Black Basta Ransomware Gang Linked to Windows Zero-Day Attacks

Summary:
The Black Basta ransomware group is suspected of leveraging a critical Windows privilege escalation vulnerability, identified as CVE-2024-26169, as a zero-day exploit before Microsoft released a fix. This vulnerability, rated at 7.8 on the CVSS v3.1 scale, affects the Windows Error Reporting Service, enabling attackers to elevate their privileges to SYSTEM level. Microsoft addressed this flaw on March 12, 2024, during its monthly Patch Tuesday updates. Despite the patch release, Symantec's investigation indicates that the Cardinal cybercrime group, operators of Black Basta, likely actively exploited the vulnerability. The exploit, deployed after initial infection by the DarkGate loader, uses the flaw to gain elevated privileges.

Symantec's analysis reveals that the exploit involves the manipulation of the werkernel[.]sys file, exploiting its null security descriptor to create a registry key. This registry key, located at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault[.]exe, enables the execution of arbitrary code with SYSTEM-level privileges. Furthermore, Symantec uncovered two distinct variants of the exploit tool, compiled on February 27, 2024, and December 18, 2023, respectively. This indicates that Black Basta possessed a functional exploit tool for a considerable period before Microsoft issued a patch.
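The following is an added defender-side check, not code from Symantec's report or from the exploit tool: it looks for the Image File Execution Options entry for WerFault.exe described above, reports weak permissions on werkernel.sys, and checks for updates installed since the March 12, 2024 patch. It assumes an elevated PowerShell session on the host being reviewed; the "Debugger" value name is the standard IFEO value and is an assumption about what the tool writes.

```powershell
# Added example (not from the Symantec or BleepingComputer articles): hunt for the
# CVE-2024-26169 artefacts named above. Run elevated; results are printed as warnings.
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe'
$driver  = Join-Path $env:SystemRoot 'System32\drivers\werkernel.sys'
$findings = @()

# 1. An IFEO key for WerFault.exe is abnormal on a stock system. The "Debugger" value
#    (assumed value name) redirects the launch of WerFault.exe to another binary.
if (Test-Path $ifeoKey) {
    $props    = Get-ItemProperty -Path $ifeoKey
    $debugger = $props.PSObject.Properties['Debugger']
    if ($debugger) {
        $findings += "IFEO Debugger for WerFault.exe is set to: $($debugger.Value)"
    } else {
        $findings += "IFEO key for WerFault.exe exists without a Debugger value; review its contents"
    }
}

# 2. The technique relies on werkernel.sys carrying a null security descriptor, i.e. no
#    effective protection. Report write/modify rights held by broad, non-admin principals.
if (Test-Path $driver) {
    $acl = Get-Acl -Path $driver
    foreach ($ace in $acl.Access) {
        $rights = $ace.FileSystemRights.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference -match 'Everyone|Users|Authenticated Users' -and
            $rights -match 'Write|Modify|FullControl') {
            $findings += "werkernel.sys grants $rights to $($ace.IdentityReference)"
        }
    }
}

# 3. Patch-level heuristic: the page gives the fix date (2024-03-12) but no KB number,
#    so report hosts with no hotfix installed on or after that date.
$patchDate = Get-Date '2024-03-12'
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $patchDate }
if (-not $recent) {
    $findings += "No hotfix installed since $($patchDate.ToShortDateString()); CVE-2024-26169 fix may be missing"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No CVE-2024-26169 artefacts found on this host'
}
```

Any IFEO entry for WerFault.exe or broad write access to werkernel.sys should be treated as a lead for incident response, not as proof of compromise on its own; the hotfix check is a coarse heuristic because Get-HotFix lists only some update types.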

Security Officer Comments:
Despite the possibility of timestamp manipulation, Symantec suggests that the likelihood is low due to the absence of a clear motive. Black Basta, with its ties to the Conti cybercrime syndicate, has previously demonstrated expertise in exploiting Windows tools and system vulnerabilities. CISA and the FBI have warned of Black Basta's prolific activity, attributing it to approximately 500 breaches since April 2022. Additionally, Elliptic's report in November 2023 indicated that Black Basta had amassed over $100 million in ransom payments.

Suggested Corrections:
To mitigate Black Basta's use of this vulnerability, it is essential to apply the latest Windows security update and follow the guidelines shared by CISA. IOCs: https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day

Link(s):
https://www.bleepingcomputer.com/ne...ware-gang-linked-to-windows-zero-day-attacks/