TLDR:
- The Black Basta ransomware gang may have exploited a Windows privilege escalation bug as a zero-day before it was patched.
- Symantec’s analysis suggests that the malware could achieve total control of targeted Windows machines.
The article discusses how the Black Basta ransomware gang potentially exploited a Windows privilege escalation bug, tracked as CVE-2024-26169, as a zero-day before Microsoft issued a patch in March. Symantec’s threat hunters indicated that the malicious code used by the ransomware crew may have been compiled before the patch was released, allowing attackers to elevate privileges to the SYSTEM level during an attack. This exploit was linked to a recent ransomware infection attempt, which failed but had similarities to a previous Black Basta campaign documented by Microsoft in May. The Black Basta gang, also known as Storm-1811, used social engineering tactics to trick organizations into granting them access to systems, deploying ransomware using batch scripts disguised as software updates.
Symantec’s analysis of the exploit revealed that it took advantage of a null security descriptor in the Windows werkernel.sys driver to create a registry key that would start a shell with administrative privileges. The exploit binary used in the attack carried a compilation timestamp that predates the patch release, suggesting it was potentially exploited as a zero-day. While Microsoft has not confirmed whether CVE-2024-26169 was exploited as a zero-day, Symantec’s findings raise concerns about the possible exploitation of the Windows bug by cybercriminals.
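The root cause described above is a key created with a null security descriptor, which leaves it with permissive default permissions that a low-privileged user can write to. The following audit helper is an added example, not code from Symantec or from the article, that lists the access-control entries on a registry key granting write-type rights to broad principals; the key path it is run against is a placeholder, since the article does not name the key.

```powershell
# Added audit helper (not from the Symantec report): report ACEs on a registry key
# that grant write-type rights to broad, low-privileged principals. A key created
# under a null security descriptor ends up with permissive defaults, which is the
# condition the CVE-2024-26169 exploit relied on. The key path is a placeholder.
function Find-WeakRegistryAce {
    param(
        [Parameter(Mandatory)][string]$KeyPath   # e.g. 'HKLM:\SOFTWARE\Example'
    )
    # Rights that let a caller alter the key's contents, children or its DACL.
    $writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
    # Principals that practically any local or domain user falls under.
    $broad = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        # Only Allow entries can widen access; Deny entries are not a weakness here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band [int]$writeMask) -eq 0) { continue }
        if ($broad -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Key       = $KeyPath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: audit one key and print any weak entries (placeholder path).
Find-WeakRegistryAce -KeyPath 'HKLM:\SOFTWARE\ExampleVendor' | Format-Table -AutoSize
```

Run it from an elevated session against the keys your hardening baseline covers; an empty result means no broad principal holds write rights on that key.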