Analysis Suggests Black Basta Ransomware Group Used Unpatched Windows Vulnerability tracked as CVE-2024-26169 that impacts the Windows Error Reporting service.
Research from cybersecurity firm Symantec suggests that the threat group behind the Black Basta ransomware may have exploited an unpatched zero-day vulnerability in Windows prior to a patch being released by Microsoft.
The vulnerability in question is tracked as CVE-2024-26169 and impacts the Windows Error Reporting service. It allows for elevation of privileges that could enable attackers to achieve full system access on impacted systems. Microsoft rated the severity of the bug as “Important” and assigned it a CVSS score of 7.8 out of 10.
Symantec researchers analyzed an exploit tool that was used in ransomware attacks related to the Black Basta ransomware operation. The tool was compiled on February 27th, 2024 according to metadata, which was several weeks before Microsoft patched the Windows Error Reporting service vulnerability in March 2024.
Another sample of the exploit tool found on VirusTotal had a compilation timestamp of December 18th, 2023, further suggesting the vulnerability was leveraged prior to the patch release.
The tool abuses how the “WerFault.exe” executable handles registry keys to insert its own path as the “Debugger” value, allowing it to launch a command prompt with elevated SYSTEM privileges on the target system.
Black Basta Ransomware Group Uses Legitimate Tools in Attacks
The threat group behind Black Basta ransomware, also known as Cardinal, Storm-1811, and UNC4393, often weaponizes legitimate system utilities and applications as initial entry points.
Recent tactics observed include using Microsoft Teams for social engineering attempts by impersonating IT staff. This leads to the misuse of the Quick Assist remote support tool pre-installed on Windows 10 and later versions to remotely access victims’ systems. From there, password stealing tools like EvilProxy may be deployed.
Ransomware Epidemic Continued Growth in 2023 Despite 2022 Dip
Mandiant researchers note that the overall ransomware epidemic seemed to see a resurgence in 2023 after a slight dip in reported incidents in 2022. Data leaked from Conti ransomware gang chat logs and the Ukraine war were potential factors in the temporary 2022 decline.
However, ransomware posts on data leak sites grew by 75% from 2022 to 2023 according to Mandiant. Ransom payments also increased, reaching over $1.1 billion last year compared to just $567 million in 2022. This underscores the ongoing threat posed by cybercriminal ransomware operations like the one using Black Basta ransomware.
Microsoft Comments on Incident and Urges Patching of Vulnerabilities
When asked about the exploitation of CVE-2024-26169 potentially as a zero-day, a Microsoft spokesperson said that:
“This issue was addressed in March, and customers who apply the fix are protected. Our security software also includes detections to protect against the malware.”
This emphasizes the importance of promptly patching known Windows vulnerabilities. Doing so helps prevent threat groups like the operators of Black Basta ransomware from taking advantage of unfixed flaws to enable further malicious activities.