Black Basta Ransomware Exploits Windows Vulnerability
Recent investigations by Symantec have revealed that threat actors associated with the Black Basta ransomware may have leveraged a newly uncovered zero-day vulnerability in the Microsoft Windows Error Reporting Service. This security flaw, identified as CVE-2024-26169, is classified as an elevation of privilege vulnerability with a CVSS score of 7.8, and it could be exploited to gain SYSTEM-level privileges. Microsoft addressed this vulnerability in a patch released in March 2024.
According to Symantec’s Threat Hunter Team, analysis of an exploit toolkit used in recent attacks suggested that it might have been compiled before the patch was applied. This implies that at least one group could have been exploiting this issue as a zero-day vulnerability. The threat actors responsible for this activity are tracked under the code name Cardinal, while the cybersecurity community refers to them as Storm-1811 and UNC4393.
Known for monetizing access through the deployment of Black Basta ransomware, this group typically initiates attacks by leveraging initial access obtained from other malware, including QakBot and DarkGate. Recently, they have been observed utilizing legitimate Microsoft applications such as Quick Assist and Teams to compromise users’ systems.
Microsoft has reported that attackers are using Teams to impersonate IT personnel or help desk staff, sending messages or initiating calls to lure unsuspecting users. This tactic leads to the misuse of Quick Assist for remote access, followed by credential theft facilitated through tools such as EvilProxy. Once credentials are stolen, attackers execute batch scripts and use SystemBC for establishing persistence and command-and-control capabilities.
Symantec also noted it had detected an exploit tool involved in an unsuccessful ransomware attack. This tool exploits a vulnerability in which the Windows file werkernel.sys uses a null security descriptor when creating registry keys. By creating a specific registry key with administrative privileges, the exploit can initiate a shell that allows unauthorized access.
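A null security descriptor on a registry key means the key carries no access restrictions at all, so any user can write to it. The following PowerShell audit is an added illustration for defenders and is not code from Symantec, Microsoft or the article; it walks an assumed registry scope (HKLM:\SOFTWARE, two levels deep, both chosen here for illustration) and lists keys whose DACL grants write rights to broad principals such as Everyone or Authenticated Users, which is the symptom a null-DACL key presents when read through Windows' ACL APIs.

```powershell
# Added defensive audit (not from the article or the vendors it cites).
# Lists registry keys that grant write access to low-privilege, broad principals.
# A key created with a null security descriptor shows up as "Everyone: FullControl"
# when its ACL is read back, so it is caught by the same rule.
param(
    [string]$Root  = 'HKLM:\SOFTWARE',   # assumed audit scope; adjust for your environment
    [int]   $Depth = 2                   # assumed recursion depth; raise for a fuller sweep
)

# Principals that should normally not hold write rights on machine-wide keys.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Rights that allow a caller to add or modify keys and values.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue     -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey     -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Test-BroadWriteAccess {
    # Returns the first broad principal holding write rights on the ACL, or $null.
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        $granted = [int]($ace.RegistryRights -band $WriteRights)
        if (($BroadPrincipals -contains $who) -and ($granted -ne 0)) {
            return $who
        }
    }
    return $null
}

Get-ChildItem -Path $Root -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Keys we cannot read the ACL of are skipped rather than failing the sweep.
        try { $acl = Get-Acl -Path $_.PSPath -ErrorAction Stop } catch { return }
        $hit = Test-BroadWriteAccess -Acl $acl
        if ($hit) {
            [pscustomobject]@{ Key = $_.Name; Principal = $hit }
        }
    }
```

Run it from an elevated PowerShell session so the sweep can read ACLs on protected keys. Some keys legitimately grant BUILTIN\Users write access, so treat the output as a baseline to diff over time rather than a list of confirmed problems: a key that appears after a patch window, or under a path that previously had a tight ACL, is what deserves a closer look.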
Metadata analysis revealed that the exploit tool was compiled before the vulnerability was patched, with timestamps indicating compilation dates as early as February 27, 2024. Another sample found on VirusTotal had a compilation timestamp of December 18, 2023. While timestamp manipulation is a common practice among threat actors to obscure their activities, Symantec indicated that in this case, there seemed to be minimal incentive for doing so.
A Microsoft spokesperson reassured users that the issue had been addressed in the March patch and emphasized that customers applying the fix were safe. Microsoft’s security software also includes mechanisms for detecting the associated malware.
This development coincides with the emergence of a new ransomware family known as DORRA, which is a variant of Makop malware. After a period of decline in ransomware incidents in 2022, attacks have seen a resurgence. Google subsidiary Mandiant reported a 75% increase in posts on data leak sites, indicating a worrying rise in ransomware activity, with attackers reportedly receiving over $1.1 billion in ransom payments in 2023.
In light of this information, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-26169 to its Known Exploited Vulnerabilities Catalog, highlighting its exploitation in ransomware attacks. Federal agencies must apply the necessary patches by July 4, 2024, to safeguard their systems against these vulnerabilities.
Ultimately, this situation underscores the importance of vigilance and prompt application of security patches to protect against sophisticated cyber threats that persist in the evolving landscape of ransomware and other malicious activities.