
Critical Windows Error Reporting Service Vulnerability CVE-2024-26169 Exploited by Black Basta Ransomware

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory regarding a critical Windows vulnerability, identified as CVE-2024-26169, which has been actively exploited in ransomware attacks. This vulnerability, affecting the Windows Error Reporting Service, allows local attackers to gain SYSTEM permissions with minimal complexity and no user interaction. The exploitation of this vulnerability has been linked to the notorious Black Basta ransomware group, which has been operational since April 2022. This report delves into the technical specifics of the vulnerability, its exploitation in the wild, the threat actors involved, and provides actionable mitigation strategies to safeguard your organization.

Technical Information

CVE-2024-26169 is a critical vulnerability categorized under Improper Privilege Management, affecting the Windows Error Reporting Service. The flaw enables a local attacker to escalate privileges to SYSTEM, thereby gaining full control over the affected host. It is characterized by low attack complexity and requires no user interaction, which makes it an attractive target for cybercriminals. Microsoft officially patched the vulnerability on March 12, 2024, as part of its Patch Tuesday updates. However, an exploit was already in circulation: evidence suggests that the Black Basta group had developed a working exploit as early as December 2023. The exploitation of this vulnerability underscores the importance of timely patch management and robust security measures to prevent unauthorized access and potential data breaches.

Exploitation in the Wild

The Black Basta ransomware group, also known as the Cardinal cybercrime group (UNC4394, Storm-1811), has been identified as the primary threat actor exploiting CVE-2024-26169. Symantec researchers found that the group's exploit tool carried compilation timestamps dating back to December 18, 2023, indicating exploitation before the patch was available. The group has leveraged this vulnerability in ransomware attacks, encrypting systems and exfiltrating sensitive data from targeted organizations. The exploitation has been particularly focused on critical infrastructure sectors, highlighting the group's strategic targeting and operational sophistication.

APT Groups using this vulnerability

The Black Basta ransomware group is a prominent Advanced Persistent Threat (APT) actor exploiting this vulnerability. Emerging in April 2022 following the disbandment of the Conti gang, Black Basta operates as a Ransomware-as-a-Service (RaaS) model. The group has been linked to high-profile attacks on organizations such as Rheinmetall, Capita, Toronto Public Library, American Dental Association, ABB, Hyundai Europe, Yellow Pages Canada, and Ascension. Their operations have resulted in over $100 million in ransom payments from more than 90 victims as of November 2023. The group's tactics include encrypting systems, data theft, and targeting critical infrastructure sectors, posing a significant threat to global cybersecurity.

Affected Product Versions

The vulnerability affects multiple versions of the Windows operating system, specifically those utilizing the Windows Error Reporting Service. Organizations are advised to review their systems and ensure that all affected versions are updated with the latest security patches released by Microsoft in March 2024.

Workaround and Mitigation

To mitigate the risks associated with CVE-2024-26169, organizations should prioritize the following strategies. First, ensure that all systems are updated with the latest security patches, particularly the March 2024 Patch Tuesday updates from Microsoft. Implement strict privilege management policies to limit SYSTEM-level access and reduce the potential impact of exploitation. Deploy advanced threat detection solutions to monitor for unusual activities associated with the known Tactics, Techniques, and Procedures (TTPs) of the Black Basta group. Additionally, develop and regularly update incident response plans to quickly address potential ransomware attacks and minimize damage.
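The first mitigation step above (confirming that the March 2024 update is in place) is the one most hosts fail on silently, so the following PowerShell triage script is added here as an example; it is not part of the Rescana report or any Microsoft tooling. It assumes the KB identifier is a placeholder you replace with the March 2024 cumulative update ID for your Windows build, and it also flags the case where the update is installed but the host has not rebooted since, so the fix is not yet active.

```powershell
# Added example (not from the original report): host triage for CVE-2024-26169 exposure.
# ASSUMPTION: 'KB<PLACEHOLDER>' must be replaced with the March 12, 2024 cumulative update
# ID for this host's Windows build (look it up in the Microsoft Security Update Guide).
$RequiredKb = 'KB<PLACEHOLDER>'
$PatchDate  = Get-Date '2024-03-12'

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$lastBoot = $os.LastBootUpTime
Write-Host "Host: $env:COMPUTERNAME  Build: $($os.Version)  Last boot: $lastBoot"

# Collect installed updates once; InstalledOn can be null for some entries, so guard on it.
$hotfixes = Get-HotFix
$required = $hotfixes | Where-Object { $_.HotFixID -eq $RequiredKb }
$recent   = $hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate }

$status = 'UNPATCHED'
if ($required) {
    # The specific update is present; it only protects the host after a reboot.
    if ($required.InstalledOn -and $required.InstalledOn -gt $lastBoot) {
        $status = 'PATCHED-REBOOT-PENDING'
    } else {
        $status = 'PATCHED'
    }
} elseif ($recent) {
    # Some update newer than Patch Tuesday is installed, but not the one we asked for:
    # treat as inconclusive and let an analyst confirm against the update guide.
    $status = 'INCONCLUSIVE'
}

# Record the Windows Error Reporting service state for the incident log. Do not rely on
# stopping WerSvc as a mitigation: the vendor fix is the patch, not a service change.
$wer = Get-Service -Name WerSvc -ErrorAction SilentlyContinue
if ($wer) {
    Write-Host "WerSvc: Status=$($wer.Status) StartType=$($wer.StartType)"
} else {
    Write-Host 'WerSvc: service not found on this host'
}

Write-Host "CVE-2024-26169 patch status: $status"
if ($recent) {
    Write-Host 'Updates installed on or after 2024-03-12:'
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
}

# Non-zero exit code lets a fleet runner (e.g. an RMM job) collect unpatched hosts.
if ($status -eq 'PATCHED') { exit 0 } else { exit 1 }
```

Run it with the identity used for patch auditing on each host; hosts that exit non-zero go to the top of the March 2024 update queue, and those reporting `PATCHED-REBOOT-PENDING` need a maintenance-window reboot before they are protected.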

References

For further reading and detailed analysis, please refer to the following resources. The Bleeping Computer article provides an overview of the CISA warning regarding the Windows bug exploited in ransomware attacks, available at https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-bug-exploited-in-ransomware-attacks/. Symantec's research report offers insights into the Black Basta exploitation activities. CISA's Known Exploited Vulnerabilities Catalog is also a valuable resource for understanding the broader context of this vulnerability.

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive protection against emerging threats, ensuring that your organization remains secure. Should you have any questions about this report or require further assistance, please do not hesitate to contact our cybersecurity team at ops@rescana.com. We are here to support you in safeguarding your digital assets and maintaining robust cybersecurity defenses.
