UPDATED 20:04 EDT / JUNE 12 2024


Black Basta suspected of using patched Windows flaw in recent cyber attacks

A new report released today by the Threat Hunter Team at Symantec warns that attackers linked to the Black Basta ransomware gang may be exploiting a recently patched Windows privilege escalation vulnerability.

The vulnerability – CVE-2024-26169 – is found in the Windows Error Reporting Service and if exploited, can permit an attacker to elevate their privileges. The vulnerability was patched in March with Microsoft Corp. saying at the time that there was no evidence of its exploitation in the wild; however, fast-forward to June and that has changed.

Symantec’s researchers found that an exploit tool deployed in recent attacks showed evidence of having been compiled before the patch was released, meaning that a group may have been exploiting the vulnerability as a zero-day. More recent attacks, although unsuccessful, closely resembled those of Black Basta, sharing the same tactics, techniques and procedures (TTPs) and using batch scripts masquerading as software updates.

“Although no payload was deployed, the similarities in TTPs makes it highly likely it was a failed Black Basta attack,” the researchers note.

The Black Basta gang first appeared in April 2022 and was believed at the time to be an offshoot of the Conti ransomware gang. Black Basta has previously used QakBot malware to create an initial point of entry and move laterally within an organization’s network.

Discussing the news, Jim Routh, chief trust officer at cybersecurity company Saviynt Inc., told SiliconANGLE that “these exploits are not necessarily zero-days based on the updates being available for months, but they appear to have been successful ransomware-as-a-service attacks before the Windows patches were installed by the victimized enterprises. Escalation of privileges in Windows is critical for ransomware attacks to both exfiltrate and encrypt data at scale.”

Callie Guenther, senior manager of cyber threat research at managed detection and response firm Critical Start Inc., commented that “the exploitation of CVE-2024-26169 by Black Basta highlights the threat posed by ransomware groups utilizing zero-day vulnerabilities.”

“From an intelligence perspective, this incident demonstrates the evolving tactics of cybercriminal groups, particularly their ability to deploy sophisticated tools and strategies quickly,” Guenther added. “Black Basta’s use of batch scripts disguised as software updates to establish persistence and their leveraging of the DarkGate loader for initial infection emphasizes the need for comprehensive threat intelligence and monitoring.”

Image: Needpix
