Cybercrime Group Exploits Windows Vulnerability

Highlights

  • Cardinal exploited Windows CVE-2024-26169 vulnerability as a zero-day.

  • Black Basta ransomware tactics align with recent attack methods.

  • Cardinal uses DarkGate loader after Qakbot takedown.

By Samantha Reed
Last updated: 12 June, 2024 - 3:15 pm

A cybercrime group known as Cardinal, also referred to as Storm-1811 and UNC4393, has been implicated in the exploitation of a Windows privilege escalation vulnerability. This vulnerability, identified as CVE-2024-26169, affects the Windows Error Reporting Service and could allow an attacker to elevate their privileges on affected systems. The vulnerability was patched by Microsoft on March 12, 2024, but evidence suggests that it may have been exploited as a zero-day by at least one group before the patch was released.


CVE-2024-26169 is a security flaw found in the Windows Error Reporting Service. If exploited, it allows an attacker to elevate their privileges on a system. This vulnerability was patched on March 12, 2024, with Microsoft initially indicating no known exploitation in the wild. However, further analysis revealed that an exploit tool compiled before the patch date was used, suggesting zero-day exploitation by malicious actors.

Black Basta Connection

The deployment of the exploit tool was linked to a recent attempted ransomware attack investigated by Symantec’s Threat Hunter Team. Although the attackers did not succeed in deploying a ransomware payload, the tactics employed closely matched those described in a Microsoft report on Black Basta ransomware activities. These tactics included using batch scripts disguised as software updates, pointing towards a likely failed Black Basta attack.

The exploit tool leveraged the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys. This characteristic allows the creation of subkeys with “Creator Owner” access control, making the current process user the owner of all subkeys. By creating a specific registry key and setting the “Debugger” value to its executable path, the exploit starts a shell with administrative privileges. Variants of the tool had compilation timestamps from February and December 2023, indicating potential zero-day exploitation.

Details of Exploit Tool

Further analysis revealed that the tool exploits the Windows file werkernel.sys, which uses a null security descriptor. This allows the attacker to create a registry key in which the “Debugger” value is set to the attacker’s executable path, granting administrative privileges. Two variants of the tool were found, with compilation timestamps suggesting they were built before the vulnerability was patched, although such timestamps can be altered and are therefore not conclusive on their own.

– The Windows Error Reporting Service vulnerability CVE-2024-26169 allows privilege escalation.
– Black Basta’s tactics included using batch scripts as software updates in attacks.
– Evidence suggests exploitation of the vulnerability before the March 2024 patch.
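The two passages above describe the same mechanism from the attacker's side: an unprivileged user ends up owning a registry subkey and writes a “Debugger” value that points at their own executable. The following Python script is an added example, not code from the article, from Symantec, or from the tool it describes; it shows the defender-side counterpart, a detection pass over constructed Sysmon-style “registry value set” (Event ID 13) records that flags exactly that combination: a value named “Debugger” whose data points at a binary in a user-writable directory, written under HKLM by an account that is not a privileged service account. The log layout, the key paths, the account names and the file paths are all constructed for this example; the article does not name the specific registry key involved, and the script deliberately keys on the value name rather than on any particular path.

```python
"""Detection-side check for the registry abuse pattern described above.

Parses constructed, Sysmon-style "registry value set" (Event ID 13) records
and flags writes of a value named "Debugger" whose data points at an
executable in a user-writable directory, especially when a machine-wide
(HKLM) key is written by an account that is not a privileged service
account. Log format, key paths, account names and file paths are all
constructed for this example; the article does not name the key involved.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Directories an ordinary user can normally write to. A "debugger" binary
# launched from one of these is the combination worth alerting on.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\|programdata\\|windows\\temp\\|temp\\)", re.IGNORECASE
)

# Accounts expected to write machine-wide keys (assumed allowlist).
PRIVILEGED_USERS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample records in a simple "Field: value | Field: value" layout.
SAMPLE_EVENTS = [
    # Benign: an installer running as SYSTEM registers a vendor debugger.
    "EventID: 13 | Image: C:\\Windows\\System32\\msiexec.exe"
    " | User: NT AUTHORITY\\SYSTEM"
    " | TargetObject: HKLM\\SOFTWARE\\ExampleVendor\\Tool\\Debugger"
    " | Details: C:\\Program Files\\ExampleVendor\\dbg.exe",
    # Suspicious: an unprivileged user writes a Debugger value under HKLM that
    # points back at a binary in their own Temp directory.
    "EventID: 13 | Image: C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
    " | User: CORP\\alice"
    " | TargetObject: HKLM\\SOFTWARE\\ExampleKey\\Sub\\Debugger"
    " | Details: C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    # Unrelated: a value that is not named Debugger is out of scope.
    "EventID: 13 | Image: C:\\Windows\\explorer.exe | User: CORP\\alice"
    " | TargetObject: HKCU\\Software\\Example\\Note | Details: hello",
]


@dataclass
class Finding:
    target: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_event(line: str) -> Dict[str, str]:
    """Split a record into a field dictionary (constructed log layout)."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a suspicious Debugger write, else None."""
    target = event.get("TargetObject", "")
    if target.rsplit("\\", 1)[-1].lower() != "debugger":
        return None
    finding = Finding(target)
    if USER_WRITABLE.search(event.get("Details", "")):
        finding.reasons.append("debugger path is in a user-writable directory")
    if target.upper().startswith("HKLM\\") and event.get("User") not in PRIVILEGED_USERS:
        finding.reasons.append("machine-wide key written by a non-privileged account")
    if USER_WRITABLE.search(event.get("Image", "")):
        finding.reasons.append("writing process itself runs from a user-writable directory")
    return finding if finding.reasons else None


def scan(lines: List[str]) -> List[Finding]:
    """Assess every record and keep only the ones with at least one reason."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[score {f.score}] {f.target}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run as-is, the script reports only the second record, with all three reasons. In a real pipeline the records would come from Sysmon or an EDR export rather than the constructed list, and the allowlist of privileged accounts and user-writable directories would be tuned to the environment; the point is that the owner-of-subkey trick described in the article produces a write that an unprivileged account has no business making to a machine-wide key, and that is what the rules key on.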

Cardinal, the group behind Black Basta ransomware, introduced it in April 2022. Initially linked with the Qakbot botnet, which was taken down in August 2023, Black Basta saw reduced activity temporarily. However, Cardinal resumed attacks, now using the DarkGate loader to access potential victims’ systems. The shift in infection vectors indicates adaptation by cybercriminals in response to law enforcement actions.

The recent findings of Windows vulnerabilities exploited by the Cardinal group highlight ongoing security challenges. Despite timely patches and law enforcement efforts, cybercriminals continue to adapt and find new methods of attack. This underscores the importance of continuous monitoring and prompt updating of security measures to counter these evolving threats. The adaptability of groups like Cardinal and their use of zero-day vulnerabilities emphasize the need for organizations to remain vigilant and proactive in their cybersecurity strategies.
