Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw

June 12, 2024 at 07:39AM

Symantec reports that threat actors using Black Basta ransomware exploited a privilege escalation flaw in Microsoft’s Windows Error Reporting Service, patched in March 2024, as a zero-day. Symantec’s observation points to attempts to exploit the vulnerability in an unsuccessful ransomware attack. The report also highlights the emergence of a new ransomware variant called DORRA amid a rise in ransomware attacks.

Key takeaways from the report:

– Symantec’s findings suggest that threat actors linked to the Black Basta ransomware exploited a recently disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service as a zero-day.
– The security flaw in question is CVE-2024-26169, which was patched by Microsoft in March 2024.
– Symantec’s Threat Hunter Team identified evidence of an exploit tool being deployed in recent attacks, potentially prior to the patching of the vulnerability, indicating exploitation as a zero-day.
– The financially motivated threat cluster known as Cardinal, also referred to as Storm-1811 and UNC4393, monetizes access by deploying the Black Basta ransomware, often leveraging initial access obtained by other attackers through malware such as QakBot and DarkGate.
– The threat actor has been observed using legitimate Microsoft products like Quick Assist and Microsoft Teams as attack vectors to infect users, with activities including impersonation of IT or help desk personnel, leading to credential theft, execution of batch scripts, and use of SystemBC for persistence and command and control.
– The exploit tool manipulates the Windows file werkernel.sys to create a registry key, allowing the exploit to start a shell with administrative privileges.
– Symantec observed the exploit tool being used as part of an attempted but unsuccessful ransomware attack.
– The emergence of a new ransomware family called DORRA, a variant of the Makop malware family, indicates a revival of ransomware attacks after a dip in 2022, with significant increases in extortion activity and payments to attackers in recent years.
