Wed | Jun 12, 2024 | 1:56 PM PDT

The prolific Black Basta ransomware operation is believed to have leveraged a recently patched Windows privilege escalation vulnerability as a Zero-Day exploit before a fix was made available, according to new research by cybersecurity firm Symantec.

The vulnerability in question is CVE-2024-26169, a high-severity issue in the Windows Error Reporting Service that could allow attackers to elevate their privileges to SYSTEM level on affected systems. Microsoft addressed the flaw on March 12, 2024, as part of its monthly Patch Tuesday updates.

However, Symantec's analysis of an exploit tool used in recent ransomware attacks indicates that the Black Basta cybercrime group, also known as Cardinal or UNC4394, may have compiled the exploit before the patch was released, suggesting the group had been abusing it as a Zero-Day vulnerability.

"Analysis of the exploit tool revealed that it takes advantage of the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys," the Symantec report explained, providing technical details on how the exploit works.
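The root cause Symantec describes, a driver creating registry keys with a null security descriptor, belongs to a broader class of weak-ACL flaws that defenders can audit for. The PowerShell function below is an added example, not code from the Symantec report or from this article, and the key path in the usage line is a placeholder assumption rather than the key involved in CVE-2024-26169. It flags two conditions on any key you point it at: a DACL that is entirely absent (which grants everyone full access) and Allow entries that give write-type rights to broad principals such as Everyone or Authenticated Users.

```powershell
# Added example (not from the Symantec report or SecureWorld article).
# Audits a registry key's DACL for the kind of weak security descriptor
# that lets a standard user tamper with keys a SYSTEM service later trusts.

function Get-WeakRegistryAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$KeyPath,   # placeholder path supplied by the caller, e.g. 'HKLM:\SOFTWARE\ExampleVendor'

        # Principals considered "broad": any write right granted here is suspicious.
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )

    # Rights that allow changing the key's contents or its own protection.
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::Delete -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
                 [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                 [System.Security.AccessControl.RegistryRights]::FullControl

    $acl = Get-Acl -Path $KeyPath

    # A security descriptor with no DACL at all ("D:" section missing from the
    # SDDL) means every principal has full control. Report it as its own finding.
    if ($acl.Sddl -notmatch 'D:') {
        [pscustomobject]@{
            Key       = $KeyPath
            Finding   = 'NullDacl'
            Principal = 'Everyone (implicit)'
            Rights    = 'FullControl'
            Inherited = $false
        }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        $principal = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $principal) { continue }

        # Emit an entry only when the ACE carries at least one write-type right.
        if (($ace.RegistryRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Key       = $KeyPath
                Finding   = 'BroadWriteAce'
                Principal = $principal
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (placeholder path; substitute the keys your own services create):
# Get-WeakRegistryAcl -KeyPath 'HKLM:\SOFTWARE\ExampleVendor' | Format-Table -AutoSize
```

Run it in an elevated session so `Get-Acl` can read the keys under `HKLM:`. An empty result means no broad write access was found on that key; a `NullDacl` or `BroadWriteAce` row is worth comparing against what the owning service actually needs, since a low-privilege user who can write such a key may be able to influence a component running as SYSTEM.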

Variants of the tool discovered had compilation timestamps from February 2024 and even as far back as December 2023—well before Microsoft's patch was issued. While timestamps can be modified, researchers saw little motivation for attackers to backdate them falsely in this case.

The tactics and techniques used in the attacks, such as deploying malicious batch scripts masquerading as software updates to establish persistence, closely aligned with Black Basta's known methods, according to Symantec. The investigators attributed the activity, an attempted but unsuccessful ransomware attack, to the group.

Ken Dunham, Cyber Threat Director at Qualys, commented on the significance: "While Black Basta is not as well-known as others, it is a top 10 ransomware threat globally. These aggressive tactics are certainly a cause for concern, and when combined with a top 10 prevalence, are justification for prioritized patching of CVE-2024-26169 which is now reportedly being targeted for exploitation by Black Basta."

Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, emphasized the evolving threat landscape, saying: "The exploitation of CVE-2024-26169 by Black Basta highlights the threat posed by ransomware groups utilizing Zero-Day vulnerabilities. Organizations must prioritize timely patch management, as the delay in applying security updates can leave systems vulnerable."

Guenther added: "From an intelligence perspective, this incident demonstrates the evolving tactics of cybercriminal groups, particularly their ability to deploy sophisticated tools and strategies quickly.... Organizations must stay informed about emerging threats and Zero-Day vulnerabilities, implement multi-layered security controls, and consistently and effectively detect and mitigate exploitation attempts."

The suspected exploitation of this Windows vulnerability by Black Basta underscores how ransomware operators continuously search for fresh vulnerabilities to exploit before patches are available. Prompt patch deployment, strong threat monitoring capabilities, and comprehensive defense strategies are critical to mitigating such attacks leveraging the latest vulnerabilities and evolving criminal tactics.

Follow SecureWorld News for more stories related to cybersecurity.