The BlackByte ransomware group has been observed exploiting a recently patched authentication bypass vulnerability in VMware ESXi, tracked as CVE-2024-37085, as well as utilizing vulnerable drivers to disable security protections. Cisco Talos shared these findings, revealing the threat actors' advanced tactics, techniques, and procedures (TTPs) to carry out ransomware attacks.
BlackByte, which emerged in the latter half of 2021, has been leveraging the CVE-2024-37085 vulnerability in VMware ESXi to gain unauthorized access and escalate privileges. This flaw allows attackers to create a group named "ESX Admins" and add users, effectively granting them administrator privileges on the hypervisor. This access can be used to control virtual machines, alter host server configurations, and access sensitive logs and diagnostics.
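One way a defender can watch for the "ESX Admins" abuse described above is to alert on group-management events from the Windows Security log that create, or add members to, a group of that name. The detector below is an added example written for this article, not tooling from Cisco Talos or VMware; the event records are constructed samples in a simplified one-JSON-object-per-line shape, and the Event IDs are the standard Windows ones for security-enabled group creation (4727, 4731) and member addition (4728, 4732). The case-insensitive, whitespace-tolerant name match is a defensive assumption, not a statement about how ESXi compares the name.

```python
"""Flag Windows Security events that create, or add members to, "ESX Admins".

Added example for the CVE-2024-37085 attack path. The log lines used below are
constructed samples, not real telemetry.
"""
import json
import re
from dataclasses import dataclass

GROUP_CREATED = {4727, 4731}   # security-enabled global / local group created
MEMBER_ADDED = {4728, 4732}    # member added to security-enabled global / local group
WATCHED_IDS = GROUP_CREATED | MEMBER_ADDED

# Match the group name loosely (case, surrounding whitespace) so a cosmetic
# variation of "ESX Admins" does not slip past the rule.  Defensive assumption.
ESX_ADMINS = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    group: str
    actor: str      # SubjectUserName: who performed the change
    member: str     # MemberName for additions, "" for group creation
    host: str       # Computer that logged the event


def parse_events(lines):
    """Yield one dict per well-formed JSON line; skip blanks and garbage."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not stop the whole pipeline


def detect_esx_admins(lines):
    """Return a Finding for every watched event whose target group is ESX Admins."""
    findings = []
    for ev in parse_events(lines):
        eid = ev.get("EventID")
        group = ev.get("TargetUserName", "")
        if eid in WATCHED_IDS and ESX_ADMINS.match(group):
            findings.append(Finding(
                event_id=eid,
                group=group.strip(),
                actor=ev.get("SubjectUserName", ""),
                member=ev.get("MemberName", "") if eid in MEMBER_ADDED else "",
                host=ev.get("Computer", ""),
            ))
    return findings


# Constructed sample log: one group creation and one member addition for
# "ESX Admins", one benign addition, one unrelated event, one malformed line.
SAMPLE_LOG = """
{"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe", "Computer": "dc01.corp.example"}
{"EventID": 4728, "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example", "SubjectUserName": "jdoe", "Computer": "dc01.corp.example"}
{"EventID": 4728, "TargetUserName": "Domain Users", "MemberName": "CN=newhire,CN=Users,DC=corp,DC=example", "SubjectUserName": "hr-admin", "Computer": "dc01.corp.example"}
{"EventID": 4720, "TargetUserName": "newhire", "SubjectUserName": "hr-admin", "Computer": "dc01.corp.example"}
this line is not JSON and is skipped
"""

if __name__ == "__main__":
    for f in detect_esx_admins(SAMPLE_LOG.splitlines()):
        print(f"[{f.host}] event {f.event_id}: '{f.group}' by {f.actor} {f.member}".rstrip())
```

In a real deployment the same rule would run over forwarded Security events from domain controllers; creation of this group by anyone outside the virtualization team, or membership changes outside a change window, is the condition worth paging on.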
The ransomware group has a history of exploiting known vulnerabilities to achieve initial access, previously targeting ProxyShell vulnerabilities in Microsoft Exchange Server. The current shift to using VMware ESXi flaws and VPN access highlights a tactical adaptation, possibly to evade detection and improve success rates. The use of valid credentials, potentially obtained through brute-force attacks, also demonstrates their methodical approach.
A notable aspect of BlackByte's strategy is the use of the "bring your own vulnerable driver" (BYOVD) tactic. By deploying vulnerable drivers, they can terminate security processes and bypass detection. During recent attacks, BlackByte dropped four vulnerable drivers, all following a naming pattern of eight random alphanumeric characters, to disable security measures. These drivers included:
BlackByte's continued use of multiple programming languages, including a shift from C# to Go and eventually to C/C++, indicates their effort to enhance the malware's resilience against detection and analysis. The latest version of the encryptor, BlackByteNT, incorporates advanced anti-analysis and anti-debugging techniques.
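The eight-random-character naming pattern reported for the dropped drivers is a weak signal on its own (legitimate driver names of that length exist), so a hunt should combine it with other context. The script below is an added example, not Talos tooling: it scores driver-load records using the name pattern, the load path, and a hash blocklist. All records are constructed, and the blocklist holds an obvious placeholder hash because the article lists none.

```python
"""Score driver-load records for BYOVD indicators.

Added example for the BYOVD tactic described above. The driver records and the
blocklist entry are constructed placeholders, not indicators from the report.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# The naming pattern reported for the dropped drivers: 8 alphanumerics + ".sys".
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}\.sys$", re.IGNORECASE)

# Where Windows keeps its own kernel drivers; loads from elsewhere deserve a look.
STANDARD_DRIVER_DIR = r"c:\windows\system32\drivers"

# Stand-in for a curated vulnerable-driver hash list (placeholder value).
BLOCKLIST_SHA256 = {"deadbeef" * 8}


@dataclass
class Finding:
    path: str
    severity: str        # "medium" or "high"
    reasons: tuple


def _in_standard_dir(path: str) -> bool:
    # ntpath parses Windows paths correctly even when this runs on Linux.
    return ntpath.normpath(ntpath.dirname(path)).lower() == STANDARD_DRIVER_DIR


def assess_driver(path: str, sha256: str) -> Optional[Finding]:
    """Return a Finding when the record is worth an analyst's time, else None.

    A blocklist hit is high severity by itself.  The weak signals (random-looking
    name, unusual directory) only alert when they occur together, which keeps
    legitimately named drivers such as storport.sys from triggering.
    """
    reasons = []
    blocklisted = sha256.lower() in BLOCKLIST_SHA256
    random_name = RANDOM_NAME.match(ntpath.basename(path)) is not None
    odd_location = not _in_standard_dir(path)

    if blocklisted:
        reasons.append("hash on vulnerable-driver blocklist")
    if random_name:
        reasons.append("eight-character alphanumeric file name")
    if odd_location:
        reasons.append("loaded from outside the standard drivers directory")

    if blocklisted:
        return Finding(path, "high", tuple(reasons))
    if random_name and odd_location:
        return Finding(path, "medium", tuple(reasons))
    return None


def hunt_drivers(records):
    """Assess a list of (path, sha256) records and return only the findings."""
    return [f for f in (assess_driver(p, h) for p, h in records) if f is not None]


# Constructed sample records: two legitimate drivers, one suspicious by name and
# location, one matching the placeholder blocklist entry.
SAMPLE_RECORDS = [
    (r"C:\Windows\System32\drivers\tcpip.sys", "11" * 32),
    (r"C:\Windows\System32\drivers\storport.sys", "22" * 32),   # 8 chars, but in place
    (r"C:\Users\Public\aB3dE9xQ.sys", "33" * 32),
    (r"C:\Windows\Temp\Zq8LmN2p.sys", "deadbeef" * 8),
]

if __name__ == "__main__":
    for f in hunt_drivers(SAMPLE_RECORDS):
        print(f"{f.severity.upper():6} {f.path}: {'; '.join(f.reasons)}")
```

Feeding this from Sysmon driver-load events or an EDR's module inventory, and replacing the placeholder set with a maintained vulnerable-driver hash list, turns it into a usable hunt; blocking the drivers outright is a matter for the vulnerable-driver blocklist built into Windows or the EDR's own policy.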
Cisco Talos has observed that only a fraction of BlackByte's victims, estimated at 20-30%, are publicly disclosed, suggesting that the group may be more active than currently perceived.
BlackByte's activities have notably targeted critical infrastructure sectors, such as financial services, manufacturing, education, food and agriculture, and government facilities. Their double extortion tactics, encrypting data and then threatening to leak sensitive information on a leak site operated on the dark web, pressure victims into paying ransoms.
In light of these findings, organizations are urged to apply the latest security patches, particularly those affecting VMware ESXi hypervisors, and to implement robust security measures, such as restricting VPN access to trusted sources and regularly monitoring network activity for unusual behavior.
The emergence of new ransomware strains and evolving techniques, as seen with BlackByte, Brain Cipher, and RansomHub, emphasizes the need for continuous vigilance and proactive cybersecurity strategies to protect against the ever-evolving threat landscape.
BlackByte's exploitation of CVE-2024-37085 and its sophisticated use of vulnerable drivers exemplify the ongoing innovation in ransomware tactics. Organizations must stay alert, keep their systems updated, and enforce strict security protocols to protect against these advanced cyber threats.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067