Windows Error Reporting: A Useful Feature or a Hidden Hole for Hackers

Tomcat

Experts believe that CVE-2024-26169 could have been exploited for a long time as a 0day vulnerability.

Symantec researchers have found that attackers associated with the Black Basta ransomware were likely exploiting a newly discovered vulnerability in the Windows Error Reporting (WER) service to gain elevated system privileges. This vulnerability, known as CVE-2024-26169, was patched by Microsoft in March 2024.

CVE-2024-26169 is a privilege escalation vulnerability with a CVSS score of 7.8. It allows attackers to gain system administrator rights. Analysis of the exploit tool used in recent attacks showed that it may have been compiled before the vulnerability was patched, indicating that it was used as a zero-day vulnerability.

Symantec is tracking this financially motivated group called Cardinal, also known as Storm-1811 and UNC4393. These attackers use Black Basta to monetize access to systems, often gaining initial access through QakBot and DarkGate.

In recent months, the group has been using legitimate Microsoft products such as Quick Assist and Teams to attack users. According to Microsoft, attackers are sending messages and calls through Teams pretending to be IT staff, leading to the misuse of Quick Assist, credential theft using EvilProxy, and using SystemBC to provide persistent access and command control.

Symantec also said it observed the tool being used in a failed ransomware attack attempt. The exploit relies on the "werkernel.sys" file, which creates registry keys with a null security descriptor. This allows an attacker to create a registry key that starts a command shell with administrative rights.
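As an added, defender-side illustration (not code from the article, Symantec or Microsoft): a PowerShell audit that flags registry keys whose DACL is null, or that grant write rights to low-privilege principals, which is the weak-permission condition the article attributes to werkernel.sys. The key path in $KeysToAudit is an assumption, since the article names no key; run it elevated on the keys you want checked.

```powershell
# Added defensive check; the article does not name the affected key, so the
# path below is an assumed example. Replace it with the keys you want audited.
$KeysToAudit = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
)

# Low-privilege principals whose write access to an HKLM key is suspicious:
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

# Rights that let a caller change the key's contents, its children or its ACL
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Test-RegistryKeyDacl {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $acl = Get-Acl -Path $Path -ErrorAction Stop

    # A null DACL (as opposed to an empty one) grants everyone full control.
    # RawSecurityDescriptor exposes it directly as a null DiscretionaryAcl.
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($acl.Sddl)
    if ($null -eq $raw.DiscretionaryAcl) {
        $findings += 'NULL DACL (unrestricted access)'
    }

    # Flag Allow ACEs that hand write-class rights to broad principals
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account; skip rather than misreport
        if ($BroadSids -contains $sid -and (($ace.RegistryRights -band $WriteMask) -ne 0)) {
            $findings += "$($ace.IdentityReference) has $($ace.RegistryRights)"
        }
    }
    [pscustomobject]@{ Path = $Path; Findings = $findings }
}

foreach ($key in $KeysToAudit) {
    $result = Test-RegistryKeyDacl -Path $key
    if ($result.Findings.Count -eq 0) { "OK   $($result.Path)" }
    else { "WEAK $($result.Path): $($result.Findings -join '; ')" }
}
```

A "WEAK" line does not by itself prove exploitation; it identifies a key whose permissions should be compared against a patched baseline and, if needed, tightened.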

Metadata for the Black Basta instance in question shows that it was compiled on February 27, 2024, several weeks before the CVE-2024-26169 vulnerability was patched. Another sample found on VirusTotal even had a compilation mark dated December 18, 2023.

A Microsoft spokesperson confirmed that the issue was resolved in March and customers who installed the fix are protected. Proprietary security software includes tools to detect and protect against this malware.

The potential use of CVE-2024-26169 as a zero-day vulnerability and deployment of a Black Basta instance using it could have had catastrophic consequences. This would allow attackers to gain complete unauthorized access to critical systems and data, paralyzing the work of many organizations.

Fortunately, Microsoft's timely patch prevented major attacks, but the incident serves as a stark reminder of the growing importance of protecting against cyber threats.