Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity. These included the use of batch scripts masquerading as software updates.
The exploit tool appears to rely on the fact that a specific file, werkernel.sys, uses a null security descriptor when it creates registry keys, which leaves those keys open to manipulation and enables the ransomware gang to tamper with registry keys and settings.
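As an added defensive example (not from the original report or from Symantec), the following PowerShell script audits a registry subtree for the weakness described above: keys whose DACL is null, or whose DACL grants write rights to low-privileged principals. The root path and the list of principals are assumptions for illustration; point it at whatever keys you need to audit.

```powershell
# Audit registry keys for a null DACL or write access held by low-privileged
# principals. A null DACL is serialised in SDDL as "D:NO_ACCESS_CONTROL" and
# means any user can modify the key. The default root is an illustrative
# assumption, not a path taken from the article.
param(
    [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
)

# Principals that should never hold write rights on system-owned keys (assumed list).
$LowPrivIdentities = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow changing a key's contents, its permissions, or its owner.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Test-RegistryKeyDacl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    $sddl = $acl.GetSecurityDescriptorSddlForm('Access')
    $findings = @()
    # Null DACL: no access control at all, so the key is world-writable.
    if ($sddl -match 'D:NO_ACCESS_CONTROL') {
        $findings += [pscustomobject]@{ Path = $Path; Issue = 'Null DACL (world-writable)'; Identity = '*' }
    }
    # Explicit Allow ACEs that hand write rights to a low-privileged principal.
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.RegistryRights -band $WriteRights) -ne 0) {
            $findings += [pscustomobject]@{ Path = $Path; Issue = "Write access: $($rule.RegistryRights)"; Identity = $rule.IdentityReference.Value }
        }
    }
    return $findings
}

# Walk the root and all subkeys, reporting only keys that produce a finding.
$keys = @(Get-Item -Path $Root -ErrorAction Stop) +
        @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
$results = foreach ($key in $keys) {
    try { Test-RegistryKeyDacl -Path $key.PSPath }
    catch { Write-Warning "Cannot read ACL for $($key.PSPath): $_" }
}
$results | Format-Table -AutoSize
```

Run it from an elevated prompt so that every subkey's ACL is readable; an empty table means no key under the root is null-DACL'd or writable by the listed principals.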
#microsoft-windows-error-reporting-service #cve-2024-26169 #zero-day-exploit #black-basta-ransomware-gang #symantec-threat-hunter-team