Executive Summary
CVE-2024-26169, an Exploitation of Windows Elevation of Privilege Flaw in the Windows Error Reporting (WER) Service, has been actively exploited in the wild, notably by the Black Basta ransomware group. This vulnerability, if left unaddressed, can allow local attackers to gain higher-level privileges, posing a significant threat to organizations across multiple sectors, including critical infrastructure, healthcare, and financial services in the United States, European Union, and parts of Asia. The urgency for immediate patching and robust monitoring cannot be overstated.
Targeted Sectors and Countries
Sectors Targeted:
Critical Infrastructure
Healthcare
Financial Services
Countries Targeted:
United States
European Union
Parts of Asia
Exploitation of Windows Elevation of Privilege Flaw - Technical Information
CVE Identifier: CVE-2024-26169
Vulnerability Name: Windows Error Reporting Service Elevation of Privilege Vulnerability
Impact: Elevation of Privilege
Severity: Important
Affected Systems: Microsoft Windows
Date Added: Refer to NVD for the specific date of addition
Description: CVE-2024-26169 is an elevation of privilege vulnerability within the Windows Error Reporting Service. This flaw allows local attackers with user permissions to gain elevated privileges due to improper privilege management. The vulnerability stems from the WER service's failure to correctly assign, modify, track, or check user privileges, thus creating an unintended sphere of control for the attacker.
Attack Vector:
Local: The attacker must have local access to the system.
Access Complexity: Low
Authentication Required: None
Impact on Confidentiality: None
Impact on Integrity: High
Impact on Availability: High
Technical Details: The vulnerability is exploited by manipulating the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges.
Exploitation in the Wild
Recent intelligence reports indicate that the Black Basta ransomware group has been exploiting CVE-2024-26169 as a zero-day vulnerability. The exploitation tool was compiled before the patch release, suggesting active exploitation prior to public disclosure.
Indicators of Compromise (IOCs):
Exploit Tools:
SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63
SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0
Batch Scripts:
SHA256: a31e075bd5a2652917f91714fea4d272816c028d7734b36c84899cd583181b3d
SHA256: 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d
SHA256: 2408be22f6184cdccec7a34e2e79711ff4957e42f1ed7b7ad63f914d37dba625
Remote Access Tools:
SHA256: b0903921e666ca3ffd45100a38c11d7e5c53ab38646715eafc6d1851ad41b92e
APT Groups using this vulnerability
Black Basta Ransomware (Cardinal Group aka Storm-1811, UNC4393):
Sectors Targeted: Multiple sectors including critical infrastructure, healthcare, and financial services.
Countries Targeted: Primarily the United States, European Union countries, and parts of Asia.
MITRE ATT Framework:
Tactic: Privilege Escalation (TA0004)
Technique: Exploitation for Privilege Escalation (T1068)
Affected Product Versions
The following products and versions are affected by CVE-2024-26169:
Microsoft Windows 10
Versions: 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2, 21H1, 21H2
Microsoft Windows 11
Versions: 21H2, 22H2
Microsoft Windows Server
Versions: 2016, 2019, 2022
Workaround and Mitigation
Patch Management: Apply the latest security updates and patches provided by Microsoft to address this vulnerability.
Least Privilege Principle: Ensure users operate with the least privilege necessary to reduce potential exploitation vectors.
Monitoring and Detection: Implement robust monitoring to detect unusual behavior indicative of privilege escalation attempts.
Security Training: Educate users on the importance of maintaining security hygiene and recognizing potential exploitation tactics.
Comments