CVE-2024-26169: Windows Zero-Day Vulnerability Abused by Black Basta Ransomware
In a recent investigation, Symantec’s Threat Hunter Team identified evidence suggesting that the Black Basta ransomware group may have exploited a previously unknown vulnerability (CVE-2024-26169) in the Windows Error Reporting Service. This zero-day vulnerability, which allows privilege escalation on compromised systems, was patched in March 2024. However, forensic analysis of an exploit tool used in a recent failed ransomware attack, one bearing the distinct hallmarks of Black Basta’s TTPs, revealed a compilation timestamp preceding the patch date.
The Cardinal cybercrime group, also known as Storm-1811 or UNC4393, has been linked to the operation of the Black Basta ransomware. This ransomware, which first emerged in April 2022, has wreaked havoc on numerous systems worldwide. Initially, Black Basta was closely associated with the Qakbot botnet, a major malware distribution network. However, following a significant law enforcement takedown of Qakbot in August 2023, the group has shifted tactics and now collaborates with the operators of the DarkGate loader to continue their malicious activities.
The crux of the recent findings revolves around the Windows Error Reporting Service vulnerability, identified as CVE-2024-26169. This flaw allows attackers to elevate their privileges on affected systems, providing a gateway to more severe exploits. Microsoft patched this vulnerability on March 12, 2024, asserting at the time that there was no evidence of its exploitation in the wild.
Despite Microsoft’s assurances, Symantec’s analysis of an exploit tool used in a recent attack suggests otherwise. The tool’s compilation date, February 27, 2024—several weeks before the vulnerability was patched—indicates that the attackers may have been exploiting it as a zero-day. Further supporting this theory is the discovery of an even earlier variant of the tool, compiled on December 18, 2023.
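The argument above rests on comparing a sample's PE link-time timestamp with the patch release date. The following added example (not code from the article or from Symantec) extracts that timestamp from a PE header and compares it with the March 12, 2024 patch date; the sample headers it builds are constructed test data, not the real tool.

```python
import struct
from datetime import datetime, timezone

# Microsoft's patch date for CVE-2024-26169, as stated in the article.
PATCH_DATE = datetime(2024, 3, 12, tzinfo=timezone.utc)


def pe_compile_time(data: bytes) -> datetime:
    """Return the link-time TimeDateStamp of a PE image as a UTC datetime.

    Layout: 'MZ' DOS header, e_lfanew at offset 0x3C points to 'PE\\0\\0';
    the COFF file header follows, with TimeDateStamp at offset 4 within it
    (offset 8 from the signature). Note: this stamp is attacker-controlled
    and can be forged, so treat it as one indicator, not proof.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def predates_patch(data: bytes, patch_date: datetime = PATCH_DATE) -> bool:
    """True when the sample's build stamp is earlier than the patch release."""
    return pe_compile_time(data) < patch_date


def make_stub_pe(stamp: int) -> bytes:
    """Constructed test data: a minimal header carrying the given stamp.

    Just enough structure for the parser above; not a loadable executable.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Build dates cited in the article: Feb 27, 2024 and Dec 18, 2023.
    for d in (datetime(2024, 2, 27, tzinfo=timezone.utc),
              datetime(2023, 12, 18, tzinfo=timezone.utc)):
        sample = make_stub_pe(int(d.timestamp()))
        print(pe_compile_time(sample).date(), "predates patch:", predates_patch(sample))
```

On a real sample, read the file bytes and pass them to `predates_patch`; a stamp earlier than the patch date is consistent with, but does not by itself prove, pre-patch exploitation.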
The exploit tool takes advantage of a weakness in the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. This flaw allows attackers to create a specific registry key and set a “Debugger” value, enabling them to start a shell with administrative privileges. The tool’s sophistication and the strategic timing of its deployment strongly point to pre-patching exploitation.
Symantec’s investigation revealed that the exploit tool was deployed during a recent attempted ransomware attack. Although the attackers failed to deploy the ransomware payload, the tactics, techniques, and procedures (TTPs) used bore a striking resemblance to those documented in a recent Microsoft report on Black Basta’s activities. These TTPs included the use of batch scripts disguised as software updates.
The strong similarities in TTPs lead to the conclusion that this was likely a failed Black Basta attack. The attackers’ ability to compile and deploy such an exploit tool before the vulnerability was patched underscores the sophistication and persistence of their operations.