,000 new vulnerabilities were identified, and the rate has reportedly grown by 42% in 2024, making proactive vulnerability detection one of the most prominent SOC use cases to date. The latest vulnerability to draw defenders' attention is a recently patched authentication bypass flaw in VMware ESXi (CVE-2024-37085) that ransomware operators are actively weaponizing in the wild.

To identify CVE-2024-37085 exploitation attempts in time, security researchers can rely on the SOC Prime Platform for collective cyber defense, which aggregates curated detection content accompanied by advanced threat detection and hunting solutions to strengthen organizational security posture. The relevant detection stack is available under the CVE-2024-37085 tag.

All the rules are compatible with 30+ SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, each detection is enriched with extensive metadata, including CTI references and attack timelines, to streamline threat investigation. 

Security professionals seeking broader detection coverage to investigate the malicious activity of ransomware collectives exploiting CVE-2024-37085 might search SOC Prime’s Threat Detection Marketplace using corresponding custom tags based on the groups’ identifiers: Storm-0506, Octo Tempest, Manatee Tempest, Akira, and Black Basta.

CVE-2024-37085 Analysis

Microsoft researchers have detailed CVE-2024-37085, a recently patched medium-severity vulnerability in VMware ESXi hypervisors that diverse ransomware operators have been exploiting for mass encryption. CVE-2024-37085 is an authentication bypass vulnerability with a CVSS score of 6.8. It allows an attacker who already holds sufficient Active Directory (AD) permissions to gain full control of an ESXi host that was previously configured to use AD for user management, which is why it is a post-compromise technique rather than an initial-access vector.

Microsoft reported that ransomware groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have been using this post-compromise technique to deploy Akira and Black Basta ransomware. The technique consists of running a short set of commands that creates a domain group named "ESX Admins" and adds a user to it; Microsoft cites net group "ESX Admins" /domain /add followed by net group "ESX Admins" username /domain /add. According to the investigation, these commands were enough to escalate privileges to full administrative access on domain-joined ESXi hypervisors. Further analysis revealed why: VMware ESXi hypervisors joined to an AD domain automatically grant full administrative access to any member of a domain group named "ESX Admins". The group is not built into AD and does not exist by default, ESXi does not validate that it exists when the host is joined to the domain, and membership is evaluated by group name rather than by security identifier (SID), which makes CVE-2024-37085 easy to exploit for anyone who can create or rename a domain group.

Microsoft researchers describe three possible methods of CVE-2024-37085 exploitation: creating a domain group named "ESX Admins" and adding themselves or other accounts to it; renaming an existing domain group to "ESX Admins" and using its current members or adding new ones; and abusing the way ESXi refreshes privileges, since even after an administrator assigns a different domain group as the hypervisor's management group, members of "ESX Admins" do not lose their full administrative privileges immediately and can still be abused.
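The first two methods above, and the net group commands that implement them, all leave Windows Security events on the domain controller or the machine where the command runs. The following Python script is an added example, not SOC Prime's own rule content and not code from Microsoft's report: it applies the same logic a SIEM rule would to a handful of constructed events (group creation, member addition, group rename, and process creation with command-line auditing) and flags those that match the "ESX Admins" abuse pattern. The event IDs and field names are the standard Windows Security audit ones; the sample events and user names are made up for the example. Note that the third method (stale privileges after the management group is reassigned) produces no new AD event and is not covered by this logic.

```python
import re
from dataclasses import dataclass

# ESXi's default AD management group, case-folded for comparison. Matching is
# done case-insensitively here as a detection design choice, so that a
# renamed group such as "esx admins" is not missed.
TARGET_GROUP = "esx admins"

# Windows Security event IDs used here:
#   4727 / 4754  security-enabled global / universal group created
#   4728 / 4756  member added to a global / universal group
#   4781         account (here: a group) was renamed
#   4688         process creation (command line requires command-line auditing)
GROUP_CREATED = {4727, 4754}
MEMBER_ADDED = {4728, 4756}
GROUP_RENAMED = {4781}
PROCESS_CREATED = {4688}

# net.exe / net1.exe invocations that create the group or add a member to it,
# e.g.  net group "ESX Admins" /domain /add
NET_GROUP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?esx admins"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    technique: str   # which step of the abuse pattern the event matches
    actor: str       # SubjectUserName of the account that performed the action
    detail: str


def _is_target(name):
    """True if a group name equals the ESXi admin group name (case-insensitive)."""
    return (name or "").strip().strip('"').casefold() == TARGET_GROUP


def detect(events):
    """Return one Finding per event matching the ESX Admins abuse pattern."""
    findings = []
    for e in events:
        eid = int(e.get("EventID", 0))
        actor = e.get("SubjectUserName", "?")
        if eid in GROUP_CREATED and _is_target(e.get("TargetUserName")):
            findings.append(Finding(eid, "group_created", actor, e["TargetUserName"]))
        elif eid in MEMBER_ADDED and _is_target(e.get("TargetUserName")):
            findings.append(Finding(eid, "member_added", actor, e.get("MemberName", "?")))
        elif eid in GROUP_RENAMED and _is_target(e.get("NewTargetUserName")):
            findings.append(Finding(eid, "group_renamed", actor,
                                    f'{e.get("OldTargetUserName")} -> {e["NewTargetUserName"]}'))
        elif eid in PROCESS_CREATED and NET_GROUP_RE.search(e.get("CommandLine", "")):
            findings.append(Finding(eid, "net_group_command", actor, e["CommandLine"]))
    return findings


# Constructed sample events (not real telemetry). Keys follow the data names
# used in the Windows Security event XML.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net  group "ESX Admins" /domain /add'},
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4688, "SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\net1.exe",
     "CommandLine": 'net1 group "ESX Admins" jdoe /domain /add'},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk",
     "NewTargetUserName": "esx admins"},
    # Benign noise that must not fire
    {"EventID": 4727, "SubjectUserName": "admin", "TargetUserName": "Finance Reviewers"},
    {"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Finance Reviewers",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example"},
    {"EventID": 4688, "SubjectUserName": "admin", "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Finance Reviewers" /domain'},
]


def summarize(events=SAMPLE_EVENTS):
    """Group findings by technique for a quick triage view."""
    by_technique = {}
    for f in detect(events):
        by_technique.setdefault(f.technique, []).append(f)
    return by_technique


if __name__ == "__main__":
    for technique, hits in summarize().items():
        print(technique)
        for h in hits:
            print(f"  event {h.event_id} by {h.actor}: {h.detail}")
```

Run against the constructed sample, the script flags the two net group commands, the creation of "ESX Admins", the member addition and the rename of "Helpdesk" to "esx admins", and ignores the three benign events. In production the same logic should be keyed on the group name only after confirming which name the hypervisor actually uses as its management group, since an environment that has changed the default would need a different value for TARGET_GROUP.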

As a result of successful exploitation, adversaries gain full administrative access to the ESXi hypervisor, which lets them encrypt the hypervisor's file system and disrupt every server hosted on it. It also gives them access to the hosted VMs themselves, facilitating data exfiltration and lateral movement.

To minimize the risks associated with attacks exploiting CVE-2024-37085, organizations with domain-joined ESXi hypervisors are advised to install the latest security updates provided by VMware, follow credential hygiene best practices, harden the posture of critical assets, and consistently run authenticated scans of network devices to identify blind spots in a timely manner. Because access is granted by group name rather than SID and existing members keep their privileges even after the management group is reassigned, it is also worth auditing whether an "ESX Admins" group exists in the domain, who can create or rename groups, and which group each hypervisor actually treats as its admin group. SOC Prime's Attack Detective enables organizations to bulletproof their SIEM posture with an actionable plan to maximize threat visibility and address detection coverage gaps while empowering their cybersecurity strategy with informed decisions.
