Recent investigations by Symantec suggest that operatives connected to the Black Basta ransomware may have exploited a newly disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service as a zero-day vulnerability.
The security vulnerability, identified as CVE-2024-26169 (CVSS score: 7.8), is an elevation of privilege bug in the Windows Error Reporting Service that can be exploited to gain SYSTEM-level privileges. Microsoft patched this vulnerability in March 2024.
“Examination of an exploit tool used in recent attacks indicates it might have been created before the patch was issued, implying that at least one group may have been exploiting the vulnerability as a zero-day,” the Symantec Threat Hunter Team, a branch of Broadcom, stated in a report shared with The Hacker News.
The financially motivated threat group is tracked under the moniker Cardinal and is also known as Storm-1811 and UNC4393.
This group is known to capitalize on access by deploying the Black Basta ransomware, typically using initial access obtained by other attackers – initially through QakBot and later through DarkGate – to penetrate target environments.
In recent months, this threat actor has been noted for utilizing legitimate Microsoft tools such as Quick Assist and Microsoft Teams as vectors for attacks.
“The threat actor uses Teams to send messages and initiate calls, attempting to impersonate IT or help desk personnel,” Microsoft noted. “This activity leads to the misuse of Quick Assist, followed by credential theft using EvilProxy, execution of batch scripts, and the deployment of SystemBC for persistence and command and control.”
Symantec observed the exploit tool in the context of an attempted, but ultimately unsuccessful, ransomware attack.
The tool “exploits the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys,” Symantec explained.
“The exploit uses this to create a ‘HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe’ registry key, setting the ‘Debugger’ value as its own executable path. This allows the exploit to launch a shell with administrative privileges.”
Metadata analysis of the artifact revealed a compilation date of February 27, 2024, several weeks before Microsoft addressed the vulnerability. Another sample found on VirusTotal had a compilation timestamp of December 18, 2023.
Although threat actors often modify the timestamps of files and directories on compromised systems to hide their activities or hinder investigations – a method known as timestomping – Symantec noted that there are likely few reasons for doing so in this instance.
This development coincides with the rise of a new ransomware variant called DORRA, a derivative of the Makop malware family, as ransomware attacks continue to resurge after a decline in 2022.
According to Google-owned Mandiant, the ransomware crisis saw a 75% increase in posts on data leak sites, with more than $1.1 billion paid to attackers in 2023, up from $567 million in 2022 and $983 million in 2021.
“This demonstrates that the slight decrease in extortion activity observed in 2022 was an anomaly, possibly due to events like the invasion of Ukraine and the leaked Conti chats,” the company said.
“The current resurgence in extortion activity is likely driven by various factors, including the reorganization of the cybercriminal ecosystem following a tumultuous year in 2022, the emergence of new actors, and new partnerships and ransomware service offerings by previously prolific groups that had been disrupted.”
