Black Basta ransomware crew may be exploiting Microsoft zero-day



A vulnerability in the Windows Error Reporting Service, which was identified and patched three months ago in the March 2024 Patch Tuesday update, appears to have been exploited as a zero-day by the Black Basta ransomware gang prior to being addressed, users have been warned.

The vulnerability drew little attention in March – it was rated as Important in its severity and assigned a CVSS base score of 7.8, and no public proofs of concept or exploits had been identified circulating. If left unaddressed, it enables an attacker to elevate their privileges, so could potentially form an element of a cyber ******* chain.

Yet, unbeknownst to Microsoft at the time, this does in fact appear to have happened. Symantec’s researchers say they have identified and analysed an exploit tool for CVE-2024-26169 deployed in recent attacks that appears to have been compiled prior to patching – retroactively changing the vulnerability’s status to that of a zero-day.

“Although the attackers did not succeed in deploying a ransomware payload in this *******, the tactics, techniques and procedures (TTPs) used were highly similar to those described in a recent report detailing Black Basta activity. These included the use of batch scripts masquerading as software updates,” the Threat Hunter Team said.

“Although no payload was deployed, the similarities in TTPs make it highly likely it was a ******* Black Basta *******.”

The exploit tool seems to rely on the fact that a specific file, werkernel.sys, uses a “null” security descriptor when it creates registry keys, and because the parent key has a “Creator Owner” access control entry (ACE) for subkeys, the resulting subkeys are all owned by the user of the current process.

The ransomware gang has taken advantage of this to create a specific registry key where it sets the “Debugger” value as an executable pathname, said Symantec. This in turn enables the exploit to start up a shell with admin rights.
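The two conditions described above, a subkey under a system-owned parent that is owned by an ordinary user and a “Debugger” value pointing at an arbitrary executable, are both observable from the registry. The following PowerShell audit is an added example, not code from the article or from Symantec; the parent key path is a placeholder because the article does not name the key that werkernel.sys creates, and the list of trusted owners is an assumption you should adjust to your environment.

```powershell
# Added example (not from the article): audit subkeys beneath a registry key for
# (a) ownership by a non-privileged principal, which is what a null security
# descriptor plus a Creator Owner ACE on the parent produces, and (b) a "Debugger"
# value, which the article describes as the value the exploit tool sets.
# $ParentKey is a placeholder; the article does not name the key werkernel.sys creates.
function Find-SuspiciousWerSubkeys {
    param(
        [Parameter(Mandatory)] [string] $ParentKey,   # e.g. 'HKLM:\SOFTWARE\<placeholder>'
        # Assumed list of principals that legitimately own keys under HKLM; tune as needed.
        [string[]] $TrustedOwners = @('NT AUTHORITY\SYSTEM',
                                      'BUILTIN\Administrators',
                                      'NT SERVICE\TrustedInstaller')
    )
    if (-not (Test-Path -LiteralPath $ParentKey)) {
        Write-Warning "Key not found: $ParentKey"
        return
    }
    Get-ChildItem -LiteralPath $ParentKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        $owner = if ($acl) { $acl.Owner } else { '<unreadable>' }
        # GetValue returns $null when no "Debugger" value exists on this key.
        $debugger = $key.GetValue('Debugger', $null)
        $findings = @()
        if ($owner -notin $TrustedOwners) { $findings += "owner '$owner' is not a trusted principal" }
        if ($null -ne $debugger)         { $findings += "Debugger value set to '$debugger'" }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Key      = $key.Name
                Owner    = $owner
                Debugger = $debugger
                Finding  = ($findings -join '; ')
            }
        }
    }
}

# Usage (placeholder path; substitute the WER-related parent key you are auditing):
# Find-SuspiciousWerSubkeys -ParentKey 'HKLM:\SOFTWARE\Microsoft\<placeholder>' | Format-Table -AutoSize
```

A key under HKLM owned by a standard user account, or a Debugger value pointing outside trusted system or debugger install paths, is worth pulling into an investigation; the function reports both so the two signals can be correlated.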

The researchers said that two different variants of the tool they discovered had been compiled several months ago, the first on 18 December 2023, and the second on 27 February 2024, although it is important to understand that time stamp values in portable executables can be changed, and a specific time stamp is not in and of itself sufficient evidence that CVE-2024-26169 has been used as a zero-day.

Nevertheless, Symantec said that given Black Basta’s resumption of attacks following the disruption of its favoured Qakbot botnet in August 2023, it was likely the case that the gang is behind this particular tool.

Kevin Robertson, chief operations officer and company co-founder, said that the earlier statement that there was no evidence of CVE-2024-26169 being exploited may have lured many cyber admins into a false sense of security and resulted in the patch not being prioritised in the usual monthly rush.

“Cyber ****** gangs are exploiting weaknesses in ubiquitous software and using them as backdoors into systems,” he said. “Software vendors have a duty to continuously hunt for and remediate vulnerabilities, otherwise, they are putting their customers at serious risk. They also have a duty to investigate if vulnerabilities have been exploited in the wild before patches are released, because this could result in organisations missing compromises.

“For any organisation that has not patched this CVE yet, do it now, because in the hands of an adversary like Black Basta, it has become one of the most dangerous vulnerabilities around today,” said Robertson.
