A cybercrime group known as Cardinal, also referred to as Storm-1811 and UNC4393, has been implicated in the exploitation of a Windows privilege escalation vulnerability. This vulnerability, identified as CVE-2024-26169, affects the Windows Error Reporting Service and could allow an attacker to elevate their privileges on affected systems. The vulnerability was patched by Microsoft on March 12, 2024, but evidence suggests that it may have been exploited as a zero-day by at least one group before the patch was released.
CVE-2024-26169 is a security flaw found in the Windows Error Reporting Service. If exploited, it allows an attacker to elevate their privileges on a system. This vulnerability was patched on March 12, 2024, with Microsoft initially indicating no known exploitation in the wild. However, further analysis revealed that an exploit tool compiled before the patch date was used, suggesting zero-day exploitation by malicious actors.
Black Basta Connection
The deployment of the exploit tool was linked to a recent attempted ransomware attack investigated by Symantec’s Threat Hunter Team. Although the attackers did not succeed in deploying a ransomware payload, the tactics employed closely matched those described in a Microsoft report on Black Basta ransomware activities. These tactics included using batch scripts disguised as software updates, pointing towards a likely failed Black Basta attack.
The exploit tool leveraged the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys. As a result, subkeys created beneath such a key carry "Creator Owner" access control, so the user of the process that creates them becomes the owner of every subkey. By creating a specific registry key and setting its "Debugger" value to the path of its own executable, the exploit starts a shell with administrative privileges. Variants of the tool had compilation timestamps from February and December 2023, indicating potential zero-day exploitation.
Details of Exploit Tool
Further analysis revealed that the tool exploits the Windows file werkernel.sys, which uses a null security descriptor. This exploitation allows the creation of a registry key where the “Debugger” value is set to the attacker’s executable path, granting administrative privileges. Two variants of the tool were found, with timestamps suggesting they were compiled before the vulnerability was patched, although timestamp manipulation is possible.
– The Windows Error Reporting Service vulnerability CVE-2024-26169 allows privilege escalation.
– Black Basta’s tactics included using batch scripts as software updates in attacks.
– Evidence suggests exploitation of the vulnerability before the March 2024 patch.
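From a defender's side, the mechanism above leaves three observable traces on a host: a "Debugger" value written to a registry subkey, that subkey being owned by an ordinary user rather than a privileged principal (the "Creator Owner" effect of the null security descriptor), and the Debugger path pointing outside the Windows system directories. The following triage function is an added example, not code from the article or from Symantec; the registry-audit record format, the key paths and the sample records are constructed, and the placeholder key name stands in for the specific key the article does not name.

```python
"""Triage registry-audit records for the Debugger-value abuse described above.

Assumptions (not from the article): records come from some registry audit
export that gives the key path, the owner from its security descriptor, and
its values. Key paths below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List

PRIVILEGED_OWNERS = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "NT SERVICE\\TrustedInstaller",
}
# Compared case-insensitively against the Debugger value.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class KeyRecord:
    path: str                       # registry key path
    owner: str                      # owner principal of the key
    values: dict = field(default_factory=dict)


def suspicious_signals(rec: KeyRecord) -> List[str]:
    """Return the list of signals this key shows; empty if no Debugger value."""
    signals: List[str] = []
    debugger = rec.values.get("Debugger")
    if debugger is None:
        return signals
    signals.append("debugger-value-set")
    if rec.owner not in PRIVILEGED_OWNERS:
        signals.append(f"user-owned-key:{rec.owner}")
    exe = debugger.strip().strip('"').lower()
    if not exe.startswith(SYSTEM_DIRS):
        signals.append("debugger-outside-system-dirs")
    return signals


def triage(records: List[KeyRecord]) -> Dict[str, List[str]]:
    """Keep keys showing two or more signals; a lone Debugger value may be legitimate."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        signals = suspicious_signals(rec)
        if len(signals) >= 2:
            flagged[rec.path] = signals
    return flagged


# Constructed sample records (not real telemetry).
SAMPLE = [
    KeyRecord(r"HKLM\SOFTWARE\PLACEHOLDER_KEY\AppA.exe", "NT AUTHORITY\\SYSTEM",
              {"Debugger": r"C:\Windows\System32\vsjitdebugger.exe"}),
    KeyRecord(r"HKLM\SOFTWARE\PLACEHOLDER_KEY\AppB.exe", "CORP\\jdoe",
              {"Debugger": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"}),
    KeyRecord(r"HKLM\SOFTWARE\PLACEHOLDER_KEY\AppC.exe", "BUILTIN\\Administrators",
              {"GlobalFlag": 0x200}),
]
```

Running `triage(SAMPLE)` flags only the user-owned key whose Debugger points into a temp directory; the SYSTEM-owned key with a debugger under System32 shows a single signal and is left alone.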
Cardinal, the group behind Black Basta ransomware, introduced it in April 2022. Initially linked with the Qakbot botnet, which was taken down in August 2023, Black Basta saw reduced activity temporarily. However, Cardinal resumed attacks, now using the DarkGate loader to access potential victims’ systems. The shift in infection vectors indicates adaptation by cybercriminals in response to law enforcement actions.
The recent findings of Windows vulnerabilities exploited by the Cardinal group highlight ongoing security challenges. Despite timely patches and law enforcement efforts, cybercriminals continue to adapt and find new methods of attack. This underscores the importance of continuous monitoring and updating of security measures to counteract these evolving threats. The adaptability of groups like Cardinal and their use of zero-day vulnerabilities emphasize the need for organizations to remain vigilant and proactive in their cybersecurity strategies.