June 12, 2024 at 06:16PM
Symantec’s threat hunters suspect Black Basta ransomware gang exploited a Windows privilege escalation bug, CVE-2024-26169, before Microsoft’s patch. Symantec’s analysis suggests the ransomware could have been compiled pre-patch, allowing “at least one group” to exploit the vulnerability as a zero-day. The ransomware gang, tracked as Storm-1811, used social engineering attacks and malicious tactics.
Key Takeaways from Meeting Notes:
– Symantec’s threat hunters have reported that the Black Basta ransomware gang may have exploited a now-patched Windows privilege escalation bug as a zero-day.
– The vulnerability, tracked as CVE-2024-26169, could allow an attacker to elevate privileges to the all-powerful SYSTEM level during an attack, enabling them to take over the entire system as an administrator.
– Symantec’s analysis suggests that the malicious code used by the Black Basta crew may have been compiled before Microsoft issued the patch, indicating potential exploitation as a zero-day.
– Similarities were noted between a witnessed failed ransomware infection and a Black Basta ransomware campaign previously documented by Microsoft, implicating the cybercrime gang known as Storm-1811.
– Storm-1811 utilized social engineering tactics and abused Microsoft’s Quick Assist application to deploy Black Basta ransomware within target IT environments.
– Analysis of the exploit revealed abuse of the fact that Windows’ werkernel.sys uses a null security descriptor when creating registry keys.
– Two variants of the exploit were identified, with time stamps indicating potential exploitation before the patch was issued. The earlier time stamp suggests a possible exploit date of December 18, 2023.
– Microsoft is yet to respond to inquiries about whether its malware hunters had seen indications of CVE-2024-26169 being exploited by the same group as a zero-day.
Please let me know if you need further details or additional information.