
Ransomware crew may have exploited Windows make-me-admin bug as a zero-day

Symantec suggests Black Basta crew beat Microsoft to the patch


The Black Basta ransomware gang may have exploited a now-patched Windows privilege escalation bug as a zero-day, according to Symantec's threat hunters.

Microsoft plugged the hole in the Windows Error Reporting Service in the March Patch Tuesday, and warned orgs that the vulnerability, tracked as CVE-2024-26169, could allow an attacker to elevate privileges to the all-powerful SYSTEM level during an attack. An intruder could use that flaw to go from compromising an individual user account to taking over the whole box as an administrator, for instance.

Also at the time, Redmond said there was no evidence that the flaw had been exploited prior to its Patch Tuesday fix. According to Symantec, however, that might not be the case.

In a Wednesday write-up, Symantec's threat intel team said its analysis of an exploit used by the Black Basta ransomware crew to compromise victims indicates that the malicious code may have been compiled before Microsoft issued the patch.

Which would mean "at least one group may have been exploiting the vulnerability as a zero-day" to achieve total control of targeted Windows machines.

This particular exploit was used in a recent attempted ransomware infection, we're told. And while that attack wasn't successful, Symantec noted similarities between that failed infection its team investigated and a Black Basta ransomware campaign Microsoft documented in May.

Redmond said the campaign it observed had been carried out by a cybercrime gang it tracks as Storm-1811 (others call the crew Cardinal or UNC4393) and that the crew's social engineering attacks – basically, tricking folks within organizations to grant the crooks access to systems to infect with ransomware – had been ongoing since mid-April. Storm-1811 abused Microsoft's Quick Assist application and used batch scripts disguised as software updates to deploy Black Basta ransomware within target IT environments. 

These particular tactics, according to Symantec, are "highly similar" to those its investigators observed in their own probe, making it "highly likely" what Team Symantec had observed "was a failed Black Basta attack."

The team's analysis of the exploit found it abuses the fact that Windows' werkernel.sys uses a null security descriptor when creating registry keys:

Because the parent key has a "Creator Owner" access control entry (ACE) for subkeys, all subkeys will be owned by users of the current process. The exploit takes advantage of this to create a "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe" registry key where it sets the "Debugger" value as its own executable pathname. This allows the exploit to start a shell with administrative privileges. 
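One way to check a Windows host for the artefact described above is to audit the Image File Execution Options (IFEO) tree for subkeys carrying a Debugger value and flag the WerFault.exe entry, or any IFEO subkey whose owner is not a built-in privileged principal (the ownership side-effect Symantec describes). The script below is an added example written for this article, not code from Symantec or Microsoft; the "trusted owner" list and the decision to treat every non-privileged owner as suspicious are assumptions made for the example, and it must be run from an elevated PowerShell session.

```powershell
# Added audit script (not from the article or Symantec): list IFEO subkeys that
# carry a Debugger value and flag the WerFault.exe entry or any key whose owner
# is not a built-in privileged principal. Run elevated. The trusted-owner list
# is an assumption chosen for this example; adjust it to your environment.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$trustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

function Get-IfeoDebuggerFindings {
    param([string]$Root = $ifeo)

    $findings = @()
    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        # Only keys with a Debugger value redirect process start; skip the rest.
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { continue }

        # Keys created by a non-privileged process end up owned by that user,
        # which is the condition the exploit relies on.
        $owner = (Get-Acl -Path $key.PSPath).Owner
        $reasons = @()
        if ($key.PSChildName -ieq 'WerFault.exe') {
            $reasons += 'Debugger set on WerFault.exe (the key abused by the CVE-2024-26169 exploit)'
        }
        if ($trustedOwners -notcontains $owner) {
            $reasons += "key owned by non-privileged principal '$owner'"
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Image    = $key.PSChildName
                Debugger = $debugger
                Owner    = $owner
                Reason   = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

# Usage: print a table of suspicious IFEO entries; an empty result means none found.
Get-IfeoDebuggerFindings | Format-Table -AutoSize
```

A Debugger value under IFEO is not malicious on its own, since some developer and monitoring tools legitimately set one, which is why the script reports the key owner alongside the debugger path: a Debugger entry for WerFault.exe, or an IFEO subkey owned by an ordinary user account, is what warrants a closer look.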

The Symantec crew also noted that the variant of the exploit was time-stamped February 27, and the vulnerability wasn't patched until nearly a month later. 

Additionally, a second variant of the exploit that turned up on Virustotal had an even earlier time stamp of December 18, 2023.

While Symantec admits this is not "conclusive evidence," because time stamps can be modified, "in this case there appears to be little motivation for the attackers to change the time stamp to an earlier date."

Microsoft did not immediately respond to The Register's inquiries about whether its malware hunters had seen anything to indicate that CVE-2024-26169 was exploited by this same group of miscreants as a zero-day. We will update this story if we receive a response. ®

