The Black Basta ransomware group appears to have exploited a Windows privilege escalation vulnerability before Microsoft was able to issue a patch.
According to Symantec, the vulnerability - CVE-2024-26169 - occurs in the Windows Error Reporting Service, and if exploited on affected systems can allow an attacker to elevate their privileges.
The vulnerability was patched on March 12 this year, with Microsoft reassuring users there was no evidence that it had been exploited in the wild.
However, researchers at Symantec said analysis of an exploit tool deployed in recent attacks shows it could have been compiled before the patch was released - meaning that at least one group may have been exploiting the vulnerability as a zero-day.
The exploit tool was deployed in a recent attempted ransomware attack investigated by Symantec’s Threat Hunter Team.
Researchers said that while the attackers didn't succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity.
These included the use of batch scripts masquerading as software updates.
"Although no payload was deployed, the similarities in TTPs makes it highly likely it was a failed Black Basta attack," the firm said.
Black Basta, also known as Cardinal, Storm-1811, and UNC4393, has been around since 2022, and is believed to have emerged from the Conti ransomware group, which shut down that year.
Since then, it's targeted more than 500 organizations, many in the healthcare industry. The group has reportedly earned more than $100 million through its attacks. It's been closely linked with the Qakbot botnet, which appeared to be its primary infection vector.
While Qakbot was taken down in August 2023, this only led to a dip in Black Basta activity. The group has since resumed its attacks and now appears to have switched to working with the operators of the DarkGate loader to obtain access to potential victims.
Kevin Robertson, chief operations officer and co-founder of security firm Acumen, said any organizations that haven't yet patched the flaw should do so immediately.
RELATED WHITEPAPER
"When Microsoft patched CVE-2024-26169 back in March, it said there was no evidence it had been exploited, but it now appears this might not be the case. This could have put organizations into a false sense of security, believing they were one step ahead of threat actors, when they were actually one step behind," he said.
"Software vendors have a duty to continuously hunt for and remediate vulnerabilities; otherwise, they are putting their customers at serious risk. They also have a duty to investigate if vulnerabilities have been exploited in the wild before patches are released, because this could result in organizations missing compromises.”
-
Cisco takes aim at AI security at RSAC with ServiceNow partnershipNews The companies claim Cisco AI Defense and ServiceNow SecOps will help address new challenges raised by AI
-
Why veterans can excel in data centers – and could help the IT sector address its skill shortagesIn-depth Ex-military workers can bring software and hardware to civilian roles
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptakeNews Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
-
Hackers are on a huge Microsoft 365 password spraying spree – here’s what you need to knowNews A botnet made up of 130,000 compromised devices has been conducting a huge password spraying campaign targeting Microsoft 365 accounts.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Microsoft is increasing payouts for its Copilot bug bounty programNews Microsoft has expanded the bug bounty program for its Copilot lineup, boosting payouts and adding coverage of WhatsApp and Telegram tools.
-
Hackers are using this new phishing technique to bypass MFANews Microsoft has warned that a threat group known as Storm-2372 has altered its tactics using a specific ‘device code phishing’ technique to bypass MFA and steal access tokens.
-
A new phishing campaign is exploiting Microsoft’s legacy ADFS identity solution to steal credentials and bypass MFANews Researchers at Abnormal Security have warned of a new phishing campaign targeting Microsoft's Active Directory Federation Services (ADFS) secure access system.
-
Hackers are using Microsoft Teams to conduct “email bombing” attacksNews Experts told ITPro that tactics like this are on the rise, and employees must be trained effectively
-
Microsoft files suit against threat actors abusing AI services
News Cyber criminals are accused of using stolen credentials for an illegal hacking as a service operation
