Black Basta may have exploited Microsoft flaw before a patch was issued
Symantec says it found evidence the flaw was exploited as a zero-day, despite Microsoft statement


The Black Basta ransomware group appears to have exploited a Windows privilege escalation vulnerability before Microsoft was able to issue a patch.
According to Symantec, the vulnerability - CVE-2024-26169 - occurs in the Windows Error Reporting Service, and if exploited on affected systems can allow an attacker to elevate their privileges.
The vulnerability was patched on March 12 this year, with Microsoft reassuring users there was no evidence that it had been exploited in the wild.
However, researchers at Symantec said analysis of an exploit tool deployed in recent attacks shows it could have been compiled before the patch was released - meaning that at least one group may have been exploiting the vulnerability as a zero-day.
The exploit tool was deployed in a recent attempted ransomware attack investigated by Symantec’s Threat Hunter Team.
Researchers said that while the attackers didn't succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity.
These included the use of batch scripts masquerading as software updates.
"Although no payload was deployed, the similarities in TTPs makes it highly likely it was a failed Black Basta attack," the firm said.
Black Basta, also known as Cardinal, Storm-1811, and UNC4393, has been around since 2022, and is believed to have emerged from the Conti ransomware group, which shut down that year.
Since then, it's targeted more than 500 organizations, many in the healthcare industry. The group has reportedly earned more than $100 million through its attacks. It's been closely linked with the Qakbot botnet, which appeared to be its primary infection vector.
While Qakbot was taken down in August 2023, this only led to a dip in Black Basta activity. The group has since resumed its attacks and now appears to have switched to working with the operators of the DarkGate loader to obtain access to potential victims.
Kevin Robertson, chief operations officer and co-founder of security firm Acumen, said any organizations that haven't yet patched the flaw should do so immediately.
"When Microsoft patched CVE-2024-26169 back in March, it said there was no evidence it had been exploited, but it now appears this might not be the case. This could have put organizations into a false sense of security, believing they were one step ahead of threat actors, when they were actually one step behind," he said.
"Software vendors have a duty to continuously hunt for and remediate vulnerabilities; otherwise, they are putting their customers at serious risk. They also have a duty to investigate if vulnerabilities have been exploited in the wild before patches are released, because this could result in organizations missing compromises."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.