The Black Basta ransomware gang may have exploited a Windows privilege escalation vulnerability as a zero-day before it was patched, new evidence suggests.
Symantec researchers have revealed details that the Black Basta ransomware group linked to the Cardinal cybercriminal syndicate (also known as Storm-1811 or UNC4393) may have exploited a flaw in the Windows error reporting service as a zero-day prior to its March Patch Tuesday fix.
Tracked as CVE-2024-26169, the vulnerability in question exists in the Windows Error Reporting Service. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said at the time of patching.
The Redmond-based tech giant at the time reported no evidence of the bug being exploited in the wild. However, analysis of an exploit tool used in recent attacks indicated that it may have been compiled months before the official patch was released, indicating potential zero-day exploitation.
Black Basta’s Privilege Escalation Bug Exploitation
The Symantec team first uncovered the possible zero-day exploitation while investigating a recent ransomware attack attempt in which an exploit tool for CVE-2024-26169 was used. “Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity,” Symantec said.
These TTPs included the use of batch scripts disguised as software updates, the researchers added.
Black Basta Exploit Tool Analysis
The exploit tool leverages a flaw where the Windows file “werkernel.sys” uses a null security descriptor for creating registry keys. The tool exploits this by creating a “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe” registry key, setting its “Debugger” value to its own executable pathname. This allows the attacker to start a shell with administrative privileges, Symantec explained.
Two variants of the tool analyzed:
- Variant 1 (SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63): Compiled on February 27, before the vulnerability was patched.
- Variant 2 (SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0): Compiled on December 18, 2023, nearly three months before an official fix was released.
While time stamp values in executables can be modified, in this case the attackers likely had little motivation to alter them, suggesting genuine pre-patch compilation.
Indicators of Compromise
Symantec shared the following IoCs:
4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63 – Exploit tool
b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0 – Exploit tool
a31e075bd5a2652917f91714fea4d272816c028d7734b36c84899cd583181b3d – Batch script
3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d – Batch script
2408be22f6184cdccec7a34e2e79711ff4957e42f1ed7b7ad63f914d37dba625 – Batch script
b0903921e666ca3ffd45100a38c11d7e5c53ab38646715eafc6d1851ad41b92e – ScreenConnect
About Black Basta Ransomware
The latest attempts of exploiting a Windows privilege escalation bug comes a month after Microsoft revealed details of Black Basta ransomware operators abusing its Quick Assist application that enables a user to share their Windows or macOS device with another person over a remote connection.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI in a May advisory said Black Basta’s affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia since its launch in April 2022.
An analysis from blockchain analytics firm Elliptic indicates that Black Basta has accumulated at least $107 million in ransom payments since early 2022, targeting more than 90 victims. The largest ransom payment received was $9 million, and at least 18 of the ransoms exceeded $1 million each. The average ransom payment was $1.2 million.
