Cardinal ransomware group exploited Windows 0-day before patch

Illustration: JMiks | Shutterstock

The Cardinal ransomware cybercrime group (Storm-1181/UNC4393), operating the Black Basta malware, developed an exploit for CVE-2024-26169, a Windows privilege escalation vulnerability, before a patch was released. This has raised concerns that the critical flaw was exploited as a zero-day.

CVE-2024-26169 affects the Windows Error Reporting Service and enables attackers to elevate their privileges on systems they have already compromised. Microsoft addressed the vulnerability with a patch issued on March 12, 2024, stating at the time that there was no evidence of exploitation in live attacks.

However, subsequent analysis of an exploit tool deployed in recent incidents suggests that attackers may have compiled the exploit before the patch release, indicating possible zero-day exploitation by at least one threat actor group.

Cybersecurity researchers investigated a recent attempted ransomware attack where the exploit tool was deployed. While the attackers failed to execute a ransomware payload in this instance, their tactics closely mirrored those attributed to Black Basta. This included batch scripts disguised as software updates, a hallmark strategy of Black Basta attacks.

Researchers found that attackers had been exploiting the Windows zero-day flaw since December 2023.

“Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity. These included the use of batch scripts masquerading as software updates,” said cybersecurity researchers from Symantec.

The exploit tool leverages a flaw in the Windows file werkernel.sys, exploiting a null security descriptor to create registry keys with elevated privileges. When cybersecurity researchers analysed the tool used in the attack, they discovered a compilation timestamp of February 27, 2024, predating the patch release by several weeks.

A second variant of the tool was also discovered on VirusTotal with a timestamp from December 18, 2023.

According to the researchers, while timestamps in executable files can be altered, attackers have little incentive to backdate them, so the timestamps raised suspicions of zero-day exploitation in this case.
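The researchers' dating of the exploit rests on the compilation timestamp stored in the executable's header. The following is an added example, not code from the article or from the researchers it cites, showing where that value lives and how an analyst reads it: the COFF file header of a PE image carries a 32-bit `TimeDateStamp` (seconds since the Unix epoch) eight bytes past the `PE\0\0` signature. The sample input is a constructed minimal header, not a real binary, stamped with the February 27, 2024 date reported above; the patch date is the March 12, 2024 release date given in the article.

```python
import struct
from datetime import date, datetime, timezone

# Patch release date reported in the article (Microsoft, March 12, 2024).
PATCH_DATE = date(2024, 3, 12)


def pe_compile_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime.

    Layout: 'MZ' DOS header, e_lfanew at offset 0x3C pointing to 'PE\0\0',
    then the COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def days_before_patch(compiled: datetime, patch_date: date = PATCH_DATE) -> int:
    """Positive when the binary's stamp predates the patch; negative otherwise.

    The stamp is attacker-controllable, so this is supporting evidence only,
    to be weighed alongside other artefacts (first-seen dates, telemetry).
    """
    return (patch_date - compiled.date()).days


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header for demonstration; not a runnable binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, 1 section, TimeDateStamp, then zeroed remaining fields.
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample: a header stamped with the date reported for the tool.
SAMPLE_TS = int(datetime(2024, 2, 27, tzinfo=timezone.utc).timestamp())
SAMPLE_PE = build_stub_pe(SAMPLE_TS)

if __name__ == "__main__":
    compiled = pe_compile_timestamp(SAMPLE_PE)
    print("compiled:", compiled.isoformat())
    print("days before patch:", days_before_patch(compiled))
```

Running the script on a real sample means passing the file's bytes to `pe_compile_timestamp`; the stub builder exists only so the example runs offline.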

Black Basta, introduced by Cardinal in April 2022, initially relied on the Qakbot botnet for distribution. Despite researchers noting a decline in their activity following law enforcement action against them in August 2023, Cardinal has since resumed operations and is now collaborating with DarkGate loader operators to target potential victims.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me