Submitted URL: http://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day
Effective URL: https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day
Submission: On June 18 via api from DE — Scanned from DE
Threat Hunter Team, Symantec
Posted: 12 Jun, 2024 | 3 Min Read | Threat Intelligence

RANSOMWARE ATTACKERS MAY HAVE USED PRIVILEGE ESCALATION VULNERABILITY AS ZERO-DAY

Some evidence suggests that attackers linked to Black Basta compiled the CVE-2024-26169 exploit prior to patching.

The Cardinal cybercrime group (aka Storm-1811, UNC4393), which operates the Black Basta ransomware, may have been exploiting a recently patched Windows privilege escalation vulnerability as a zero-day. The vulnerability (CVE-2024-26169) occurs in the Windows Error Reporting Service. If exploited on affected systems, it can permit an attacker to elevate their privileges.

The vulnerability was patched on March 12, 2024, and, at the time, Microsoft said there was no evidence of its exploitation in the wild. However, analysis of an exploit tool deployed in recent attacks revealed evidence that it could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day.

BLACK BASTA LINK

The exploit tool was deployed in a recent attempted ransomware attack investigated by Symantec's Threat Hunter Team. Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity. These included the use of batch scripts masquerading as software updates. Although no payload was deployed, the similarities in TTPs make it highly likely that this was a failed Black Basta attack.
EXPLOIT TOOL

Analysis of the exploit tool revealed that it takes advantage of the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys. Because the parent key has a "Creator Owner" access control entry (ACE) for subkeys, all subkeys will be owned by the user of the current process. The exploit takes advantage of this to create a "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe" registry key, where it sets the "Debugger" value to its own executable pathname. This allows the exploit to start a shell with administrative privileges.

The variant of the tool used in this attack (SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63) had a compilation time stamp of February 27, 2024, several weeks before the vulnerability was patched. A second variant of the tool discovered on VirusTotal (SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0) had an earlier compilation time stamp of December 18, 2023.

Time stamp values in portable executables are modifiable, which means that a time stamp is not conclusive evidence that the attackers were using the exploit as a zero-day. However, in this case there appears to be little motivation for the attackers to change the time stamp to an earlier date.

REVIVED THREAT

Cardinal introduced Black Basta in April 2022 and, from its inception, the ransomware was closely associated with the Qakbot botnet, which appeared to be its primary infection vector. Qakbot was one of the world's most prolific malware distribution botnets until it was taken down following law enforcement action in August 2023. However, while the takedown led to a dip in Black Basta activity, Cardinal has since resumed attacks and now appears to have switched to working with the operators of the DarkGate loader to obtain access to potential victims.
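The registry technique described under EXPLOIT TOOL above leaves a concrete trace: a "Debugger" value written under Image File Execution Options. As an added defensive example (not code from the Symantec post), the following Python flags such writes in registry value-set telemetry, rating a WerFault.exe target highest; the field names mirror Sysmon Event ID 13 (TargetObject, Details, Image), and the allow-list and all sample events are constructed.

```python
# Added example (not from the Symantec post): flag IFEO "Debugger" values in registry
# value-set telemetry. Fields mirror Sysmon Event ID 13 names; all sample events are constructed.
import re

IFEO_DEBUGGER = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\(?P<target>[^\\]+)\\Debugger$", re.IGNORECASE)
# Constructed allow-list: debuggers a developer workstation may legitimately register.
EXPECTED_DEBUGGERS = {"c:\\windows\\system32\\vsjitdebugger.exe"}

def debugger_exe(details: str) -> str:
    """Executable named by a Debugger value, honouring a quoted path with spaces."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return (d[1:end] if end > 0 else d[1:]).lower()
    return d.split()[0].lower() if d else ""

def evaluate(event: dict):
    """Return a finding for an IFEO Debugger write, or None if irrelevant/baseline."""
    if event.get("EventID") != 13:
        return None
    m = IFEO_DEBUGGER.match(event.get("TargetObject", ""))
    if not m:
        return None
    exe = debugger_exe(event.get("Details", ""))
    if exe in EXPECTED_DEBUGGERS:
        return None
    # Redirecting WerFault.exe is the pattern in the post (it yields an elevated
    # shell), so rate it highest; any other Debugger pointing outside the Windows
    # directory still merits review.
    target = m.group("target")
    severity = ("high" if target.lower() == "werfault.exe"
                else "medium" if not exe.startswith("c:\\windows\\") else "low")
    return {"target": target, "debugger": exe,
            "writer": event.get("Image", "?"), "severity": severity}

def scan(events: list) -> list:
    return [f for f in map(evaluate, events) if f is not None]

IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 13, "Image": r"C:\Users\dev\tools\build.exe",
     "TargetObject": IFEO + r"\WerFault.exe\Debugger", "Details": r"C:\Users\Public\update.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": IFEO + r"\notepad.exe\Debugger",
     "Details": r'"C:\Windows\System32\vsjitdebugger.exe" -p %ld -e %ld'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": IFEO + r"\WerFault.exe\GlobalFlag",
     "Details": "DWORD (0x00000200)"},
]
```

Running `scan(SAMPLE_EVENTS)` yields a single high-severity finding for the WerFault.exe write; the allow-listed debugger and the unrelated GlobalFlag value are ignored.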
PROTECTION/MITIGATION

For the latest protection updates, please visit the Symantec Protection Bulletin.

INDICATORS OF COMPROMISE

If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.

ABOUT THE AUTHOR

Threat Hunter Team, Symantec
The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.