Black Basta may have exploited Microsoft flaw before a patch was issued
Symantec says it found evidence the flaw was exploited as a zero-day, despite Microsoft statement
The Black Basta ransomware group appears to have exploited a Windows privilege escalation vulnerability before Microsoft was able to issue a patch.
According to Symantec, the vulnerability - CVE-2024-26169 - occurs in the Windows Error Reporting Service, and if exploited on affected systems can allow an attacker to elevate their privileges.
The vulnerability was patched on March 12 this year, with Microsoft reassuring users there was no evidence that it had been exploited in the wild.
However, researchers at Symantec said analysis of an exploit tool deployed in recent attacks shows it could have been compiled before the patch was released - meaning that at least one group may have been exploiting the vulnerability as a zero-day.
The exploit tool was deployed in a recent attempted ransomware attack investigated by Symantec’s Threat Hunter Team.
Researchers said that while the attackers didn't succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity.
These included the use of batch scripts masquerading as software updates.
"Although no payload was deployed, the similarities in TTPs makes it highly likely it was a failed Black Basta attack," the firm said.
Black Basta, also known as Cardinal, Storm-1811, and UNC4393, has been around since 2022, and is believed to have emerged from the Conti ransomware group, which shut down that year.
Since then, it's targeted more than 500 organizations, many in the healthcare industry. The group has reportedly earned more than $100 million through its attacks. It's been closely linked with the Qakbot botnet, which appeared to be its primary infection vector.
While Qakbot was taken down in August 2023, this only led to a dip in Black Basta activity. The group has since resumed its attacks and now appears to have switched to working with the operators of the DarkGate loader to obtain access to potential victims.
Kevin Robertson, chief operations officer and co-founder of security firm Acumen, said any organizations that haven't yet patched the flaw should do so immediately.
RELATED WHITEPAPER
"When Microsoft patched CVE-2024-26169 back in March, it said there was no evidence it had been exploited, but it now appears this might not be the case. This could have put organizations into a false sense of security, believing they were one step ahead of threat actors, when they were actually one step behind," he said.
"Software vendors have a duty to continuously hunt for and remediate vulnerabilities; otherwise, they are putting their customers at serious risk. They also have a duty to investigate if vulnerabilities have been exploited in the wild before patches are released, because this could result in organizations missing compromises.”
-
Marc Benioff says hiring in software engineering is ‘mostly flat’ at Salesforce because of AINews Salesforce CEO Marc Benioff has revealed hiring for software engineering has dipped as a result of AI, but the CRM giant is ramping up recruitment in other key areas to push its agentic agenda.
-
Are AI browsers a golden opportunity or cybersecurity nightmare?In-depth AI browsers are on the rise despite the concrete risks associated with using them
-
Microsoft just took down notorious cyber crime marketplace RedVDS – and found hackers were using ChatGPT and its own Copilot tool to wage attacksNews Microsoft worked closely with law enforcement to take down the notorious RedVDS cyber crime service – and found tools like ChatGPT and its own Copilot were being used by hackers.
-
These Microsoft Teams security features will be turned on by default this month – here's what admins need to knowNews From 12 January, weaponizable file type protection, malicious URL detection, and a system for reporting false positives will all be automatically activated.
-
The Microsoft bug bounty program just got a big update — and even applies to third-party codeNews Microsoft is expanding its bug bounty program to cover all of its products, even those that haven't previously been covered by a bounty before and even third-party code.
-
Microsoft Teams is getting a new location tracking feature that lets bosses snoop on staff – research shows it could cause workforce pushback
News A new location tracking feature in Microsoft Teams will make it easier to keep tabs on your colleague's activities – and for your boss to know exactly where you are.
-
Microsoft opens up Entra Agent ID preview with new AI featuresNews Microsoft Entra Agent ID aims to help manage influx of AI agents using existing tools
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
CISA just published crucial new guidance on keeping Microsoft Exchange servers secureNews With a spate of attacks against Microsoft Exchange in recent years, CISA and the NSA have published crucial new guidance for organizations to shore up defenses.
-
CISA issues alert after botched Windows Server patch exposes critical flawNews A critical remote code execution flaw in Windows Server is being exploited in the wild, despite a previous 'fix'
