Black Basta ransomware gang linked to Windows zero-day attacks

Exploiting CVE-2024-26169

Symantec recently uncovered an attempted ransomware attack that shed light on the exploitation of CVE-2024-26169 by the notorious Black Basta gang. This cybercriminal group, known for its affiliation with the Cardinal cybercrime group, used an exploit tool for the Windows privilege escalation vulnerability to elevate its privileges on systems it had already compromised.

The attack began with the deployment of the DarkGate loader, a tool favored by Black Basta following the QakBot takedown. Analysts identified the attackers’ use of batch scripts disguised as software updates to execute malicious commands and establish persistence on the targeted systems, a tactic commonly employed by the group.

The exploit tool took advantage of a flaw in the Windows Error Reporting Service: the werkernel.sys driver creates registry keys using a null security descriptor, which leaves those keys writable by unprivileged users. By creating such a registry key and setting its “Debugger” value to the pathname of its own executable, the tool was able to launch a shell with SYSTEM privileges, allowing the attackers to escalate their access.
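The observable artifact described above is a registry write that sets a “Debugger” value to an attacker-controlled executable. The following detection script is an added example and is not code from Symantec, Black Basta, or the article; it scans constructed Sysmon-style registry events (Event ID 13, “value set”, with the real Sysmon field names Image, TargetObject and Details) and flags any “Debugger” value whose data points outside trusted system directories, with an extra flag when the writing process set the value to its own path, which is exactly the behaviour the article attributes to the exploit tool. The registry key path `HKLM\SOFTWARE\EXAMPLE_WER_KEY`, the process names and the sample records are constructed placeholders, since the article does not give the key the tool creates.

```python
"""Flag registry writes that set a "Debugger" value to an executable outside
trusted system locations (added detection example; sample input is constructed)."""

from dataclasses import dataclass

# Directories where a legitimately registered debugger is expected to live.
# Anything outside these is treated as untrusted (assumption for this example).
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class RegistryEvent:
    event_id: int       # Sysmon 13 = RegistryEvent (Value Set)
    image: str          # process that performed the write
    target_object: str  # full registry path including the value name
    details: str        # data written to the value


def first_token(details: str) -> str:
    """Return the executable part of a Debugger value, which may be quoted
    and may carry arguments, e.g. '"C:\\x.exe" -p 1' -> 'C:\\x.exe'."""
    s = details.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def debugger_target(ev: RegistryEvent):
    """Return the path a "Debugger" value points at, or None if this event
    is not a Debugger value-set."""
    if ev.event_id != 13:
        return None
    value_name = ev.target_object.rsplit("\\", 1)[-1]
    if value_name.lower() != "debugger":
        return None
    return first_token(ev.details) or None


def is_untrusted_path(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_DIR_PREFIXES)


def scan(events):
    """Return one finding per suspicious Debugger value-set event."""
    findings = []
    for ev in events:
        exe = debugger_target(ev)
        if exe is None or not is_untrusted_path(exe):
            continue
        findings.append({
            "image": ev.image,
            "target_object": ev.target_object,
            "debugger": exe,
            # The article's pattern: the tool points Debugger at itself.
            "self_referential": exe.lower() == ev.image.lower(),
        })
    return findings


# Constructed sample events (placeholder key path and process names).
SAMPLE_EVENTS = [
    RegistryEvent(13, "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                  "HKLM\\SOFTWARE\\EXAMPLE_WER_KEY\\Debugger",
                  "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"),
    # Typical developer JIT-debugger registration: trusted location, ignored.
    RegistryEvent(13, "C:\\Windows\\System32\\msiexec.exe",
                  "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\\Debugger",
                  '"C:\\Windows\\System32\\vsjitdebugger.exe" -p %ld -e %ld'),
    # Key creation (Event ID 12) carries no value data: ignored.
    RegistryEvent(12, "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                  "HKLM\\SOFTWARE\\EXAMPLE_WER_KEY", ""),
    # A different value name under the same key: ignored by this rule.
    RegistryEvent(13, "C:\\Windows\\System32\\svchost.exe",
                  "HKLM\\SOFTWARE\\EXAMPLE_WER_KEY\\AutoRun", "1"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Debugger values are also set legitimately by developer tooling, so the trusted-directory allow-list is what keeps this rule from paging on every Visual Studio install; in production you would tune the prefixes to your estate and treat the self-referential case as the higher-severity alert.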

Symantec’s investigation revealed that one variant of the exploit tool had a compilation timestamp dating back to February 27, 2024, indicating that Black Basta had a functioning exploit tool in their arsenal well before Microsoft released a fix for the vulnerability in March. While the possibility of tampered timestamps exists, the lack of motivation for the attackers to falsify this information makes it unlikely.

Black Basta’s history of leveraging Windows tools and their deep understanding of the platform have made them a formidable threat in the cybersecurity landscape. With a track record of high-volume breaches and substantial ransom payments, the group’s activities have drawn attention from authorities and security experts alike.

To protect against potential attacks exploiting CVE-2024-26169, it is crucial for organizations to promptly apply the latest Windows security updates and adhere to the guidelines provided by CISA. By staying vigilant and implementing robust cybersecurity measures, businesses can safeguard themselves against threats posed by sophisticated ransomware operations like Black Basta.

Winsage