Black Basta Ransomware Affiliates Possibly Exploited Windows Bug as a Zero-Day
12 June 2024 at 15:42
The Black Basta ransomware gang may have exploited a Windows privilege escalation vulnerability as a zero-day before it was patched, new evidence suggests.
Symantec researchers have revealed that the Black Basta ransomware group, linked to the Cardinal cybercriminal syndicate (also known as Storm-1811 or UNC4393), may have exploited a flaw in the Windows Error Reporting Service as a zero-day prior to its March Patch Tuesday fix.
Tracked as CVE-2024-26169, the vulnerability in question exists in the Windows Error Reporting Service. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said at the time of patching.
The Redmond-based tech giant reported no evidence of the bug being exploited in the wild at the time. However, analysis of an exploit tool used in recent attacks indicates that it may have been compiled months before the official patch was released, pointing to possible zero-day exploitation.
Black Basta's Privilege Escalation Bug Exploitation
The Symantec team first uncovered the possible zero-day exploitation while investigating a recent ransomware attack attempt in which an exploit tool for CVE-2024-26169 was used. "Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity," Symantec said. These TTPs included the use of batch scripts disguised as software updates, the researchers added.
Black Basta Exploit Tool Analysis
The exploit tool leverages a flaw where the Windows file "werkernel.sys" uses a null security descriptor for creating registry keys. The tool exploits this by creating a "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe" registry key, setting its "Debugger" value to its own executable pathname. This allows the attacker to start a shell with administrative privileges, Symantec explained.
Two variants of the tool were analyzed:
- Variant 1 (SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63): Compiled on February 27, before the vulnerability was patched.
- Variant 2 (SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0): Compiled on December 18, 2023, nearly three months before an official fix was released.
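The two findings above (an IFEO "Debugger" value planted under WerFault.exe, and compile timestamps that predate the patch) are both things a defender can check for directly. The PowerShell below is an added example written for this article; it is not code from the article, from Symantec, or from the tool being described. It enumerates every Image File Execution Options subkey that carries a Debugger value, extracts the executable the value points to, and reads that executable's PE header TimeDateStamp so it can be compared against the patch date. The function names, the `$Watch` list and the `2024-03-12` patch date are assumptions of this example (the article only says "March Patch Tuesday").

```powershell
# Added defender-side example; not code from the article, Symantec, or the tool it describes.
# Audits IFEO "Debugger" values (the mechanism the article says the tool abuses for
# WerFault.exe) and reads the PE compile timestamp of any executable a value points to.

function Get-PeCompileTime {
    # Returns the PE header TimeDateStamp as a UTC [datetime], or $null if the file is not a PE.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }  # "MZ"
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                                           # e_lfanew
    if ($peOffset -lt 0 -or ($peOffset + 12) -gt $bytes.Length) { return $null }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { return $null }            # "PE\0\0"
    $stamp = [BitConverter]::ToUInt32($bytes, $peOffset + 8)                                    # IMAGE_FILE_HEADER.TimeDateStamp
    return [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime
}

function Get-IfeoDebuggerAudit {
    param(
        # Image names whose Debugger value has no normal business use on a production host.
        [string[]]$Watch = @('WerFault.exe'),
        # Assumed: the March 2024 Patch Tuesday date; the article only says "March Patch Tuesday".
        [datetime]$PatchDate = [datetime]'2024-03-12'
    )
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        # The Debugger value is a command line; pull the executable path out of it.
        $exe = if ($debugger -match '^\s*"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $compiled = if ($exists) { Get-PeCompileTime -Path $exe } else { $null }

        [pscustomobject]@{
            Image               = $key.PSChildName
            Debugger            = $debugger
            DebuggerPath        = $exe
            DebuggerExists      = $exists
            CompileTimeUtc      = $compiled
            CompiledBeforePatch = if ($compiled) { $compiled -lt $PatchDate } else { $null }
            Watched             = $Watch -contains $key.PSChildName
        }
    }
}

# Usage: run from an elevated prompt; rows with Watched = True warrant an incident ticket until explained.
Get-IfeoDebuggerAudit | Sort-Object -Property Watched -Descending | Format-Table -AutoSize
```

Two points on reading the output. Some developer tooling legitimately writes IFEO Debugger values, so review every row rather than treating the whole list as malicious; a Debugger value under WerFault.exe, on the other hand, is the exact artifact the article describes and should be handled as an incident. And the PE TimeDateStamp is a field the linker writes and can be set to any value, so a pre-patch compile time is supporting evidence for early exploitation, not proof, which matches the article's careful "may have been compiled" wording.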