Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw

June 12, 2024 | Editorial | Ransomware / Endpoint Security


Threat actors linked to the Black Basta ransomware may have exploited a recently disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service as a zero-day, according to new findings from Symantec.

The vulnerability in question is CVE-2024-26169 (CVSS score: 7.8), an elevation of privilege bug in the Windows Error Reporting Service that could be abused to gain SYSTEM privileges. Microsoft patched it in March 2024.

“Investigation into an exploitation tool used in recent assaults revealed indications that it might have been compiled before the patch, indicating that at least one group could have been exploiting the bug as a zero-day vulnerability,” the Symantec Threat Hunter Team, a division of Broadcom, said in a report shared with The Hacker News.

The financially motivated threat actor is tracked by the company under the name Cardinal, which is also known as Storm-1811 and UNC4393.


It is known to monetize access by deploying the Black Basta ransomware, typically relying on initial access obtained by other threat actors – first QakBot and then DarkGate – to infiltrate target environments.

In recent months, the group has been observed using legitimate Microsoft tools such as Quick Assist and Microsoft Teams as avenues for attacking users.

“The malicious group makes use of Teams to dispatch messages and begin calls in an effort to mimic IT or help desk personnel,” Microsoft stated. “This endeavor leads to Quick Assist misuse, followed by credential theft using EvilProxy, running of batch scripts, and usage of SystemBC for continuity and command and control.”

Symantec said it observed the exploitation tool being used in an unsuccessful ransomware attempt.

The tool “leverages the fact that the Windows file werkernel.sys employs a null security descriptor when establishing registry keys,” it explained.

“The exploit capitalizes on this aspect to set up a ‘HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe’ registry key where it designates the ‘Debugger’ value as its own executable path. This empowers the exploit to commence a shell with administrator privileges.”
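The registry write described in the quote above is a generic Image File Execution Options (IFEO) Debugger hijack, and it leaves a well-defined footprint in registry telemetry. The following is an added example, not Symantec's or the article's code: a Python check that runs over constructed Sysmon-style Event ID 13 (registry value set) records and flags any Debugger value written under the IFEO key that points outside an assumed allowlist of legitimate debugger locations. It also notes when the debugger path is the writing process itself, which is the self-referencing pattern the exploit tool uses. The field names, sample records and allowlist prefixes are assumptions made for this example.

```python
"""Detect Image File Execution Options (IFEO) Debugger hijacks in
Sysmon-style registry value-set records (Event ID 13).

Added example, not code from Symantec or the article. Sample records and
the allowlist of trusted debugger locations are constructed for this
example and are assumptions, not authoritative data.
"""
import re
from dataclasses import dataclass

# Sysmon reports the hive as HKLM and the value name as the last path element.
IFEO_DEBUGGER_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\(?P<target>[^\\]+)\\Debugger$",
    re.IGNORECASE,
)

# Debuggers that are legitimately registered through IFEO normally live
# under the Windows or Visual Studio install trees. Assumption: this is an
# illustrative allowlist; tune it to the estate being monitored.
TRUSTED_DEBUGGER_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\microsoft visual studio\\",
    "c:\\program files (x86)\\microsoft visual studio\\",
)


@dataclass
class Finding:
    record_id: str
    hijacked_image: str     # the image whose launch is being redirected
    debugger_path: str      # what will actually run in its place
    writer: str             # process that wrote the value
    self_referential: bool  # debugger == writer, as in the exploit tool


def _exe_from_command(cmd: str) -> str:
    """Return the executable from a Debugger value, which may carry arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def detect_ifeo_hijack(events):
    """Return a Finding for every IFEO Debugger write that points outside the allowlist."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:  # only registry value-set events
            continue
        match = IFEO_DEBUGGER_RE.match(ev.get("TargetObject", ""))
        if not match:
            continue
        debugger = _exe_from_command(ev.get("Details", "")).lower()
        if debugger.startswith(TRUSTED_DEBUGGER_PREFIXES):
            continue
        writer = ev.get("Image", "").lower()
        findings.append(Finding(
            record_id=ev["RecordId"],
            hijacked_image=match.group("target"),
            debugger_path=debugger,
            writer=writer,
            self_referential=(debugger == writer),
        ))
    return findings


# Constructed Sysmon-like records (not real telemetry). Record 1 mirrors the
# behaviour the article describes: a user-writable binary registering itself
# as the debugger for WerFault.exe.
SAMPLE_EVENTS = [
    {"RecordId": "1", "EventID": 13,
     "Image": r"C:\Users\Public\wer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe\Debugger",
     "Details": r"C:\Users\Public\wer.exe"},
    {"RecordId": "2", "EventID": 13,
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\app.exe\Debugger",
     "Details": r'"C:\Program Files (x86)\Microsoft Visual Studio\Shared\VSJitDebugger\vsjitdebugger.exe" -p %ld'},
    {"RecordId": "3", "EventID": 13,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"RecordId": "4", "EventID": 1,
     "Image": r"C:\Users\Public\wer.exe", "TargetObject": "", "Details": ""},
]

if __name__ == "__main__":
    for finding in detect_ifeo_hijack(SAMPLE_EVENTS):
        print(finding)
```

Only record 1 is reported: the Visual Studio just-in-time debugger in record 2 is allowlisted, record 3 is an unrelated Run key, and record 4 is not a registry event. In a real deployment the same logic belongs in a SIEM rule keyed on the IFEO path, with the allowlist derived from the build and debugging tooling actually present on the fleet.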

Analysis of the artifact's metadata indicates that it was compiled on February 27, 2024, a few weeks before Microsoft patched the flaw, while another sample uploaded to VirusTotal carried a compilation timestamp of December 18, 2023.

Although threat actors often alter the timestamps of files and folders on a compromised system to cover their tracks or hinder investigations – a technique known as timestomping – Symantec noted that there are likely very few reasons to do so in this case.
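The "compiled on" dates Symantec cites come from the TimeDateStamp field of the PE file's COFF header, which is part of the binary itself rather than a filesystem attribute, so the NTFS timestomping mentioned above does not touch it (a linker or post-build tool can still write an arbitrary value there). As an added example, not Symantec's tooling, the Python below parses that field from a PE image and compares it with the patch release date. The header-only sample binaries are constructed in-memory to carry the two dates the article reports, with an arbitrary time of day, and the 12 March 2024 patch date is an assumption taken from Microsoft's March 2024 Patch Tuesday.

```python
"""Read a PE file's compile timestamp (IMAGE_FILE_HEADER.TimeDateStamp) and
compare it with the date the fix for CVE-2024-26169 shipped.

Added example, not Symantec's tooling. Sample PE headers are constructed
in-memory; they carry the dates the article reports and are not loadable
binaries. The patch date below is an assumption (March 2024 Patch Tuesday).
"""
import struct
from datetime import datetime, timezone

PATCH_RELEASED = datetime(2024, 3, 12, tzinfo=timezone.utc)  # assumed patch date

PE_SIGNATURE = b"PE\0\0"


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as an aware UTC datetime.

    Layout: DOS header at offset 0 ("MZ"), e_lfanew at 0x3C points at the
    PE signature; IMAGE_FILE_HEADER follows immediately:
    Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def compiled_before_patch(data: bytes) -> bool:
    """True if the binary claims to have been linked before the fix shipped.

    Caveat: TimeDateStamp is written by the linker and can be set to anything
    (reproducible builds store a hash here), so treat this as an indicator,
    not proof.
    """
    return pe_timestamp(data) < PATCH_RELEASED


def build_minimal_pe(linked_at: datetime) -> bytes:
    """Construct a header-only PE image carrying the given timestamp (sample input)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,                      # Machine: AMD64
        1,                           # NumberOfSections
        int(linked_at.timestamp()),  # TimeDateStamp
        0, 0,                        # PointerToSymbolTable, NumberOfSymbols
        0xF0,                        # SizeOfOptionalHeader (PE32+)
        0x22,                        # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    return bytes(dos) + PE_SIGNATURE + coff


# Constructed samples: the two compile dates the article reports, plus a
# post-patch control.
SAMPLE_FEB_2024 = build_minimal_pe(datetime(2024, 2, 27, tzinfo=timezone.utc))
SAMPLE_DEC_2023 = build_minimal_pe(datetime(2023, 12, 18, tzinfo=timezone.utc))
SAMPLE_POST_PATCH = build_minimal_pe(datetime(2024, 4, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, blob in [("feb", SAMPLE_FEB_2024), ("dec", SAMPLE_DEC_2023), ("post", SAMPLE_POST_PATCH)]:
        verdict = "pre-patch" if compiled_before_patch(blob) else "post-patch"
        print(name, pe_timestamp(blob).isoformat(), verdict)
```

Run against a real sample, `pe_timestamp(open(path, "rb").read())` gives the same value tools such as `dumpbin /headers` report as "time date stamp". Because the field is trivially forgeable, a pre-patch value is corroborating evidence for zero-day use only when, as Symantec argues here, the actor had no motive to backdate it.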


The development coincides with the emergence of a new ransomware strain dubbed DORRA, a variant of the Makop malware family, as ransomware attacks continue to rebound after a dip in 2022.

According to Google-owned Mandiant, the ransomware crisis saw a 75% increase in posts on data leak sites, with more than $1.1 billion paid to attackers in 2023, up from $567 million in 2022 and $983 million in 2021.

“This demonstrates that the minor decline in extortion activities noticed in 2022 was an anomaly, potentially due to events such as the Ukrainian conflict and the leaked Conti messages,” the company said.

“The current uptick in extortion activities is likely fueled by multiple factors, including the reestablishment of the cybercriminal ecosystem after a turbulent 2022, fresh players, and new alliances and ransomware services provided by groups previously linked with prominent entities that had been disbanded.”
