12 June 2024

Black Basta ransomware actors possibly exploited recently patched Windows bug as zero-day


New evidence suggests that the cybercrime group known as Cardinal (aka Storm-1811, UNC4393), operators of the Black Basta ransomware, may have exploited a recently patched Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day.

The vulnerability, found in the Windows Error Reporting Service, allows attackers to elevate their privileges on affected systems. The issue was patched by Microsoft on March 12, 2024, with no known exploitation in the wild at that time.

However, Symantec’s Threat Hunter Team has since recovered an exploit tool for the flaw from an attempted ransomware attack, indicating that it has been exploited by ransomware actors.

Analysis of the tool suggests it may have been compiled before the patch was released, which would point to zero-day exploitation. Compile timestamps in executable headers are trivially altered, however, so this evidence is suggestive rather than conclusive.

Although the attackers failed to deploy a ransomware payload in the attack in which the tool was observed, the tactics, techniques, and procedures (TTPs) used were consistent with those of Black Basta.

The exploit tool takes advantage of the fact that werkernel.sys, the kernel-mode component of Windows Error Reporting, creates registry keys with a null security descriptor, so the new key's permissions and ownership are derived from its parent rather than set explicitly.

“Because the parent key has a ‘Creator Owner’ access control entry (ACE) for subkeys, all subkeys will be owned by users of the current process. The exploit takes advantage of this to create a ‘HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe’ registry key where it sets the ‘Debugger’ value as its own executable pathname. This allows the exploit to start a shell with administrative privileges,” Symantec explained.
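The registry state this technique leaves behind is easy to audit. The following PowerShell script is an added example written for this article, not code from Symantec or from the exploit tool: run as an administrator, it lists every Image File Execution Options (IFEO) subkey that either carries a Debugger value or is owned by a principal outside an assumed set of trusted owners (SYSTEM, Administrators, TrustedInstaller), and it prints any inheritable CREATOR OWNER ACE on the IFEO key. The article does not name the parent key under which werkernel.sys creates its keys, so checking the IFEO key's ACL here is an illustrative assumption.

```powershell
# Added example, not from the article or the exploit tool.
# Audit IFEO for Debugger hijacks such as the WerFault.exe key described above.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: principals expected to own IFEO subkeys on a healthy system.
$trustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

$findings = foreach ($key in Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue) {
    $debugger = (Get-ItemProperty -Path $key.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    $acl      = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
    $owner    = if ($acl) { $acl.Owner } else { $null }

    $reasons = @()
    # Any Debugger value redirects execution of the named binary; review each one.
    if ($debugger) { $reasons += "Debugger value set: $debugger" }
    # A subkey owned by an ordinary user is the tell-tale of the Creator Owner inheritance abuse.
    if ($owner -and ($trustedOwners -notcontains $owner)) { $reasons += "Subkey owned by $owner" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Target   = $key.PSChildName   # e.g. WerFault.exe
            Debugger = $debugger
            Owner    = $owner
            Reasons  = ($reasons -join '; ')
        }
    }
}

# Inheritable CREATOR OWNER ACEs on the parent are what let a user-created subkey end up user-owned.
$creatorOwnerAces = (Get-Acl -Path $ifeoPath).Access |
    Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' } |
    Select-Object IdentityReference, RegistryRights, InheritanceFlags, PropagationFlags

'--- Suspicious IFEO subkeys ---'
$findings | Format-Table -AutoSize
'--- CREATOR OWNER ACEs on the IFEO key ---'
$creatorOwnerAces | Format-Table -AutoSize
```

Legitimate Debugger entries do exist (developer tooling such as just-in-time debuggers registers them), so treat the Debugger column as a review list rather than an alert on its own; a Debugger value pointing outside system or program directories, or a subkey owned by a standard user account, is the combination worth escalating.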

First spotted in April 2022, the Black Basta ransomware relied on the Qakbot botnet for distribution. The botnet was dismantled by law enforcement authorities in August 2023. Qakbot has been used by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. According to recent research, Qakbot was the most popular malware loader during the first seven months of 2023.

Following the demise of Qakbot, Cardinal temporarily ceased its activities but then resumed operations using the DarkGate loader to gain access to potential victims.
