Ransomware Group ‘Black Basta’ Linked to Zero-Day Attacks on Windows



A zero-day vulnerability in Windows has recently come to light, targeted by the notorious Black Basta ransomware group. This vulnerability, identified as CVE-2024-26169, was exploited by attackers to escalate privileges on compromised systems before Microsoft could release a patch. 

Understanding the Zero-Day Flaw and its Exploitation

The vulnerability affects the Windows Error Reporting Service and poses a significant threat with a severity rating of 7.8. It allows malicious actors to gain SYSTEM privileges, providing them with comprehensive control over the affected system. 

Microsoft responded to this critical issue on March 12, 2024, with an update as part of their Patch Tuesday initiative. Despite no immediate reports of active exploitation at the time of the update, subsequent insights from cybersecurity experts indicated that the flaw was indeed exploited as a zero-day.

How Black Basta Exploited the Vulnerability

Symantec’s investigation uncovered an attempted ransomware attack that used an exploit tool for CVE-2024-26169 after an initial infection by the DarkGate loader, a method favored by Black Basta since the QakBot takedown.

The attackers then deployed batch scripts disguised as software updates, a technique frequently used by Black Basta. These scripts execute malicious commands and establish persistence on the targeted systems.

The exploit tool specifically took advantage of a vulnerability in how the werkernel.sys file manages security descriptors, allowing unauthorized changes to the system’s registry. 

By creating a registry key at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and altering the “Debugger” value to its own executable, the tool allowed attackers to launch a shell with SYSTEM privileges, granting them full control over the system.
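As an added illustration of how a defender can spot the registry change described above (example code written for this page, not from the article or from Symantec's research): it scans constructed Sysmon Event ID 13 "registry value set" records, flattened into an assumed field=value form, for any Debugger value written under an image's IFEO key, and ranks WerFault.exe highest because the Windows Error Reporting service launches it as SYSTEM.

```python
from dataclasses import dataclass

# IFEO root named in the article. A Debugger value under <image>\ makes Windows
# launch that "debugger" in place of the image; for WerFault.exe the launcher is
# the Windows Error Reporting service, which runs as SYSTEM.
IFEO_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SYSTEM_LAUNCHED = {"werfault.exe"}  # images started by a SYSTEM-level service

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records in a flattened
# field=value form; the writer paths and file names are invented for this demo.
SAMPLE_EVENTS = r"""
EventID=13|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\UseFilter|Details=DWORD (0x00000001)
EventID=13|Image=C:\Users\Public\update.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe\Debugger|Details=C:\Users\Public\update.exe
EventID=13|Image=C:\Windows\regedit.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate|Details=DWORD (0x00000000)
"""

@dataclass
class Finding:
    image_name: str        # executable whose IFEO subkey received a Debugger value
    debugger: str          # path written into the Debugger value
    writer: str            # process that performed the registry write
    system_launched: bool  # True when a SYSTEM service starts this image

def parse_event(line: str) -> dict:
    """Split one flattened record into a field dictionary."""
    return dict(part.split("=", 1) for part in line.split("|"))

def find_ifeo_debugger_writes(events: str) -> list[Finding]:
    """Return every Sysmon 13 record that sets an IFEO Debugger value."""
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        target = ev.get("TargetObject", "")
        if not target.lower().startswith(IFEO_ROOT.lower()):
            continue
        # Expect exactly "<image>\Debugger" below the IFEO root
        parts = target[len(IFEO_ROOT):].strip("\\").split("\\")
        if len(parts) != 2 or parts[1].lower() != "debugger":
            continue
        image = parts[0]
        findings.append(Finding(image, ev.get("Details", ""), ev.get("Image", ""),
                                image.lower() in SYSTEM_LAUNCHED))
    return findings

if __name__ == "__main__":
    for f in find_ifeo_debugger_writes(SAMPLE_EVENTS):
        level = "HIGH" if f.system_launched else "MEDIUM"
        print(f"[{level}] {f.image_name} Debugger -> {f.debugger} (written by {f.writer})")
```

On a real host the same logic applies to Sysmon's XML event data or to a periodic registry audit of the IFEO key; any Debugger value that is not a known debugger installed on purpose warrants a look.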

The timestamps on the exploit tool variants – one dated February 27, 2024, and another even earlier, December 18, 2023 – suggest that the exploit was prepared and potentially used up to 85 days before Microsoft patched the vulnerability.

How to Stay Safe

Keeping your system safe from the tactics of groups such as Black Basta requires prompt action. The most effective step is to install the latest security updates from Windows as soon as they become available. Plus, following CISA’s guidelines can help you strengthen your defenses and ensure your system is less vulnerable to such advanced threats.


Author: Anas Hasan

Date: June 13, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
