Saturday, November 23, 2024

The Black Basta ransomware group could be leveraging a Microsoft zero-day vulnerability

Users have been warned that a vulnerability in the Microsoft Windows Error Reporting Service, known as CVE-2024-26169, was exploited as a zero-day by the Black Basta ransomware gang before being patched in the March 2024 Patch Tuesday update. Despite being rated as Important in severity and assigned a CVSS base score of 7.8, the vulnerability went relatively unnoticed at the time. However, Symantec’s Threat Hunter team has identified and analyzed an exploit tool for CVE-2024-26169 that was used in recent attacks prior to the patch being implemented, retroactively classifying the vulnerability as a zero-day.

The exploit tool takes advantage of a specific file, werkernel.sys, and a registry key vulnerability to elevate privileges and create a shell with admin rights. Two variants of the tool were discovered, compiled on 18 December 2023 and 27 February 2024. Despite the possibility of time stamp values being altered, Symantec believes that the Black Basta gang is behind the exploit given their history of attacks.

Experts emphasize the importance of promptly addressing vulnerabilities to avoid exploitation by cyber criminals. Kevin Robertson, COO at Acumen, highlighted the necessity for software vendors to continuously search for and fix vulnerabilities to protect customers from serious risks. Organizations are urged to prioritize patching CVE-2024-26169 to prevent potential compromises by threat actors like Black Basta.