Black Basta May Have Taken Advantage of Windows Zero-Day Vulnerability


Recent investigations by Symantec suggest that threat actors associated with the Black Basta ransomware may have capitalized on a newly disclosed zero-day vulnerability in the Microsoft Windows Error Reporting Service.

The flaw, tracked as CVE-2024-26169 (CVSS score 7.8), is an elevation-of-privilege vulnerability in the Windows Error Reporting Service: a successful exploit gives the attacker SYSTEM-level privileges on the host. Microsoft patched it in March 2024, but Symantec's evidence suggests that at least one group was exploiting it as a zero-day before the patch was released.

The group, tracked as Cardinal, Storm-1811, or UNC4393, is financially motivated. It deploys the Black Basta ransomware, typically after obtaining initial access through other actors' malware such as QakBot or DarkGate. Recent operations have also abused legitimate Microsoft tools, including Quick Assist and Microsoft Teams, to get into target environments.

Exploiting Legitimate Software for Malicious Ends

Over Microsoft Teams, the attackers impersonate IT or help desk staff, calling and messaging users to talk them into launching Quick Assist and granting a remote session. Once they control the machine through that remote assistance session, they steal credentials with EvilProxy, an adversary-in-the-middle phishing kit that intercepts login information, run malicious batch scripts to extend their access, and finally establish persistence and command and control through SystemBC.

Insights from Symantec

Symantec observed the exploit tool being used during an attempted ransomware attack that was ultimately unsuccessful. The tool abuses the fact that the Windows driver werkernel.sys creates registry keys with a null security descriptor, so a low-privileged user can create a key that should have been protected. The exploit uses this to create an Image File Execution Options key for WerFault.exe and set its Debugger value to the exploit's own executable, which is then launched with administrative privileges. Compile timestamps in the tool's metadata predate Microsoft's patch; such timestamps can be altered, but taken at face value they indicate the tool was built while the flaw was still a zero-day.
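As an added defensive check (example code written for this page, not Symantec's or the attackers' tooling), the following PowerShell sweeps the Image File Execution Options tree for the artifact Symantec describes: a Debugger value under the WerFault.exe key, plus any IFEO key whose ACL lets a low-privileged principal write to it, which is what a key created with a null security descriptor looks like after the fact. Assumptions: it runs elevated on the host under review, and the trusted-path roots, principal list and severity labels are choices made for this example rather than anything from the report.

```powershell
# Added hunt script for the IFEO abuse described above. Example code written for this page,
# not Symantec's tooling or the attackers' exploit. Assumptions: run with local administrator
# rights on the host under review; the artifact looks as reported (a Debugger value under
# ...\Image File Execution Options\WerFault.exe); trusted roots and severities are our own.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Principals that should never hold write rights on an IFEO key. A key created with a null
# security descriptor is writable by everyone, which is the condition the exploit relies on.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey'

function Get-DebuggerExe([string]$Value) {
    # Debugger values may be quoted and may carry arguments; return only the executable path.
    if ($Value -match '^"([^"]+)"') { return $Matches[1] }
    return ($Value.Trim() -split '\s+')[0]
}

function Test-TrustedPath([string]$Path) {
    # Legitimate debuggers normally live under the Windows or Program Files trees (assumption).
    $roots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:ProgramFiles, ${env:ProgramFiles(x86)})
    foreach ($root in $roots) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($key in Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue) {
    $target   = $key.PSChildName
    $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger

    # Check 1: can a low-privileged principal write to this key (weak or null DACL)?
    $weakAces = @()
    try {
        $weakAces = @((Get-Acl -Path $key.PSPath).Access | Where-Object {
            ($_.AccessControlType -eq 'Allow') -and
            ($lowPrivPrincipals -contains $_.IdentityReference.Value) -and
            ([int]($_.RegistryRights -band $writeRights) -ne 0)
        })
    } catch { <# unreadable ACL: leave $weakAces empty rather than abort the sweep #> }

    if (-not $debugger -and $weakAces.Count -eq 0) { continue }

    # Check 2: classify the Debugger value. WerFault.exe with any Debugger set matches the
    # reported exploit; other targets are ranked by where the debugger binary lives.
    $severity = 'INFO'
    if ($debugger) {
        if ($target -ieq 'WerFault.exe') { $severity = 'HIGH' }
        elseif (-not (Test-TrustedPath (Get-DebuggerExe $debugger))) { $severity = 'MEDIUM' }
    }
    if ($weakAces.Count -gt 0 -and $severity -eq 'INFO') { $severity = 'MEDIUM' }

    [pscustomobject]@{
        Severity = $severity
        Target   = $target
        Debugger = $debugger
        WeakAcl  = ($weakAces | ForEach-Object { $_.IdentityReference.Value }) -join '; '
    }
}

if (-not $findings) {
    'No IFEO Debugger values or low-privilege-writable IFEO keys found.'
} else {
    $rank = @{ HIGH = 0; MEDIUM = 1; INFO = 2 }
    $findings | Sort-Object { $rank[$_.Severity] } | Format-Table -AutoSize
}
```

Run it elevated during an incident review, or through your EDR's live-response console. A Debugger entry on WerFault.exe is not malicious on its own (developers occasionally set one), but in the sample Symantec analysed it pointed at the exploit's own executable, so the path in the Debugger column is what to examine. Installing the March 2024 update stops a standard user from creating the key, but it does not by itself remove a key an attacker created earlier, which is why the sweep is worth running on patched hosts too.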

Separately, a new ransomware variant named DORRA, a member of the Makop malware family, has surfaced. It arrives amid a broader resurgence in ransomware activity: data leak site posts tracked by Google-owned Mandiant show a rebound after a slight dip in 2022, and the figures also reflect a substantial increase in ransom payments.

Mandiant attributes the resurgence to various factors, including the stabilization of the cybercriminal landscape post-2022 disruptions, the entry of new threat actors, and the introduction of new partnerships and ransomware services by previously established groups.
