Black Basta may have exploited Microsoft flaw before a patch was issued
Symantec says it found evidence the flaw was exploited as a zero-day, despite Microsoft statement


The Black Basta ransomware group appears to have exploited a Windows privilege escalation vulnerability before Microsoft was able to issue a patch.
According to Symantec, the vulnerability, CVE-2024-26169, lies in the Windows Error Reporting Service and, if exploited on an affected system, allows a local attacker to elevate their privileges.
Microsoft patched the vulnerability on March 12, 2024, and said at the time that it had no evidence the flaw had been exploited in the wild.
However, researchers at Symantec said analysis of an exploit tool deployed in recent attacks shows it could have been compiled before the patch was released - meaning that at least one group may have been exploiting the vulnerability as a zero-day.
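The evidence Symantec describes rests on a build timestamp: a PE file's COFF header carries a 32-bit TimeDateStamp recording when the linker produced it. The Python below is an added example (not Symantec's tooling, and not the exploit) showing how an analyst compares that stamp against the March 12, 2024 patch date. The sample binaries and their build dates are constructed here; the plausibility window is an assumed heuristic, and the timestamp is attacker-controlled, so a "predates-patch" result is corroborating evidence rather than proof.

```python
"""Compare a PE file's COFF build timestamp with a patch release date.

Added example; the sample PE images below are constructed test data,
not binaries from the attack Symantec investigated.
"""
import struct
from datetime import datetime, timezone

# Patch date named in the article (March 2024 Patch Tuesday).
PATCH_RELEASE = datetime(2024, 3, 12, tzinfo=timezone.utc)
# Assumed analyst heuristic: a stamp earlier than this is treated as zeroed or forged.
EARLIEST_PLAUSIBLE = datetime(2015, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout: 'MZ' DOS header; e_lfanew (DWORD at 0x3C) points at the 'PE\\0\\0'
    signature, followed by the 20-byte COFF header whose bytes 4..7 are
    TimeDateStamp (seconds since the Unix epoch).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify(data: bytes, patch_release: datetime = PATCH_RELEASE, now=None) -> str:
    """Classify a binary's build time relative to a patch release.

    Returns 'not-a-pe', 'implausible-timestamp', 'predates-patch' or
    'postdates-patch'. The stamp is set by whoever built the file (and
    Microsoft's own reproducible builds store a hash there, not a time),
    so treat 'predates-patch' as a lead to corroborate, not a verdict.
    """
    now = now or datetime.now(timezone.utc)
    try:
        built = pe_timestamp(data)
    except ValueError:
        return "not-a-pe"
    if built < EARLIEST_PLAUSIBLE or built > now:
        return "implausible-timestamp"
    return "predates-patch" if built < patch_release else "postdates-patch"


def build_sample_pe(compiled_on: str) -> bytes:
    """Construct a minimal, non-runnable PE image (DOS header + signature +
    COFF header) whose TimeDateStamp is the given ISO-8601 UTC date.
    Constructed test data only."""
    stamp = int(datetime.fromisoformat(compiled_on)
                .replace(tzinfo=timezone.utc).timestamp())
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the stub
    # Machine=AMD64, 0 sections, TimeDateStamp, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE.
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    samples = [  # constructed dates, not the real tool's timestamps
        ("suspected exploit tool", "2024-02-20"),
        ("rebuilt after patch", "2024-04-01"),
        ("zeroed stamp", "1970-01-01"),
    ]
    for label, date in samples:
        image = build_sample_pe(date)
        print(f"{label:22} built {pe_timestamp(image):%Y-%m-%d} -> {classify(image)}")
```

On a real sample, pass the file's bytes to `classify` and cross-check the stamp against the PDB path and export timestamp in the debug directory, version resources, and the earliest telemetry sighting; agreement across independent artifacts is what turns a timestamp into a zero-day claim.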
The exploit tool was deployed in a recent attempted ransomware attack investigated by Symantec’s Threat Hunter Team.
Researchers said that while the attackers didn't succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity.
These included the use of batch scripts masquerading as software updates.
"Although no payload was deployed, the similarities in TTPs make it highly likely it was a failed Black Basta attack," the firm said.
Black Basta, also known as Cardinal, Storm-1811, and UNC4393, has been around since 2022, and is believed to have emerged from the Conti ransomware group, which shut down that year.
Since then, it's targeted more than 500 organizations, many in the healthcare industry. The group has reportedly earned more than $100 million through its attacks. It's been closely linked with the Qakbot botnet, which appeared to be its primary infection vector.
While Qakbot was taken down in August 2023, this only led to a dip in Black Basta activity. The group has since resumed its attacks and now appears to have switched to working with the operators of the DarkGate loader to obtain access to potential victims.
Kevin Robertson, chief operations officer and co-founder of security firm Acumen, said any organizations that haven't yet patched the flaw should do so immediately.
"When Microsoft patched CVE-2024-26169 back in March, it said there was no evidence it had been exploited, but it now appears this might not be the case. This could have put organizations into a false sense of security, believing they were one step ahead of threat actors, when they were actually one step behind," he said.
"Software vendors have a duty to continuously hunt for and remediate vulnerabilities; otherwise, they are putting their customers at serious risk. They also have a duty to investigate if vulnerabilities have been exploited in the wild before patches are released, because this could result in organizations missing compromises.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.