Researchers from Symantec have uncovered evidence that attackers associated with the Black Basta ransomware operation were likely exploiting a recently patched vulnerability in the Windows Error Reporting Service (WER) to escalate privileges. The vulnerability, CVE-2024-26169, was fixed by Microsoft on March 12, 2024.
CVE-2024-26169 is an elevation-of-privilege flaw with a CVSS score of 7.8; a successful exploit gives a local attacker SYSTEM-level privileges. Analysis of the exploit tool used in recent incidents suggests it may have been built, and therefore possibly used as a zero-day, before the patch was released.
Symantec tracks the financially motivated group behind these attacks as Cardinal (also known as Storm-1811 and UNC4393); it deploys Black Basta to monetize the access it obtains. The attackers typically gain initial access through the Qakbot and DarkGate loaders.
In recent months the group has abused legitimate Microsoft products, Quick Assist and Teams, to target users. Operators impersonate IT help-desk staff in Teams messages and calls, talk the victim into granting remote access through Quick Assist, then steal data using EvilProxy and maintain access with the SystemBC proxy malware.
In one attack that was ultimately unsuccessful, Symantec also observed the exploit tool itself. It abuses the fact that the Windows driver werkernel.sys creates registry keys with a null security descriptor: a key created that way has no access control at all, so an unprivileged user can write to it, and the tool uses that write access to obtain a shell with administrative privileges.
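Why a null security descriptor is exploitable is easy to miss, so the following is an added worked example (mine, not Symantec's analysis or any code from the tool). It builds three self-relative security descriptors as they would appear on a registry key (a null DACL, an empty DACL, and a hardened DACL), parses them per the MS-DTYP layout, and runs a simplified DACL access check for a standard-user token versus a SYSTEM token. The descriptors and token SIDs are constructed for illustration; only the well-known SIDs are real.

```python
import struct
from typing import List, Optional, Set, Tuple

# Security-descriptor constants from MS-DTYP / winnt.h.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
KEY_SET_VALUE = 0x0002
KEY_CREATE_SUB_KEY = 0x0004
KEY_READ = 0x20019
KEY_ALL_ACCESS = 0xF003F
KEY_WRITE_BITS = KEY_SET_VALUE | KEY_CREATE_SUB_KEY  # what an exploit needs on a key

# Well-known SIDs used by the constructed examples below.
SID_EVERYONE = "S-1-1-0"
SID_AUTHENTICATED_USERS = "S-1-5-11"
SID_SYSTEM = "S-1-5-18"
SID_ADMINISTRATORS = "S-1-5-32-544"
SID_USERS = "S-1-5-32-545"


def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-5-32-544' style SID into its binary layout."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("bad SID: %s" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, off: int) -> str:
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_ace(ace_type: int, mask: int, sid: str) -> bytes:
    sid_b = sid_to_bytes(sid)
    # ACE header: AceType, AceFlags, AceSize, then Mask and the SID.
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid_b), mask) + sid_b


def build_dacl(aces: List[bytes]) -> bytes:
    body = b"".join(aces)
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2.
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def build_sd(dacl: Optional[bytes]) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR carrying only a DACL (owner/group omitted)."""
    if dacl is None:
        # SE_DACL_PRESENT clear and OffsetDacl == 0: this is a *null* DACL.
        return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE, 0, 0, 0, 0)
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20) + dacl


def parse_dacl(sd: bytes) -> Optional[List[Tuple[int, int, str]]]:
    """None for a null DACL; otherwise the list of (ace_type, mask, sid)."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return None
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    aces, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        aces.append((ace_type, mask, sid_from_bytes(sd, pos + 8)))
        pos += ace_size
    return aces


def access_check(sd: bytes, token_sids: Set[str], requested: int) -> bool:
    """Simplified DACL evaluation (MS-DTYP 2.5.3.2); ignores owner rights and privileges."""
    dacl = parse_dacl(sd)
    if dacl is None:
        return True                      # null DACL: the object has no protection at all
    granted = 0
    for ace_type, mask, sid in dacl:     # an empty DACL never grants anything
        if sid not in token_sids:
            continue
        if ace_type == ACCESS_DENIED_ACE_TYPE and (mask & requested):
            return False
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            granted |= mask & requested
            if granted == requested:
                return True
    return granted == requested


# Constructed descriptors (not captured from a real system).
NULL_DACL_SD = build_sd(None)                  # the werkernel.sys pattern
EMPTY_DACL_SD = build_sd(build_dacl([]))       # present but empty: denies everyone
HARDENED_SD = build_sd(build_dacl([
    build_ace(ACCESS_ALLOWED_ACE_TYPE, KEY_ALL_ACCESS, SID_SYSTEM),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, KEY_ALL_ACCESS, SID_ADMINISTRATORS),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, KEY_READ, SID_USERS),
]))
USER_TOKEN = {SID_EVERYONE, SID_AUTHENTICATED_USERS, SID_USERS}
SYSTEM_TOKEN = {SID_EVERYONE, SID_AUTHENTICATED_USERS, SID_SYSTEM}

if __name__ == "__main__":
    for name, sd in [("null DACL", NULL_DACL_SD), ("empty DACL", EMPTY_DACL_SD), ("hardened", HARDENED_SD)]:
        print("%-10s user can write: %-5s  SYSTEM can write: %s" % (
            name, access_check(sd, USER_TOKEN, KEY_WRITE_BITS),
            access_check(sd, SYSTEM_TOKEN, KEY_WRITE_BITS)))
```

The distinction that matters is null versus empty: an empty DACL denies everyone, a null DACL (no DACL at all) grants everyone everything, which is the condition the exploit tool relied on. On a live Windows host the equivalent check is `Get-Acl` on the suspect registry key; the .NET layer under it renders a null DACL as a single Everyone: FullControl entry, so that is the entry to look for when auditing keys a driver or service creates.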
The compilation timestamp on the exploit tool used in that attack is February 27, 2024, just weeks before the vulnerability was patched. A second variant of the tool found on VirusTotal carries a timestamp of December 18, 2023. Compilation timestamps are trivial to modify, so they are not conclusive on their own, but there is no apparent reason for the attackers to have backdated them.
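The "compiled on" dates above come from the 32-bit TimeDateStamp field in the PE/COFF header. The following added example (mine, not Symantec's tooling) reads that field from a constructed minimal PE header and then rewrites it, to make the caveat concrete: the field is four unsigned bytes with nothing tying it to the rest of the file. The two epoch values are constructed to match the reported dates at midnight UTC; the real samples' time of day is not given on this page.

```python
import struct
from datetime import datetime, timezone

E_LFANEW_OFFSET = 0x3C        # DOS header: offset of the "PE\0\0" signature
COFF_TIMESTAMP_OFFSET = 8     # signature (4) + Machine (2) + NumberOfSections (2)
COFF_HEADER_SIZE = 20


def pe_timestamp(image: bytes) -> int:
    """Raw 32-bit TimeDateStamp (seconds since the Unix epoch) from the COFF header."""
    if len(image) < E_LFANEW_OFFSET + 4 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return stamp


def compile_time(image: bytes) -> datetime:
    return datetime.fromtimestamp(pe_timestamp(image), tz=timezone.utc)


def set_pe_timestamp(image: bytes, stamp: int) -> bytes:
    """Rewrite the field in place: four bytes, with no signature or checksum tying it down."""
    pe_timestamp(image)  # validate the header first
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    buf = bytearray(image)
    struct.pack_into("<I", buf, e_lfanew + COFF_TIMESTAMP_OFFSET, stamp)
    return bytes(buf)


def build_sample_image(stamp: int) -> bytes:
    """Constructed minimal header (DOS stub + PE signature + COFF header); not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    # Machine=x64, 1 section, TimeDateStamp, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE.
    coff = struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff


# Epoch values for the two dates Symantec reported (constructed, midnight UTC).
FEB_27_2024 = 1708992000
DEC_18_2023 = 1702857600

if __name__ == "__main__":
    sample = build_sample_image(FEB_27_2024)
    print("reported compile time:", compile_time(sample).isoformat())
    backdated = set_pe_timestamp(sample, DEC_18_2023)
    print("after a 4-byte edit:  ", compile_time(backdated).isoformat())
```

For real samples a library such as pefile reads the same field; the point is that it is metadata the author controls, so it should be corroborated with other evidence (first-seen dates on VirusTotal, telemetry from the incident, linker version strings) before it is treated as proof of pre-patch use.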
Microsoft confirmed that the vulnerability was addressed in the March 2024 security update; customers who have applied it are protected. Symantec's security products include detections for the exploit tool and the related tooling described above.
Exploitation of CVE-2024-26169 as a zero-day by a Black Basta affiliate would have handed the attackers SYSTEM-level access on compromised hosts, the step needed to disable defenses, steal data, and deploy ransomware across an organization. The episode is another reminder to apply security updates promptly, and to hunt for signs of earlier exploitation when a fix ships for a bug that was already in attackers' hands.