Symantec reports Black Basta ransomware group suspected of exploiting zero-day in likely failed attack

Symantec researchers have detailed ransomware attacks by the Black Basta group, which may have utilized a privilege escalation vulnerability as a zero-day exploit. Evidence indicates that attackers associated with Black Basta compiled an exploit for CVE-2024-26169 before it was patched. The Cardinal cybercrime group, also known as Storm-1811 or UNC4393, which manages the Black Basta ransomware, is suspected of exploiting a newly patched Windows privilege escalation vulnerability as a zero-day.

“The exploit tool was deployed in a recent attempted ransomware attack investigated by Symantec’s Threat Hunter Team,” according to a blog post by Symantec Threat Hunter team. “Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity. These included the use of batch scripts masquerading as software updates.”

They added that although no payload was deployed, the similarities in TTPs make it highly likely it was a failed Black Basta attack.

In its June update, the Microsoft post added “at the end of May 2024, Microsoft Threat Intelligence observed Storm-1811 using Microsoft Teams as another vector to contact target users. Microsoft assesses that the threat actor uses Teams to send messages and initiate calls in an attempt to impersonate IT or help desk personnel. This activity leads to Quick Assist misuse, followed by credential theft using EvilProxy, execution of batch scripts, and use of SystemBC for persistence and command and control.”

Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted various businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta ransomware affiliates have impacted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.

The vulnerability (CVE-2024-26169) occurs in the Windows Error Reporting Service. If exploited on affected systems, it can permit an attacker to elevate their privileges. The vulnerability was patched on March 12, 2024, and, at the time, Microsoft said there was no evidence of its exploitation in the wild. However, analysis of an exploit tool deployed in recent attacks revealed evidence that it could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day.

Symantec detailed that Cardinal introduced Black Basta in April 2022 and from its inception, the ransomware was closely associated with the Qakbot botnet, which appeared to be its primary infection vector. 

Qakbot was one of the world’s most prolific malware distribution botnets until it was taken down following law enforcement action in August 2023. However, while the takedown led to a dip in Black Basta activity, Cardinal has since resumed attacks and now appears to have switched to working with the operators of the DarkGate loader to obtain access to potential victims.

The team also revealed that the exploit tool takes advantage of the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys. Because the parent key has a ‘Creator Owner’ access control entry (ACE) for subkeys, every subkey created beneath it is owned by the user of the creating process. The exploit takes advantage of this to create a registry key in which it sets the ‘Debugger’ value to its own executable pathname, which allows it to start a shell with administrative privileges. 
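A defender-side audit of the weakness pattern described above, added here as an example that is not from the article or from Symantec: it checks a parent key for an inheritable ‘CREATOR OWNER’ ACE and lists subkeys that are owned by a non-privileged principal and carry a ‘Debugger’ value. The parent key path is a placeholder and the list of privileged owners is an assumption; both should be adjusted for the environment being audited.

```powershell
# Added example (not from the article or Symantec): audit a registry parent key for the
# pattern described above: an inheritable CREATOR OWNER ACE on the parent, plus subkeys
# owned by an ordinary user that define a 'Debugger' value.
param(
    # Placeholder: the article does not name the parent key; substitute the key to audit.
    [string]$ParentKey = 'HKLM:\SOFTWARE\<parent key to audit>'
)

# Assumption: owners considered privileged; anything else is reported.
$privilegedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# 1. Does the parent key grant CREATOR OWNER rights that inherit down to new subkeys?
$parentAcl = Get-Acl -Path $ParentKey
$creatorOwnerAces = $parentAcl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'CREATOR OWNER' -and
    $_.InheritanceFlags -ne [System.Security.AccessControl.InheritanceFlags]::None
}
if ($creatorOwnerAces) {
    $rights = ($creatorOwnerAces | ForEach-Object { $_.RegistryRights }) -join ', '
    Write-Output "[!] $ParentKey has inheritable CREATOR OWNER ACE(s): $rights"
}

# 2. Report subkeys whose owner is not privileged and which also set a 'Debugger' value.
Get-ChildItem -Path $ParentKey | ForEach-Object {
    $owner = (Get-Acl -Path $_.PSPath).Owner
    $debugger = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($debugger -and ($privilegedOwners -notcontains $owner)) {
        [pscustomobject]@{
            SubKey   = $_.PSChildName
            Owner    = $owner
            Debugger = $debugger
        }
    }
}
```

Run it from an elevated PowerShell session so that Get-Acl can read owner information on every subkey; a subkey owned by a standard user that points ‘Debugger’ at an unexpected executable is worth investigating.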

They also disclosed that the variant of the tool used in this attack had a compilation timestamp of Feb. 27, 2024, several weeks before the vulnerability was patched. A second variant of the tool discovered on Virus Total had an earlier compilation timestamp of Dec. 18, 2023. 

“Timestamp values in portable executables are modifiable, which means that a timestamp is not conclusive evidence that the attackers were using the exploit as a zero-day,” according to Symantec. “However, in this case, there appears to be little motivation for the attackers to change the time stamp to an earlier date.”

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), published a joint Cybersecurity Advisory (CSA) addressing the Black Basta hacker group. The advisory provides cybersecurity defenders with tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) used by known Black Basta ransomware affiliates and identified through FBI investigations and third-party reporting.
