
CVE-2024-26169: Active Exploitation of Windows Elevation of Privilege Flaw


Executive Summary

CVE-2024-26169, an elevation of privilege flaw in the Windows Error Reporting (WER) service, has been actively exploited in the wild, notably by the Black Basta ransomware group. If left unpatched, the vulnerability allows a local attacker to gain higher-level privileges, posing a significant threat to organizations across multiple sectors, including critical infrastructure, healthcare, and financial services in the United States, European Union, and parts of Asia. Immediate patching and robust monitoring are strongly advised.


Targeted Sectors and Countries

Sectors Targeted:

  • Critical Infrastructure

  • Healthcare

  • Financial Services

Countries Targeted:

  • United States

  • European Union

  • Parts of Asia


Exploitation of Windows Elevation of Privilege Flaw - Technical Information

CVE Identifier: CVE-2024-26169

Vulnerability Name: Windows Error Reporting Service Elevation of Privilege Vulnerability

Impact: Elevation of Privilege

Severity: Important

Affected Systems: Microsoft Windows

Date Added: Refer to NVD for the specific date of addition

Description: CVE-2024-26169 is an elevation of privilege vulnerability within the Windows Error Reporting Service. This flaw allows local attackers with user permissions to gain elevated privileges due to improper privilege management. The vulnerability stems from the WER service's failure to correctly assign, modify, track, or check user privileges, thus creating an unintended sphere of control for the attacker.


Attack Vector and Impact Metrics:

  • Local: The attacker must have local access to the system.

  • Access Complexity: Low

  • Authentication Required: None

  • Impact on Confidentiality: None

  • Impact on Integrity: High

  • Impact on Availability: High


Technical Details: The vulnerability is exploited by manipulating the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges.


Exploitation in the Wild

Recent intelligence reports indicate that the Black Basta ransomware group has been exploiting CVE-2024-26169 as a zero-day vulnerability. The exploitation tool was compiled before the patch release, suggesting active exploitation prior to public disclosure.


Indicators of Compromise (IOCs):



APT Groups Using This Vulnerability


Black Basta Ransomware (Cardinal Group aka Storm-1811, UNC4393):

  • Sectors Targeted: Multiple sectors including critical infrastructure, healthcare, and financial services.

  • Countries Targeted: Primarily the United States, European Union countries, and parts of Asia.


MITRE ATT&CK Framework:

  • Tactic: Privilege Escalation (TA0004)

  • Technique: Exploitation for Privilege Escalation (T1068)


Affected Product Versions

The following products and versions are affected by CVE-2024-26169:

  1. Microsoft Windows 10

  • Versions: 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2, 21H1, 21H2

  2. Microsoft Windows 11

  • Versions: 21H2, 22H2

  3. Microsoft Windows Server

  • Versions: 2016, 2019, 2022


Workaround and Mitigation

Patch Management: Apply the latest security updates and patches provided by Microsoft to address this vulnerability.

Least Privilege Principle: Ensure users operate with the least privilege necessary to reduce potential exploitation vectors.

Monitoring and Detection: Implement robust monitoring to detect unusual behavior indicative of privilege escalation attempts.
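As an added illustration of the monitoring point above (example code, not part of the original advisory), the following Python flags registry value-set events that write an IFEO "Debugger" value, ranking the WerFault.exe case from the Technical Details section highest. It assumes Sysmon Event ID 13 field names (EventID, TargetObject, Details, Image, User); the sample records are constructed, not real telemetry.

```python
import re

# Key named in the advisory; Sysmon's TargetObject field uses an "HKLM\" prefix.
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# ...\Image File Execution Options\<image>\Debugger, case-insensitive.
IFEO_DEBUGGER_RE = re.compile(
    r"\\Image File Execution Options\\(?P<image>[^\\]+)\\Debugger$", re.IGNORECASE)


def detect_ifeo_debugger(events):
    """Flag Sysmon Event ID 13 (RegistryEvent: Value Set) records that set an
    IFEO Debugger value. Any such write deserves review; one for WerFault.exe
    matches the CVE-2024-26169 technique described in this advisory."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = IFEO_DEBUGGER_RE.search(ev.get("TargetObject", ""))
        if not m:
            continue
        image = m.group("image")
        alerts.append({
            "severity": "high" if image.lower() == "werfault.exe" else "medium",
            "image": image,
            "debugger": ev.get("Details", ""),   # path written as the Debugger value
            "writer": ev.get("Image", ""),       # process that performed the write
            "user": ev.get("User", ""),
        })
    return alerts


# Constructed sample records (not real telemetry) in Sysmon Event ID 13 layout.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "User": r"CORP\alice", "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": IFEO_KEY + r"\WerFault.exe\Debugger"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": r"CORP\bob",
     "Details": r"C:\Tools\windbg.exe",
     "TargetObject": IFEO_KEY + r"\notepad.exe\Debugger"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "Details": r"C:\Program Files\Foo\foo.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foo"},
]

if __name__ == "__main__":
    for a in detect_ifeo_debugger(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] IFEO Debugger for {a['image']} -> "
              f"{a['debugger']} written by {a['writer']} as {a['user']}")
```

A legitimate debugger registration (the notepad.exe record) still surfaces at medium severity, so the rule should be tuned against known developer workstations rather than silenced.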

Security Training: Educate users on the importance of maintaining security hygiene and recognizing potential exploitation tactics.
