Black Basta may have exploited Microsoft flaw before a patch was issued
Symantec says it found evidence the flaw was exploited as a zero-day, despite Microsoft statement
The Black Basta ransomware group appears to have exploited a Windows privilege escalation vulnerability before Microsoft was able to issue a patch.
According to Symantec, the vulnerability - CVE-2024-26169 - occurs in the Windows Error Reporting Service, and if exploited on affected systems can allow an attacker to elevate their privileges.
The vulnerability was patched on March 12 this year, with Microsoft reassuring users there was no evidence that it had been exploited in the wild.
However, researchers at Symantec said analysis of an exploit tool deployed in recent attacks shows it could have been compiled before the patch was released - meaning that at least one group may have been exploiting the vulnerability as a zero-day.
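The "compiled before the patch" inference above rests on the PE compile timestamp (the `TimeDateStamp` field in the COFF file header). The following added example, which is not Symantec's tooling or any code from the article, shows how an analyst extracts that field from a Windows executable and compares it with the March 12 patch date; the sample PE bytes are constructed inline, and the helper names are this example's own. Note that this field is set by the linker and is attacker-controlled, so a pre-patch value is corroborating evidence, not proof, which is why the researchers say the tool "could have been" compiled early.

```python
import struct
from datetime import datetime, timezone

# Patch date given in the article (Microsoft fixed CVE-2024-26169 on March 12, 2024).
PATCH_DATE = datetime(2024, 3, 12, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def compiled_before_patch(data: bytes, patch_date: datetime = PATCH_DATE) -> bool:
    """True when the binary's linker timestamp predates the vendor patch.

    Only a hint: the timestamp is written by the linker and can be forged or
    zeroed, so treat it as one indicator to corroborate with other evidence.
    """
    return pe_timestamp(data) < patch_date


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE (DOS stub + signature + COFF header) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> right after the DOS header
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,      # Machine: x86-64
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp (seconds since the Unix epoch)
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0, 0,        # SizeOfOptionalHeader, Characteristics
    )
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed samples: one linked 2024-02-27, one linked 2024-04-01.
    for ts in (1708992000, 1711929600):
        sample = build_sample_pe(ts)
        print(pe_timestamp(sample).isoformat(), "pre-patch:", compiled_before_patch(sample))
```

On a real sample, read the file bytes and pass them to `pe_timestamp`; a zero or implausible value (far future, or the 1970 epoch) is itself a sign the field was tampered with and should be cross-checked against the timestamps of the binary's debug directory and any embedded signature.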
The exploit tool was deployed in a recent attempted ransomware attack investigated by Symantec’s Threat Hunter Team.
Researchers said that while the attackers didn't succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity.
These included the use of batch scripts masquerading as software updates.
"Although no payload was deployed, the similarities in TTPs make it highly likely it was a failed Black Basta attack," the firm said.
Black Basta, also known as Cardinal, Storm-1811, and UNC4393, has been around since 2022, and is believed to have emerged from the Conti ransomware group, which shut down that year.
Since then, it's targeted more than 500 organizations, many in the healthcare industry. The group has reportedly earned more than $100 million through its attacks. It's been closely linked with the Qakbot botnet, which appeared to be its primary infection vector.
While Qakbot was taken down in August 2023, this only led to a dip in Black Basta activity. The group has since resumed its attacks and now appears to have switched to working with the operators of the DarkGate loader to obtain access to potential victims.
Kevin Robertson, chief operations officer and co-founder of security firm Acumen, said any organizations that haven't yet patched the flaw should do so immediately.
"When Microsoft patched CVE-2024-26169 back in March, it said there was no evidence it had been exploited, but it now appears this might not be the case. This could have put organizations into a false sense of security, believing they were one step ahead of threat actors, when they were actually one step behind," he said.
"Software vendors have a duty to continuously hunt for and remediate vulnerabilities; otherwise, they are putting their customers at serious risk. They also have a duty to investigate if vulnerabilities have been exploited in the wild before patches are released, because this could result in organizations missing compromises."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.