Pitchy Basta Ransomware May Have Exploited a Windows Zero-Day Bug
Cybercriminals associated with the Pitchy Basta ransomware may have exploited a recently disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service as a zero-day, according to new findings from Symantec.
The vulnerability in question is CVE-2024-26169 (CVSS score: 7.8), a privilege elevation flaw in the Windows Error Reporting Service that could be exploited to gain SYSTEM privileges. Microsoft patched it in March 2024.
“Examination of an exploit utility deployed in recent assaults uncovered indications that it could have been compiled before the patching, suggesting that at least one group might have been exploiting the vulnerability as a zero-day,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.
The financially motivated threat cluster is tracked by the company under the alias Cardinal; it is also known as Storm-1811 and UNC4393.
It is known for monetizing access by deploying the Pitchy Basta ransomware, typically using initial access obtained by other attackers (first QakBot and later DarkGate) to get into target environments.
More recently, the threat actor has been observed abusing legitimate Microsoft products such as Quick Assist and Microsoft Teams as attack vectors to reach users.
“The threat actor leverages Teams for sending messages and commencing calls in a bid to impersonate IT or help desk staff,” as per the statement from Microsoft. “This activity leads to Quick Assist misuse, followed by credential theft using EvilProxy, running of batch scripts, and utilization of SystemBC for persistence and command and control.”
Symantec said it observed the exploit tool being used in an attempted, but unsuccessful, ransomware attack.
The tool “exploits the fact that the Windows file werkernel.sys employs a null security descriptor while creating registry keys,” it explained.
“The exploit utilizes this to produce a ‘HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe’ registry key where it sets the ‘Debugger’ value as its own executable pathname. This enables the exploit to start a shell with administrative privileges.”
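The technique Symantec describes leaves a distinctive footprint: a `Debugger` value written under an Image File Execution Options (IFEO) subkey for `WerFault.exe`. The following detection logic, added here as an illustration and not taken from Symantec's report or any vendor rule, runs over a handful of constructed Sysmon-style registry "value set" records (Event ID 13) and flags IFEO `Debugger` writes. The log line format, the sample paths and the severity thresholds are all assumptions made for the example; real Sysmon output is XML and would be parsed differently.

```python
import re

# Constructed Sysmon-style "RegistryEvent (Value Set)" records, flattened to
# one line each for this example. These are NOT real telemetry.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\svchost.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe\Debugger "
    r"Details=C:\Users\Public\exploit.exe",
    r"EventID=13 Image=C:\Program Files\Debugger\devenv.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger "
    r"Details=C:\Windows\System32\vsjitdebugger.exe",
    r"EventID=13 Image=C:\Windows\regedit.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run\Updater "
    r"Details=C:\Users\alice\updater.exe",
    r"EventID=12 Image=C:\Windows\System32\svchost.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe",
]

# Assumed flat record layout: EventID, Image, TargetObject, optional Details.
EVENT_RE = re.compile(
    r"^EventID=(?P<id>\d+) Image=(?P<image>.+?) TargetObject=(?P<target>.+?)"
    r"(?: Details=(?P<details>.+))?$"
)
# Any value named "Debugger" directly under an IFEO per-executable subkey.
IFEO_DEBUGGER_RE = re.compile(
    r"\\Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$", re.IGNORECASE
)
# Debugger binaries living outside these roots are treated as suspicious.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")


def classify(exe: str, debugger: str) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one IFEO Debugger write."""
    reasons = []
    if exe.lower() == "werfault.exe":
        reasons.append("IFEO debugger set for WerFault.exe (matches the CVE-2024-26169 exploit pattern)")
    if not debugger.lower().startswith(TRUSTED_ROOTS):
        reasons.append("debugger path outside Windows/Program Files")
    # Legitimate developer tools (JIT debuggers) also use IFEO, so a write with
    # no aggravating factor is only "medium" and left for analyst review.
    return ("high" if reasons else "medium"), reasons


def detect_ifeo_debugger(lines: list[str]) -> list[dict]:
    """Scan flattened registry events and return findings for IFEO Debugger writes."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m.group("id") != "13":   # only value-set events carry data
            continue
        ifeo = IFEO_DEBUGGER_RE.search(m.group("target"))
        if not ifeo:
            continue
        debugger = m.group("details") or ""
        severity, reasons = classify(ifeo.group("exe"), debugger)
        findings.append({
            "target_exe": ifeo.group("exe"),
            "debugger": debugger,
            "writer": m.group("image"),
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in detect_ifeo_debugger(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["target_exe"], "->", f["debugger"], "|", "; ".join(f["reasons"]))
```

The same rule can be expressed in whatever query language the SIEM uses; the two points that matter are restricting it to value-set events and escalating only when the target is `WerFault.exe` or the debugger path is untrusted, because IFEO `Debugger` values are also set by legitimate development tools.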
Metadata analysis of the artifact indicates that it was compiled on February 27, 2024, several weeks before Microsoft fixed the vulnerability, while another sample found on VirusTotal was compiled on December 18, 2023.
Although attackers often alter the timestamps of files and directories on a compromised system to conceal their activity or hinder investigations (a practice known as timestomping), Symantec pointed out that there is little reason to suspect that here.
The development comes amid the emergence of a new ransomware family dubbed DORRA, a variant of the Makop malware family, as ransomware attacks continue a resurgence of sorts after a decline in 2022.
According to Google-owned Mandiant, the ransomware surge was reflected in a 75% increase in postings on data leak sites, with over $1.1 billion paid to attackers in 2023, up from $567 million in 2022 and $983 million in 2021.
“This indicates that the minor decrease in extortion activities noticed in 2022 was an anomaly, likely due to influencers such as the invasion of Ukraine and the leaked Conti chats,” the entity stated.
“The ongoing increase in extortion activities is probably driven by multiple factors, including the reestablishment of the cybercriminal ecosystem following a turbulent 2022, new entrants, and new collaborations and ransomware service offerings by actors previously linked with prominent groups that had been disrupted.”