Black Basta ransomware linked to exploited Windows zero-day

Black Basta ransomware has been exploiting a recently patched Windows privilege escalation to deploy attacks even before the patch, researchers from Symantec believe.

The vulnerability, labeled CVE-2024-26169, affects the Windows Error Reporting Service. It was patched on March 12th, and, at the time, Microsoft said there was no evidence of its exploitation in the wild.

Now, the Symantec analysis reveals that in recent attacks, Black Basta ransomware deployed a tool exploiting the vulnerability for privilege escalation.

“It could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day,” Symantec’s Threat Hunter Team said. “If exploited on affected systems, it can permit an attacker to elevate their privileges.”

In the analyzed attempted ransomware attack, malicious actors with tactics similar to Black Basta’s failed to deploy the ransomware payload. Further investigation of the exploit tool revealed that it takes advantage of the fact that the ‘werkernel.sys’ uses “a null security descriptor when creating registry keys.”

This allows the malicious tool to create new registry keys and set the “Debugger” value as an executable pathname for a specific program “WerFault.exe.” By doing this, the tool tricks Windows into running the malware with administrative privileges.

At least a few variants of the tool were discovered on Virus Total before the vulnerability was patched.

Black Basta ransomware was introduced by the Cardinal cybercrime group, also known as Storm-1811, in April 2022.

“From its inception, the ransomware was closely associated with the Qakbot botnet, which appeared to be its primary infection vector. Qakbot was one of the world’s most prolific malware distribution botnets until it was taken down following law enforcement action in August 2023,” Symantec describes.

However, Black Basta resumed operations and now appears to have switched to the operators of the DarkGate loader to gain access to potential victims.

According to US cyber authorities, Black Basta Ransomware affiliates have impacted over 500 private industry and critical infrastructure entities worldwide, including healthcare. After the breach of Ascension Health systems, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and other agencies released an advisory for network defenders.