Black Basta ransomware exploits a zero-day flaw in Windows Error Reporting Service. Learn more about the vulnerability (CVE-2024-26169) and how to protect your systems.
According to new findings from Symantec, threat actors linked to the Black Basta ransomware may have exploited a recently disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service as a zero-day.
The security flaw in question is CVE-2024-26169 (CVSS score: 7.8), an elevation of privilege bug in the Windows Error Reporting Service that could be exploited to achieve SYSTEM privileges. Microsoft patched it in March 2024.
“Analysis of an exploit tool deployed in recent attacks revealed evidence that it could have been compiled before patching, meaning at least one group may have been exploiting the vulnerability as a zero-day,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared.
The company is tracking the financially motivated threat cluster under the name Cardinal. The cybersecurity community is monitoring it under the names Storm-1811 and UNC4393.
It’s known to monetize access by deploying the Black Basta ransomware, usually by leveraging initial access obtained by other attackers – initially QakBot and then DarkGate – to breach target environments.
In recent months, the threat actor has been observed using legitimate Microsoft products like Quick Assist and Microsoft Teams as attack vectors to infect users.
“The threat actor uses Teams to send messages and initiate calls in an attempt to impersonate IT or help desk personnel,” Microsoft said. “This activity leads to Quick Assist misuse, followed by credential theft using EvilProxy, execution of batch scripts, and use of SystemBC for persistence and command-and-control.”
Symantec said it observed the exploit tool being used as part of an attempted but unsuccessful ransomware attack.
The malicious program “takes advantage of the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys,” it explained.
“The exploit takes advantage of this to create a ‘HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe’ registry key where it sets the ‘Debugger’ value as its own executable pathname. This allows the exploit to start a shell with administrative privileges.”
Metadata analysis of the artifact shows that it was compiled on February 27, 2024, several weeks before Microsoft addressed the vulnerability, while another sample unearthed on VirusTotal had a compilation timestamp of December 18, 2023.
While threat actors are prone to altering the timestamps of files and directories on a compromised system to conceal their actions or impede investigations – a technique referred to as timestomping – Symantec pointed out that there are likely very few reasons for doing so in this case.
The development comes amid the emergence of a new ransomware family called DORRA, a variant of the Makop malware family. Ransomware attacks continue to revive after a dip in 2022.
According to Google-owned Mandiant, the ransomware epidemic witnessed a 75% increase in posts on data leak sites. In 2023, more than $1.1 billion was paid to attackers, up from $567 million in 2022 and $983 million in 2021.
“This illustrates that the slight dip in extortion activity observed in 2022 was an anomaly, potentially due to factors such as the invasion of Ukraine and the leaked Conti chats,” the company said.
Also Read: Sudhakar Ramakrishna on Innovation, Adaptation, and Future Vision
“The current resurgence in extortion activity is likely driven by various factors, including the resettling of the cybercriminal ecosystem following a tumultuous year in 2022, new entrants, and new partnerships and ransomware service offerings by actors previously associated with prolific groups that had been disrupted.”
CVE-2024-26169 Added to CISA KEV Catalog#
On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) formally added CVE-2024-26169 to its Known Exploited Vulnerabilities (KEV) catalog, citing its abuse in ransomware attacks. Federal agencies are required to apply the patches by July 4, 2024.