BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets

Published: 23/11/2024   Category: security




The pivot is one of several changes the groups using the malware have used in recent attacks.



Threat actors using the infamous BlackByte ransomware strain have joined the rapidly growing number of cybercriminals targeting a recent authentication bypass vulnerability in VMware ESXi to compromise the core infrastructure of enterprise networks.
The bug, tracked as CVE-2024-37085, allows an attacker with sufficient access on Active Directory (AD) to gain full access to an ESXi host if that host uses AD for user management.
Microsoft and other security vendors previously identified ransomware outfits such as Black Basta (aka Storm-0506), Manatee Tempest, Scattered Spider (aka Octo Tempest), and Storm-1175 leveraging CVE-2024-37085 to deploy ransomware strains such as Akira and Black Basta. In these attacks, the adversaries used their AD privileges to create or rename a group called "ESX Admins" and then used the group to access the ESXi hypervisor as a fully privileged user.
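The "ESX Admins" technique described above leaves a footprint in the domain controller's security log: the group is created, renamed into existence, or populated with members. The following detection logic is an added example, not code from the article or from any of the vendors it cites; it uses the real Windows security event IDs for group creation, account rename and member addition, but the flattened log format and the sample events are constructed for illustration.

```python
import re

# Windows Security event IDs relevant to the "ESX Admins" technique.
GROUP_CREATED = {4727, 4731, 4754}  # security-enabled global/local/universal group created
GROUP_RENAMED = {4781}              # the name of an account (user or group) was changed
MEMBER_ADDED = {4728, 4732, 4756}   # member added to a security-enabled group

# Match "ESX Admins" regardless of case or stray whitespace: the ESXi AD
# integration looks the group up by name, so case variants are just as dangerous.
ESX_ADMINS = re.compile(r"^\s*esx\s*admins\s*$", re.IGNORECASE)


def parse_event(line):
    """Parse a flattened 'Key=Value; Key=Value' event line (constructed format) into a dict."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # values such as DNs may contain '='
            fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return a finding label if the event touches an 'ESX Admins' group, else None."""
    try:
        event_id = int(event.get("EventID", ""))
    except ValueError:
        return None
    if event_id in GROUP_CREATED and ESX_ADMINS.match(event.get("TargetUserName", "")):
        return "group-created"
    if event_id in GROUP_RENAMED and ESX_ADMINS.match(event.get("NewTargetUserName", "")):
        return "group-renamed"
    if event_id in MEMBER_ADDED and ESX_ADMINS.match(event.get("TargetUserName", "")):
        return "member-added"
    return None


def find_esx_admins_activity(log_text):
    """Scan event lines and return (finding, actor, detail) tuples worth triaging."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        finding = classify(event)
        if finding:
            actor = event.get("SubjectUserName", "?")
            detail = event.get("MemberName") or event.get("OldTargetUserName") or event.get("TargetUserName", "")
            findings.append((finding, actor, detail))
    return findings


# Constructed sample events (not real telemetry): three suspicious, one benign.
SAMPLE_LOG = """\
EventID=4727; SubjectUserName=jdoe; TargetUserName=ESX Admins; TargetDomainName=CORP
EventID=4781; SubjectUserName=jdoe; OldTargetUserName=Helpdesk; NewTargetUserName=esx admins
EventID=4728; SubjectUserName=jdoe; TargetUserName=ESX Admins; MemberName=CN=svc-backup,OU=Users,DC=corp,DC=local
EventID=4727; SubjectUserName=admin1; TargetUserName=Finance-RO; TargetDomainName=CORP
"""
```

Running `find_esx_admins_activity(SAMPLE_LOG)` flags the creation, the rename and the membership change by `jdoe` and ignores the unrelated Finance-RO group; on a real estate the same rule belongs in the SIEM alongside the mitigations Renfrow lists later (detaching ESXi from AD and removing legacy management groups).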
BlackByte's use of the vulnerability represents a pivot from the threat group's usual practice of scanning for and exploiting public-facing vulnerabilities — like the ProxyShell flaw in Microsoft Exchange — to gain an initial foothold. Researchers at Cisco Talos who observed BlackByte threat actors target CVE-2024-37085 in recent attacks described the tactic as one of several changes they made recently to stay ahead of defenders. Other changes include the use of BlackByteNT, a new BlackByte encryptor written in C/C++; dropping as many as four vulnerable drivers, compared to three previously, on compromised systems; and using the victim organization's AD credentials to self-propagate.
Talos's investigation showed that organizations in the professional, scientific, and technical services sectors are most vulnerable to attacks involving the use of legitimate but vulnerable drivers to bypass security mechanisms — a technique researchers refer to as Bring Your Own Vulnerable Driver (BYOVD).
"BlackByte's progression in programming languages from C# to Go and subsequently to C/C++ in the latest version of its encryptor — BlackByteNT — represents a deliberate effort to increase the malware's resilience against detection and analysis," Talos researchers James Nutland, Craig Jackson, and Terryn Valikodath wrote in a blog post this week. "The self-propagating nature of the BlackByte encryptor creates additional challenges for defenders. The use of the BYOVD technique compounds these challenges, since it may limit the effectiveness of security controls during containment and eradication efforts."
BlackByte's pivot to vulnerabilities such as CVE-2024-37085 in ESXi is a manifestation of how attackers constantly evolve their tactics, techniques, and procedures to stay ahead of defenders, says Darren Guccione, CEO and co-founder of Keeper Security. "The exploitation of vulnerabilities in ESXi by BlackByte and similar threat actors indicates a focused effort to compromise the core infrastructure of enterprise networks," Guccione says. "Given that ESXi servers often host multiple virtual machines, a single successful attack can cause widespread disruption, making them a prime target for ransomware groups."
Sygnia, which investigated numerous ransomware attacks against VMware ESXi and other virtualized environments earlier this year, described the attacks as unfolding in a specific pattern in most instances. The attack chain begins with the adversary gaining initial access to a target environment via a phishing attack, vulnerability exploit, or malicious file download. Once on a network, attackers tend to use tactics like altering domain group memberships for domain-connected VMware instances, or RDP hijacking, to obtain credentials for ESXi hosts or vCenter. They then validate their credentials and use them to execute their ransomware on the ESXi hosts, compromise backup systems or change their passwords, and then exfiltrate data.
Attacks on ESXi environments increase the pressure on organizations and their security teams to maintain a versatile security program, according to the researchers. This includes practices like strong vulnerability management, threat intelligence sharing, and incident response policies and procedures to keep pace with evolving adversary TTPs, the Cisco Talos researchers said. In this case, vulnerability management and threat intel sharing will help to identify lesser-known or novel avenues that adversaries may take during an attack such as the ESXi vulnerability.
Heath Renfrow, cofounder of disaster recovery firm Fenix24, says that with CVE-2024-37085, organizations face an additional challenge because of perceived difficulties in implementing mitigations for it. These mitigations include disconnecting ESXi from AD, removing any previously used groups in AD that managed ESXi, and patching ESXi to 8.0 U3, where the vulnerability is fixed, Renfrow says. "VMware is the most widely used virtual solution globally, and the attack footprint is broad and easily exploitable. This makes it an easy win for threat actors to access the crown jewels and cause significant damage quickly."
