CyberWire Daily

The Black Basta ransomware riddle. [Research Saturday]

Dick O'Brien from Symantec's Threat Hunter team discusses their work on "Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day," and also provides some background and history on Black Basta. CVE-2024-26169 in the Windows Error Reporting Service, patched on March 12, 2024, allowed privilege escalation. Despite initial claims of no active exploitation, recent analysis indicates it may have been exploited as a zero-day before the patch. The research can be found here: Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 17m
Broadcast on: 27 Jul 2024
Audio Format: mp3

You're listening to the CyberWire Network, powered by N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber.

Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Black Basta, I tend to see them as being one of the newer ransomware groups, but they've been around since 2022, where they're operated by a group called Cardinal, and that does mean that they're kind of one of the elder statesmen now in the ransomware universe.

That's Dick O'Brien, principal intelligence analyst with Symantec's Threat Hunter team. The research we're discussing today is titled "Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero Day."

They were one of those groups that kind of made an immediate impact. They hit the ground rolling, so to speak; they mounted a lot of successful attacks right from the off, which led to a lot of speculation about who these people were. They were obviously cybercrime veterans in the way that they seemed to be able to immediately build a successful operation, and there was some speculation that maybe some of the people involved were formerly involved with the old Conti ransomware group, which was one of the biggest ransomware operations in the world for a long time.

I guess the thing that characterized the Black Basta attacks initially was that they had a very close relationship with the Qakbot botnet, and Qakbot was one of the biggest malware distribution botnet operations for a long time. Essentially, what they did was they sent malware, they sent loader-laced emails using the botnet to tens of thousands of people every day, and then they would sell off access to interesting targets to groups such as Black Basta. For a long time, every Black Basta attack we investigated, and indeed every one that we heard about, began with a Qakbot infection, so they seemed to have a very close relationship with Qakbot. But then Qakbot was subject to a law enforcement takedown last year, and this led to a lot of speculation as to what was going to happen to Black Basta, because Qakbot was kind of like the last man standing in terms of these big malware distribution botnets; all of the other ones had been disrupted before that. And we were wondering whether this was going to be the end of Black Basta, because they were so reliant on Qakbot, but they've come back, they've rebuilt their operation, and they seem to have established a relationship with attackers who use the DarkGate malware, which is often used as a precursor to Black Basta. So we think they have found another source of victims; the DarkGate people are probably selling on access to Black Basta. So they kind of had a quiet period after the Qakbot takedown, but they're back in business now to the same level, more or less, as before.

So let's dig into this specific research here. I mean, there's a couple of interesting wrinkles. Can we first talk about the exploit tool itself? I mean, what seems to be going on here?

The exploit tool, it's a privilege escalation exploit tool, so by running it, it allows the attackers to run as an admin, which obviously gives you an awful lot more power than running commands as an ordinary user. It exploited a vulnerability that was patched by Microsoft back in March 2024. Now, we only discovered the exploit tool after the patching, but we found some evidence to suggest that this tool was created long before the vulnerability was patched, and that this group may have been using it as a zero-day vulnerability. So to explain the exploit, the root cause of the vulnerability lies in the fact that there is one Windows file, werkernel.sys, that has a null security descriptor for any registry keys it creates; however, its parent has a Creator Owner access control entry for its subkeys, and what that means is that it assigns the current user, which in this case is the attacker, as the owner of any new subkey created by the file. So ordinarily, unprivileged users can't create a subkey in this fashion, so the attackers then abused this fault to create their own registry key, where they set a Debugger value pointing towards their own exploit tool, and then they triggered the exploit by making a call to the ReportFault API, and it launched their exploit, because that was the file that was specified as the Debugger key value, and voilà, they're running with admin privileges. That's essentially how it works. The evidence we had that it was being used as a zero-day are timestamps. We found two versions of the exploit tool that had timestamps that predated the patching. Now, timestamps are not the final smoking gun as evidence, and they can be faked, but having said that, we can't really see any real motivation in this case for the attackers wanting to fake the timestamps, so we suspect chances are it was being used as a zero-day for a while.

We'll be right back.

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach, that's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

It's really an interesting insight here in your research. I mean, as you point out, when Microsoft released this patch back in March, they said that they had no evidence of any exploitation in the wild, and there's no reason to suspect that Microsoft were being disingenuous about that. But these things are fluid, and your research shows, as is sometimes the case, that it turns out perhaps somebody was.

Yeah, I mean, it has been known to happen. You know, it's a case of if nobody knows about it, well then, you know, they're not going to be aware of it. Usually when in-the-wild exploits are reported on patching, it's because somebody has discovered them in the course of an attack investigation and reported it to Microsoft. And in this case, it seems that somebody discovered the vulnerability independently and reported it to Microsoft, and the attackers had probably found it themselves prior to this.

What else can you tell us about this group in terms of, is there any specificity in who they seem to be targeting, what they're after in particular, those sorts of things?

There's nothing specific in terms of who they are targeting. What they really want is somebody who will pay a ransom. They're your typical ransomware group in that respect. So they're looking for large organizations who they think have deep pockets; they will go after them. And they're a slightly unusual group in a way, in that we think they're mounting all of the attacks themselves. We've never seen any evidence of them advertising for affiliates, operating a so-called ransomware-as-a-service, although some third parties have suggested this, but we've never seen anything to back that up, you know, and that's unusual enough in this day and age. Most ransomware groups tend to use the franchise model.

Any insights on how successful they are, or do we have a view into any cryptocurrency wallets or anything like that?

I think this is something we wouldn't track ourselves. There are other specialists in it, but the fact that the group has been around for so long and has been so active would probably suggest that they're making some serious money out of it. Usually you will find ransomware groups who aren't kind of leveraging their tools to the full extent give up pretty quickly and move on to something else.

So what are your recommendations, then, for folks to best protect themselves here?

Recommendations, I think it's the same as with any competent ransomware attacker, so it's not just Black Basta. Number one is be very aware of how a typical attack unfolds and then try and build your defenses around that. So right now, vulnerability exploitation is the main route into affected organizations. It wasn't always like that; it was Qakbot, as I mentioned earlier, but now what you're seeing is there are access brokers who are identifying useful vulnerabilities as they're patched and launching scanning campaigns pretty much straight away after the vulnerability's patch is released to identify unpatched systems, and then they're selling on access to ransomware groups like this group to infect them. That's the primary infection vector for ransomware at the moment. So obviously prioritizing keeping your software updated, having a good patching policy, is key to preventing infection. And then a ransomware attack is a multi-stage process, and there's a lot of different steps and tools that need to be involved for it to be done successfully, and educating yourself on all of those steps will probably help you mitigate any risk. So be very careful about who has access to administrative credentials, implement two-factor authentication wherever you can, things like one-time passwords and stuff like that. And also pay very careful attention to what software is being used on your network. Increasingly, attackers are relying on legitimate tools to perform nefarious activities, in particular remote management software and remote desktop software. Any unauthorized installations of things like that on your network should be raising big red flags.

Our thanks to Dick O'Brien from Symantec's Threat Hunter team for joining us. The research is titled "Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero Day." We'll have a link in the show notes.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire, that's mwise.io/cyberwire.