Analysis Summary

The Black Basta ransomware operation is suspected of exploiting a high-severity Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day before a fix was released on March 12, 2024.

This flaw in the Windows Error Reporting Service allows attackers to elevate privileges to SYSTEM, making it a critical issue (CVSS score: 7.8). Despite Microsoft indicating no active exploitation on their vendor page, Researchers reported that the Cardinal cybercrime group (also known as Storm-1811 or UNC4394) actively exploited this vulnerability, linking the activity to Black Basta.

The investigation into an attempted ransomware attack revealed that the exploit tool for CVE-2024-26169 was deployed after an initial infection by the DarkGate loader which Black Basta has utilized since the QakBot takedown. The attackers used batch scripts posing as software updates to run malicious commands and establish persistence, a tactic commonly associated with Black Basta. The exploit tool took advantage of the werkernel.sys file's null security descriptor, allowing the creation of a registry key and setting the "Debugger" value to its executable pathname to launch a shell with SYSTEM privileges.

The investigation showed that one variant of the exploit tool had a compilation timestamp of February 27, 2024, and another dated December 18, 2023, indicating that Black Basta had a functioning exploit well before the patch release. While timestamps can be altered, researchers believe it unlikely in this case suggesting that Black Basta used the vulnerability as a zero-day. This operation is linked to the Conti cybercrime syndicate and has shown significant proficiency in leveraging Windows tools contributing to over 500 breaches since its inception in April 2022.

To mitigate the risks posed by Black Basta's exploitation of this vulnerability, it is crucial to apply the latest Windows security updates and adhere to the guidelines provided by CISA. Black Basta's activity highlights the importance of timely security updates and the continuous threat posed by sophisticated ransomware groups capable of significant financial impact, as evidenced by their reported $100 million in ransom payments.

Impact

• Sensitive Data Theft
• File Encryption
• Privilege Escalation
• Financial Loss

Indicators of Compromise

MD5

• f17918862a190afd4649b2a6b4a34b5c
• acaf01f83da439915027c3e2e900c8dd
• 1984cd0bf7b20c5bef58338f80e4e65e
• ff217dab57393592c6767de1c6a999eb

SHA-256

SHA1

• 4ea121b4b45bab1e17fae11c8cce30241f5f8a75
• 2861b4e463fa89e05f2d7d629fae5140cef49843
• b4b5963c62c07c2adcee093571afd0e9e765de3b
• cc580c52f4263803255d65dfb6ab208be7f4a534

Remediation

• Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Regularly update all software and systems to ensure vulnerabilities are patched promptly.
• Implement robust email filtering to block phishing attempts that may deliver initial infection loaders like DarkGate.
• Utilize advanced endpoint detection and response (EDR) tools to identify and block suspicious activities.
• Conduct regular security audits and vulnerability assessments to identify and mitigate potential security gaps.
• Employ least privilege principles, ensuring users and applications have the minimum necessary access rights.
• Enable multi-factor authentication (MFA) to add a layer of security to user accounts.
• Monitor network traffic for unusual activities that could indicate the presence of malware or unauthorized access.
• Educate employees on recognizing phishing emails and safe online practices to reduce the risk of initial infection.
• Establish and test incident response plans to ensure rapid containment and recovery in the event of ransomware.
• Never trust or open links and attachments received from unknown sources/senders.
• Implement multi-factor authentication to add an extra layer of security to login processes.