Black Basta ransomware exploits Windows zero-day flaws

June 20, 2024

The Black Basta ransomware operation has reportedly been exploiting a Windows privilege escalation vulnerability, tracked as CVE-2024-26169, as a zero-day before a patch was released.

The bug is a high-severity vulnerability in the Windows Error Reporting Service that allows attackers to escalate their privileges to SYSTEM. Microsoft patched it earlier this year as part of its monthly Patch Tuesday updates, and the company's advisory page does not list it as actively exploited.

However, recent research claims that the cybercrime group tracked as Cardinal, also known as Storm-1811, actively exploited the flaw. This group is believed to operate the Black Basta ransomware, and there is a significant probability that it used the vulnerability as a zero-day.

Black Basta has employed other loaders to exploit the Windows flaw.

According to the investigation, the attempted Black Basta ransomware attack first used the DarkGate loader to deliver the initial exploit for CVE-2024-26169. DarkGate has been one of Black Basta's primary loaders since the QakBot takedown.

The analysts also link the attackers to Black Basta because they used batch scripts disguised as software updates to run malicious commands and establish persistence on infected systems, a technique this group uses frequently.

The reported exploit tool abused the fact that the Windows driver werkernel.sys creates registry keys with a null security descriptor, so any user can modify them. The tool uses this to create a registry key and set its "Debugger" value to the path of its own executable, which lets it launch a shell with SYSTEM privileges.
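
The registry abuse described above leaves two artefacts a defender can look for: a "Debugger" value that redirects a Windows program to another executable, and registry keys whose DACL is empty or writable by non-administrators. The following PowerShell audit is an added example written for this article, not code from the article or from any of the researchers it cites. It assumes the "Debugger" value lives under the standard Image File Execution Options (IFEO) key, which is where Windows honours that value, and that it runs in an elevated session on the host being checked.

```powershell
# Added defensive audit (not from the article): enumerate IFEO subkeys and report
# any Debugger redirection plus any key whose DACL a standard user could change.
# Assumption: the Debugger value is the standard IFEO one; run from an elevated session.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-WeakRegistryAcl {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)

    # A null DACL shows up as an access list with no entries; Windows treats that as
    # "everyone has full control", which is exactly the condition the exploit relied on.
    if ($Acl.Access.Count -eq 0) { return 'null-dacl' }

    # Explicit Allow entries that let broad groups create subkeys or set values are
    # nearly as bad as a null DACL for a key the system later trusts.
    $broad = $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$' -and
        $_.RegistryRights -match 'FullControl|SetValue|CreateSubKey|WriteKey'
    }
    if ($broad) { return 'writable-by-non-admins' }
    return $null
}

function Get-IfeoDebuggerFindings {
    param([string]$Path = $IfeoPath)

    foreach ($key in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $props    = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $debugger = $props.Debugger
        $aclIssue = Test-WeakRegistryAcl -Acl (Get-Acl -Path $key.PSPath)

        # Only report keys that carry a redirection or a weak ACL.
        if (-not $debugger -and -not $aclIssue) { continue }

        # A debugger outside %SystemRoot% (a temp folder, a user profile, a removable
        # drive) is the pattern a privilege-escalation payload leaves behind. Legitimate
        # developer tools such as a JIT debugger also live outside Windows, so review
        # rather than auto-delete.
        $outsideWindows = [bool]$debugger -and ($debugger -notmatch '^"?[A-Za-z]:\\Windows\\')

        [pscustomobject]@{
            Image          = $key.PSChildName
            Debugger       = $debugger
            OutsideWindows = $outsideWindows
            AclIssue       = $aclIssue
        }
    }
}

# Usage: list findings, most suspicious first.
Get-IfeoDebuggerFindings |
    Sort-Object -Property @{Expression = 'OutsideWindows'; Descending = $true}, AclIssue |
    Format-Table -AutoSize
```

Any entry that points an error-reporting binary, or any other system executable, at a path a standard user can write to should be treated as an incident, not a misconfiguration. For continuous coverage rather than a point-in-time audit, Sysmon's registry value-set event (Event ID 13) scoped to the IFEO path gives the same signal as it happens, and the patch state for CVE-2024-26169 should be verified on any host where a finding appears.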

A separate investigation tested the exploit on a Windows 11 device that had only the February Windows security updates installed, that is, a system from before Microsoft fixed the bug in March. One of the findings is that one copy of the exploit tool carries a compilation timestamp from February 2024, while a second sample was built even earlier, in December 2023.

If those timestamps are genuine, Black Basta had a working exploit for between 14 and 85 days before Microsoft released a patch for the privilege escalation vulnerability.

Timestamps in portable executables can be altered, but attackers appear to have had little incentive to falsify them in this case, so the researchers consider a faked timestamp unlikely.
