BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets

Threat actors using the infamous BlackByte ransomware strain have joined the rapidly growing number of cybercriminals targeting a recent authentication bypass vulnerability in VMware ESXi to compromise the core infrastructure of enterprise networks.

The bug, tracked as CVE-2024-37085, allows an attacker with sufficient access on Active Directory (AD) to gain full access to an ESXi host if that host uses AD for user management.

A Popular Target

Microsoft and other security vendors previously identified ransomware outfits such as Black Basta (aka Storm-0506), Manatee Tempest, Scattered Spider (aka Octo Tempest), and Storm-1175 leveraging CVE-2024-37085 to deploy ransomware strains such as Akira and Black Basta. In these attacks, the adversaries used their AD privileges to create or rename a group called "ESX Admins" and then use the group to access the ESXi hypervisor as a fully privileged user.

BlackByte's use of the vulnerability represents a pivot from the threat group's usual practice of scanning for and exploiting public-facing vulnerabilities — like the ProxyShell flaw in Microsoft Exchange — to gain an initial foothold. Researchers at Cisco Talos who observed BlackByte threat actors target CVE-2024-37085 in recent attacks described the tactic as one of several changes they made recently to stay ahead of defenders. Other changes include the use of BlackByteNT, a new BlackByte encryptor written in C/C++, dropping as many as four vulnerable drivers, compared to three previously, on compromised systems and using the victim organization's AD credentials to self-propagate.

Talos's investigation showed that organizations in the professional, scientific, and technical services sectors are most vulnerable to attacks involving the use of legitimate but vulnerable drivers to bypass security mechanisms — a technique researchers refer to as Bring Your Own Vulnerable Driver (BYOVD).

"BlackByte’s progression in programming languages from C# to Go and subsequently to C/C++ in the latest version of its encryptor — BlackByteNT — represents a deliberate effort to increase the malware's resilience against detection and analysis," Talos researchers James Nutland, Craig Jackson, and Terryn Valikodath wrote in a blog post this week. "The self-propagating nature of the BlackByte encryptor creates additional challenges for defenders. The use of the BYOVD technique compounds these challenges since it may limit the effectiveness of security controls during containment and eradication effort."

Constant Change

BackByte's pivot to vulnerabilities such as CVE-2024-37085 in ESXi is a manifestation of how attackers constantly evolve their tactics, techniques, and procedures to stay ahead of defenders, says Darren Guccione, CEO and co-founder of Keeper Security. "The exploitation of vulnerabilities in ESXi by BlackByte and similar threat actors indicates a focused effort to compromise the core infrastructure of enterprise networks," Guccione says. "Given that ESXi servers often host multiple virtual machines, a single successful attack can cause widespread disruption, making them a prime target for ransomware groups."

Sygnia, which investigated numerous ransomware attacks against VMWare ESXi and other virtualized environments earlier this year, described the attacks as unfolding in a specific pattern in most instances. The attack chain begins with the adversary gaining initial access to a target environment via a phishing attack, vulnerability exploit, or malicious file download. Once on a network, attackers tend to use tactics like altering domain group memberships for domain-connected VMware instances, or via RDP hijacking, to obtain credentials for ESXi hosts or vCenter. They then validate their credentials and use them to execute their ransomware on the ESXi hosts, compromise backup systems, or change passwords to them and then exfiltrate data.

Increased Enterprise Pressure

Attacks on ESXi environments increase the pressure on organizations and their security teams to maintain a versatile security program, according to the researchers. "This includes practices like strong vulnerability management, threat intelligence sharing, and incident response policies and procedures to keep pace with evolving adversary TTPs," the Cisco Talos researchers said. "In this case, vulnerability management and threat intel sharing will help to identify lesser-known or novel avenues that adversaries may take during an attack such as the ESXi vulnerability."

Heath Renfrow, cofounder of disaster recovery firm Fenix24, says with CVE-2024-37085, organizations face an addition challenge because of perceived difficulties in implementing mitigations for it. "These mitigations include disconnecting ESXi from AD, removing any previously used groups in AD that managed ESXi, and patching ESXi to 8.0 U3, where the vulnerability is fixed," Renfrow says. "VMware is the most widely used virtual solution globally, and the attack footprint is broad and easily exploitable. This makes it an easy win for threat actors to access the crown jewels and cause significant damage quickly."