CyberWire Daily - The Black Basta ransomware riddle. [Research Saturday]
Episode Date: July 27, 2024
Dick O'Brien from Symantec Threat Hunter team is talking about their work on "Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day." Also going to provide some background/...history on Black Basta. CVE-2024-26169 in the Windows Error Reporting Service, patched on March 12, 2024, allowed privilege escalation. Despite initial claims of no active exploitation, recent analysis indicates it may have been exploited as a zero-day before the patch. The research can be found here: Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Black Basta, I tend to see them as being one of the newer ransomware groups, but they've been around since 2022.
They're operated by a group that we call Cardinal.
And that does mean that they're kind of one of the elder statesmen now in the ransomware universe.
That's Dick O'Brien, Principal Intelligence Analyst with Symantec's Threat Hunter team.
The research we're discussing today is titled
Ransomware Attackers May Have Used
Privilege Escalation Vulnerability as Zero Day.
They were one of those groups
that kind of made an immediate impact.
They hit the ground running, so to speak.
They mounted a lot of successful attacks right from the off,
which led to a lot of speculation about who these people were.
They were obviously cybercrime veterans in the way that they seemed to be able to immediately build a successful operation.
And there was some speculation that maybe some of the people involved were formerly involved with the old Conti ransomware group,
which is one of the biggest ransomware operations in the world for a long time.
I guess the thing that characterized the Black Basta attacks initially
was that they had a very close relationship
with the Qakbot botnet.
And Qakbot was one of the biggest
malware distribution botnets
operating for a long time.
Essentially what they did was
they sent malware,
loader-laced emails using the botnet to tens of thousands of people every day,
and then they would sell off access to interesting targets to groups such as Black Basta.
And for a long time, every Black Basta attack we investigated,
or indeed every one that we heard about, began with a Qakbot infection.
So they seem to have a very close relationship with Qakbot.
But then Qakbot was subject to a law enforcement takedown last year.
And this led to a lot of speculation as to what was going to happen to Black Basta, because Qakbot was kind of like the last man standing
in terms of these big malware distribution botnets.
All of the other ones had been disrupted before that.
And we were wondering whether this was going to be the end of Black Basta
because they were so reliant on Qakbot.
But they've come back, they've rebuilt their operation,
and they seem to have established a relationship
with attackers who use the DarkGate malware,
which is often used as a precursor to Black Basta.
So they seem to have found another source of victims.
The DarkGate people are probably selling on access to Black Basta.
So they kind of had a quiet period after the Qakbot takedown,
but they're back in business now to the same level, more or less, as before.
Well, let's dig into this specific research here.
I mean, there's a couple of interesting wrinkles.
Can we first talk about the exploit tool itself?
I mean, what seems to be going on here?
The exploit tool, it's a privilege escalation exploit tool. So by running it, it allows the
attackers to run as an admin user. It exploited a vulnerability
that was patched by Microsoft
back in March 2024.
Now, we only discovered the exploit tool
after the patching,
but we found some evidence to suggest
that this tool was created long before
the vulnerability was patched
and that this group may have been using it as a zero-day vulnerability.
So to explain the exploit, the root cause of the vulnerability,
lies in the fact that there is one Windows file,
werkernel.sys, that has a null security descriptor for any registry keys it creates.
However, its parent has a creator-owner access control entry for its subkeys.
And what that means is that it assigns the current user, which in this case is the attacker,
as the owner of any new subkey created by the file.
So ordinarily, unprivileged users can't create a subkey in this fashion.
So the attackers then abused this fault
to create their own registry key
where they set a debugger value
as pointing towards their own exploit tool.
And then they triggered the exploit
by making a call to the ReportFault API,
and it launched their executable, their exploit,
because that was the file that was specified as the debugger key value.
And voila, they're running with admin privileges.
That's essentially how it works.
The evidence we had that it was being used as a zero-day are timestamps.
We found two versions of the exploit tool that had timestamps that predated the patching.
Now, timestamps are not the final smoking gun in evidence,
in that they can be faked.
But having said that,
we can't really see any real motivation in this case
for the attackers wanting to fake the timestamps
2 and 2. So we suspect chances are it was being used as a zero day for a while.
We'll be right back.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
It's really an interesting insight here in your research.
I mean, as you point out, when Microsoft released this patch back in March,
they said that they had no evidence of any exploitation in the wild,
and there's no reason to suspect that Microsoft were being disingenuous about that.
But these things are fluid.
You know, your research shows, as is sometimes the case, that it turns out perhaps somebody was.
Yeah, I mean, it has been known to happen.
You know, it's a case of if nobody knows about it,
well then, you know,
they're not going to be aware of it.
Okay, usually when in the wild exploits
are reported on patching,
it's because somebody has discovered
that in the course of an attack investigation
and reported it to Microsoft.
But in this case,
it seems that somebody discovered the vulnerability independently and reported
it to Microsoft, but the attackers have probably found it themselves prior to this.
What else can you tell us about this group in terms of, is there any specificity in who
they seem to be targeting, what they're after in particular, those sorts of things?
There's nothing specific in terms of who they are targeting.
What they really want is somebody who will pay the ransom.
They're your typical ransomware group in that respect.
So they're looking for large organizations
who they think have deep pockets and they will go after them.
They're a slightly unusual group in a way in that we think they're mounting all of the attacks themselves.
We've never seen any evidence of them advertising for affiliates operating a so-called ransomware as a service.
Although some third parties have suggested this, but we've never seen anything to back that up.
And that's unusual enough in this day and age. Most ransomware groups tend to use the franchise model.
Any insights on how successful they are? Do we have a view into any cryptocurrency wallets
or anything like that? I think this is something we wouldn't track ourselves. There are other
specialists in it, but the fact that the group has been around for so long and has been so active
would probably suggest that they're making some serious money out of it.
Usually you will find ransomware groups who aren't kind of leveraging their tools to the full extent.
They give up pretty quickly and move on to something else.
I see. So what are your recommendations then for folks to best protect themselves here?
Recommendations, I think it's the same as with any competent ransomware attacker.
So it's not just Black Basta.
Number one is be very aware of how a typical attack unfolds and then try and build your defenses around that.
So right now, vulnerability exploitation is the main route into affected organizations.
It was botnets like Qakbot that I mentioned there earlier.
But now what you're seeing is there are exploit brokers who are identifying useful vulnerabilities as they're patched and launching scanning campaigns
pretty much straight away after the vulnerability's patch is released to identify unpatched systems.
And then they're selling on access to ransomware groups like this group to infect them. That's
the primary infection vector for ransomware at the moment. So obviously prioritizing, keeping your software updated,
having a good patching policy is key to preventing infection.
And then a ransomware attack is a multi-stage process,
and there's a lot of different steps and tools that need to be involved
for it to be done successfully.
And educating yourself on what the steps are
will probably help you mitigate any risk.
So be very careful about who has access to administrative credentials.
Implement two-factor authentication wherever you can.
Things like one-time passwords and stuff like that.
And also, pay very careful attention to what software is being used on your network.
Increasingly, attackers are relying on legitimate tools to perform nefarious activities,
in particular, remote management software and remote desktop software, any
unauthorized installations of things like that on your network should be raising big red flags.
Our thanks to Dick O'Brien from Symantec's Threat Hunter team for joining us.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at N2K.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.