Black Basta Actors Exploited Windows Zero-day Privilege Escalation Vulnerability

The Cardinal cybercrime group (aka Storm-1811, UNC4393), which operates the Black Basta ransomware, may have been exploiting a recently patched Windows privilege escalation vulnerability as a zero-day.

CVE-2024-26169: The Vulnerability

The vulnerability (CVE-2024-26169) occurs in the Windows Error Reporting Service.

EHA

If exploited on affected systems, an attacker can elevate their privileges.

The vulnerability was patched on March 12, 2024, and, at the time, Microsoft said there was no evidence of its exploitation in the wild.

However, analysis of an exploit tool deployed in recent attacks revealed evidence that it could have been compiled before patching, meaning at least one group may have exploited the vulnerability as a zero-day.

Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN Start your Analysis

The exploit tool was deployed in a recent attempted ransomware attack investigated by Symantec’s Threat Hunter Team.

Although the attackers failed to deploy a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) were highly similar to those described in a recent Microsoft report detailing Black Basta activity.

These included the use of batch scripts masquerading as software updates.

Although no payload was deployed, the similarities in TTPs make it highly likely it was a failed Black Basta attack.

Exploit Tool

Analysis of the exploit tool revealed that it takes advantage of the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys.

Because the parent key has a “Creator Owner” access control entry (ACE) for subkeys, users of the current process will own all subkeys.

The exploit takes advantage of this to create a “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe” registry key where it sets the “Debugger” value as its executable pathname.

This allows the exploit to start a shell with administrative privileges.

The variant of the tool used in this attack (SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63) had a compilation timestamp of February 27, 2024, several weeks before the vulnerability was patched.

A second variant of the tool discovered on Virus Total (SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0) had an earlier compilation timestamp of December 18, 2023.

Timestamp values in portable executables are adjustable, which means that a timestamp is not conclusive evidence that the attackers were using the exploit as a zero-day.

However, in this case, there appears to be little motivation for the attackers to change the time stamp to an earlier date.

Cardinal introduced Black Basta in April 2022, and from its inception, the ransomware was closely associated with the Qakbot botnet, which appeared to be its primary infection vector.

Qakbot was one of the world’s most prolific malware distribution botnets until it was taken down in August 2023 following law enforcement action.

However, while the takedown led to a dip in Black Basta activity, Cardinal has since resumed attacks and now appears to have switched to working with the operators of the DarkGate loader to obtain access to potential victims.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.