Symantec's Threat Hunter Team reports that the Black Basta ransomware operation, run by the group Symantec tracks as Cardinal, may have exploited a Windows zero-day vulnerability (CVE-2024-26169) before Microsoft patched it in March 2024. The vulnerability is an elevation-of-privilege flaw in the Windows Error Reporting Service that lets a local attacker gain SYSTEM privileges on a compromised host. Microsoft fixed it in the March 2024 Patch Tuesday release and, at the time, reported no evidence of exploitation in the wild.
While investigating a recent attempted ransomware attack, Symantec's Threat Hunter Team found an exploit tool for CVE-2024-26169 that it attributes to Black Basta. The attackers did not manage to deploy ransomware in this case, but their tradecraft closely matched that described in recent reporting on Black Basta: in particular, malicious batch scripts were disguised as legitimate software updates, a common way to trick users into executing a payload.
The tool exploits a flaw in how werkernel.sys handles the security descriptors of the registry keys it creates (per Symantec's analysis, the driver uses a null security descriptor when creating them). By abusing this, the tool creates a registry key that causes its own executable to be launched with administrative privileges, giving the attacker an elevated shell. Symantec identified two variants of the tool, both compiled before Microsoft released the patch.
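As an added example (not code from this page, from Symantec, or from the exploit tool), here is a small detection a SOC could run over Sysmon registry telemetry to catch the artifact such a tool leaves behind. It assumes the key shape that Symantec's published analysis of the tool describes and which this page does not spell out: an Image File Execution Options entry for WerFault.exe whose Debugger value points at the exploit's own executable. The five sample events, the writer paths and the "trusted directory" heuristic are assumptions constructed for the example; the Sysmon field names (EventID 13, TargetObject, Details, Image) are Sysmon's own. The check is written generally, so it flags a Debugger hijack of any executable, with WerFault.exe and any debugger outside the usual install directories rated high.

```python
"""Added example: flag IFEO 'Debugger' hijacks in Sysmon registry events.

Sysmon Event ID 13 (RegistryEvent - Value Set) records are represented as
plain dicts. All sample records below are constructed for this example and
are not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

# ...\Image File Execution Options\<exe>\Debugger under HKLM, including the
# WOW6432Node view. Sysmon reports machine-hive keys as HKLM\SOFTWARE\...
IFEO_DEBUGGER_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$",
    re.IGNORECASE,
)

# Directories a legitimately registered debugger normally lives in (assumed
# baseline; tune per environment).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    exe: str        # executable whose IFEO key was modified
    debugger: str   # program that will now be launched in its place
    writer: str     # process that wrote the value (Sysmon 'Image')
    severity: str   # "high" or "medium"


def _debugger_image(details: str) -> str:
    """Extract the executable path from a Debugger value, which may be a bare
    path or a quoted path followed by arguments."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:].split('"', 1)[0]
    return details.split()[0] if details else ""


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if the event sets an IFEO Debugger value, else None."""
    if event.get("EventID") != 13:
        return None
    m = IFEO_DEBUGGER_RE.match(event.get("TargetObject", ""))
    if not m:
        return None
    exe = m.group("exe")
    debugger = _debugger_image(event.get("Details", ""))
    # WerFault.exe is started by the Windows Error Reporting service, so a
    # Debugger value on it hands the attacker's binary an elevated launch.
    # A debugger outside the usual install directories is the other hijack shape.
    outside_trusted = not debugger.lower().startswith(TRUSTED_DIRS)
    severity = "high" if exe.lower() == "werfault.exe" or outside_trusted else "medium"
    return Finding(exe=exe, debugger=debugger, writer=event.get("Image", ""), severity=severity)


def scan(events) -> list:
    """Run classify() over an iterable of events and keep only the hits."""
    return [f for f in map(classify, events) if f is not None]


IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # the shape described for the tool: WerFault.exe's debugger set to itself
        "EventID": 13,
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
        "TargetObject": IFEO + r"\WerFault.exe\Debugger",
        "Details": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
    },
    {   # a developer tool pointing a debugger at its own test binary: worth a look, usually benign
        "EventID": 13,
        "Image": r"C:\Program Files (x86)\DevTool\setup.exe",
        "TargetObject": IFEO + r"\MyApp.exe\Debugger",
        "Details": r'"C:\Program Files (x86)\DevTool\vsjitdebugger.exe" -p %ld -e %ld',
    },
    {   # key creation only (Event ID 12), no value written yet
        "EventID": 12,
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
        "TargetObject": IFEO + r"\WerFault.exe",
        "Details": "",
    },
    {   # 32-bit view, debugger dropped in ProgramData
        "EventID": 13,
        "Image": r"C:\ProgramData\svc\helper.exe",
        "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger",
        "Details": r"C:\ProgramData\svc\helper.exe",
    },
    {   # unrelated registry write
        "EventID": 13,
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\ProgramData\svc\helper.exe",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.exe} -> {f.debugger} (written by {f.writer})")
```

In practice the same regex can be pointed at live hosts: a one-off sweep of the IFEO key for a WerFault.exe subkey with a Debugger value is a quick check for this specific artifact, and any hit should be treated as a sign of successful local privilege escalation rather than merely an attempt.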
Executable compile timestamps can be forged, but the two timestamps (February 27, 2024 and December 18, 2023) predate the March 12, 2024 patch by roughly two weeks and three months respectively, which strongly suggests that Black Basta held and used the exploit before it was publicly known. For defenders the lesson is concrete: an advisory that reports no known exploitation can lag actual abuse, so privilege-escalation fixes should be deployed promptly and hosts should be checked for the artifacts such tools leave behind.