Black Basta Ransomware Group Suspected of Exploiting Windows Zero-Day Vulnerability

June 12, 2024

The Black Basta ransomware group is suspected of exploiting a Windows privilege escalation vulnerability, CVE-2024-26169, before a patch was made available. This high-severity flaw in the Windows Error Reporting Service allowed the attackers to elevate their privileges to SYSTEM. Microsoft addressed the vulnerability on March 12, 2024, through its monthly Patch Tuesday updates. While Microsoft's vendor page indicated no active exploitation, a Symantec report suggests that the Cardinal cybercrime group, which operates Black Basta, likely used the flaw as a zero-day.

The report came after Symantec's investigation of a ransomware attack attempt, in which an exploit tool for CVE-2024-26169 was deployed after an initial infection by the DarkGate loader, a tool Black Basta has been using since the QakBot takedown. The analysts suspect a link to Black Basta because of the use of batch scripts disguised as software updates to run malicious commands and maintain persistence on compromised systems, a tactic commonly employed by this group.

The exploit tool took advantage of the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys. It exploited this to create a registry key and set the 'Debugger' value to its own executable pathname, thereby launching a shell with SYSTEM privileges.
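One defender-side check that follows from this mechanism, added here as an example and not part of the article or Symantec's report: it parses a `reg export` dump of the Image File Execution Options (IFEO) keys, the key family in which a 'Debugger' value redirects process launches, and flags Debugger entries whose executable sits outside the standard program directories. The article does not name IFEO, so treating it as the key family involved is my assumption, as is the trusted-directory heuristic; the sample export below is constructed.

```python
import re

# Constructed sample of `reg export` output for IFEO subkeys (not from the article).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe]
"Debugger"="C:\\Users\\Public\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Tools\\dbg.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"GlobalFlag"=dword:00000200
'''

IFEO_MARKER = "image file execution options"
# Assumed heuristic: a debugger binary outside these roots deserves a closer look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SECTION_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def _unescape(value):
    # .reg string data escapes backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def _exe_path(cmdline):
    # The Debugger value is a command line; extract its first token (the executable).
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def find_ifeo_debuggers(reg_text):
    """Return every Debugger value found under an IFEO subkey, with a risk flag."""
    findings, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group(1)
            current_key = key if IFEO_MARKER in key.lower() else None
            continue
        match = DEBUGGER_RE.match(line)
        if not match or current_key is None:
            continue
        exe = _exe_path(_unescape(match.group(1)))
        findings.append({
            "target": current_key.rsplit("\\", 1)[-1],  # the hijacked executable name
            "debugger": exe,
            "outside_trusted_dirs": not exe.lower().startswith(TRUSTED_PREFIXES),
        })
    return findings
```

Run it against a real export with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and pass the file contents to `find_ifeo_debuggers`; any entry flagged `outside_trusted_dirs` warrants investigation.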

Symantec's findings revealed that one version of the exploit tool had a compilation timestamp of February 27, 2024, and another sample was built even earlier, on December 18, 2023. This suggests that Black Basta had a functional exploit tool between 14 and 85 days before Microsoft released a fix for the privilege elevation issue. Although timestamps in portable executables can be altered, making this finding inconclusive regarding zero-day exploitation, it appears unlikely that the attackers would have any reason to falsify the timestamps.

Black Basta, a ransomware operation thought to be connected to the now-defunct Conti cybercrime syndicate, has shown expertise in exploiting Windows tools and a deep understanding of the platform. An advisory from CISA and the FBI in May 2024 highlighted Black Basta's high-volume activity, attributing over 500 breaches to its affiliates since its launch in April 2022. Blockchain analytics firm Elliptic reported in November 2023 that the ransomware operation had accumulated over $100 million in ransom payments. To counteract Black Basta's exploitation of this vulnerability, it is crucial to install the latest Windows security update and adhere to CISA's guidelines.
