Exploit found for Windows Zero-day by Black Basta Actors

June 13, 2024

TLDR:

Key Points:

  • The Cardinal cybercrime group, also known as Storm-1811, may have exploited a Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day to deploy the Black Basta ransomware.
  • An exploit tool used in a recent attempted ransomware attack revealed evidence of this exploitation, despite Microsoft patching the vulnerability on March 12, 2024.

In a recently observed attack, the Cardinal cybercrime group, which operates the Black Basta ransomware, potentially exploited a Windows privilege escalation vulnerability as a zero-day. The vulnerability, tracked as CVE-2024-26169, affects the Windows Error Reporting Service and allows an attacker with initial access to elevate their privileges on an affected system. Although Microsoft patched the vulnerability in March, an exploit tool used in the attack indicates that the group may have deployed the exploit as a zero-day before the patch was available.

Symantec’s Threat Hunter Team investigated an attempted ransomware attack whose tactics, techniques, and procedures resembled previous Black Basta activity. The exploit tool relied on a technique involving the Windows driver file werkernel.sys to create a registry key and then execute shell commands with administrative privileges. The tool’s compilation timestamps suggest that the attackers were using the exploit before the patch was released.

Cardinal, the group behind Black Basta, initially collaborated with the Qakbot botnet for malware distribution until law enforcement action led to the botnet’s takedown in August 2023. Despite a temporary decrease in activity, Cardinal has since resumed attacks and partnered with DarkGate loader operators to target potential victims. This shift indicates the group’s adaptability and persistence in carrying out ransomware attacks.

The evolving tactics of cybercriminal groups underscore the importance of timely patching, threat intelligence monitoring, and cybersecurity awareness to mitigate the risks posed by zero-day vulnerabilities and ransomware attacks.
