June 12, 2024 at 08:10AM
The Black Basta ransomware operation exploited a Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day, before a fix was available. Microsoft patched it on March 12, 2024. Symantec's report links the exploit tool to Black Basta and presents evidence that it was in use before the patch shipped. The practical response is to apply the latest Windows security update, which closes this vulnerability.
Key Takeaways from the meeting notes:
1. Black Basta ransomware operation exploited Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day before a fix was made available.
2. The flaw is rated high severity (CVSS v3.1: 7.8) and allows a local attacker who already has code execution on the host to elevate privileges to SYSTEM.
3. Microsoft fixed the flaw on March 12, 2024, as part of its Patch Tuesday update; at the time of writing, the vendor's advisory does not list it as exploited in the wild.
4. Symantec's report indicates that the exploit tool was used by the Black Basta operators (the group Symantec tracks as Cardinal), most likely as a zero-day.
5. The exploit tool abuses the fact that the Windows driver werkernel.sys creates registry keys with a null security descriptor: it creates an Image File Execution Options key for WerFault.exe, points the Debugger value at its own executable, and thereby launches a shell with SYSTEM privileges.
6. Compilation timestamps on the exploit tool samples indicate that Black Basta had a working exploit 14 to 85 days before Microsoft pushed a fix. Compilation timestamps can be forged, so this is indicative rather than conclusive.
7. Black Basta has previously demonstrated expertise in abusing Windows tools and has been linked to high-volume cyber activity, with over $100 million in ransom payments reported.
8. To mitigate exploitation of this vulnerability, apply the latest Windows security update and follow the Black Basta guidance published by CISA.
These takeaways provide a clear summary of the key points discussed during the meeting regarding the Black Basta ransomware operation and the exploitation of CVE-2024-26169.
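The registry write described in takeaway 5 leaves a recognisable trace: a Debugger value being set under an Image File Execution Options (IFEO) key for WerFault.exe. The following detection logic is an added example written for this page; it is not code from Symantec, Microsoft or Black Basta. It runs over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records written as one "Field=value" line each; the field names (EventID, Image, TargetObject, Details) follow Sysmon's schema, but every path, process name and value is made up. It flags the WerFault.exe pattern as critical and, going beyond the page's specific case, any other IFEO Debugger value as high, since the same hijack works against other images.

```python
"""Flag IFEO Debugger hijacks (including the WerFault.exe pattern) in Sysmon registry events.

Added example for this page; field names follow Sysmon's Event ID 13 schema,
sample values are constructed and not real telemetry.
"""
import re
from typing import Optional

# Registry path fragment that marks an IFEO key (matched case-insensitively).
IFEO_MARKER = "\\Image File Execution Options\\"

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, one per line.
SAMPLE_EVENTS = [
    # Pattern matching the exploit described: WerFault.exe Debugger pointed at the tool itself.
    "EventID=13 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\WerFault.exe\\Debugger "
    "Details=C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
    # Ordinary Run-key persistence: not an IFEO hijack, must not be flagged by this rule.
    "EventID=13 Image=C:\\Windows\\System32\\msiexec.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater "
    "Details=C:\\Program Files\\Vendor\\updater.exe",
    # IFEO GlobalFlag on the same key: a legitimate debugging setting, not the Debugger value.
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\WerFault.exe\\GlobalFlag "
    "Details=DWORD (0x00000002)",
    # Debugger hijack of a different image: still worth review, lower severity.
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\Debugger "
    "Details=C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\vsjitdebugger.exe",
]

# Split only on a space that is immediately followed by "Name=", so values containing
# spaces ("Windows NT", "Image File Execution Options") stay intact.
_FIELD_SPLIT = re.compile(r" (?=[A-Za-z]+=)")


def parse_event(line: str) -> dict:
    """Parse one constructed 'Field=value Field=value' record into a dict."""
    return dict(part.split("=", 1) for part in _FIELD_SPLIT.split(line.strip()))


def ifeo_debugger_target(target_object: str) -> Optional[str]:
    """Return the hijacked image name if target_object is an IFEO <image>\\Debugger value, else None."""
    lowered = target_object.lower()
    idx = lowered.find(IFEO_MARKER.lower())
    if idx == -1 or not lowered.endswith("\\debugger"):
        return None
    # Everything after the marker is "<image>\<...>\Debugger"; the first component is the image.
    parts = target_object[idx + len(IFEO_MARKER):].split("\\")
    if len(parts) < 2 or not parts[0]:
        return None
    return parts[0]


def analyze(lines) -> list:
    """Return one finding per IFEO Debugger write; WerFault.exe is rated critical, others high."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "13":
            continue
        image = ifeo_debugger_target(event.get("TargetObject", ""))
        if image is None:
            continue
        severity = "critical" if image.lower() == "werfault.exe" else "high"
        findings.append({
            "image": image,                      # process whose launch is being hijacked
            "severity": severity,
            "debugger": event.get("Details", ""),  # what will actually run instead
            "writer": event.get("Image", ""),      # process that wrote the value
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] IFEO Debugger set for {f['image']} -> {f['debugger']} (written by {f['writer']})")
```

On a real estate the same logic can be fed from a SIEM query on Sysmon Event ID 13 (or Windows Security event 4657 with registry auditing enabled); the GlobalFlag case is included because it shares the WerFault.exe key and would be a false positive for a rule that matched only on the key path rather than on the Debugger value.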