UPDATED 20:04 EDT / JUNE 12 2024

SECURITY

Black Basta suspected of using patched Windows flaw in recent cyberattacks

A new report released today by the Threat Hunter Team at Symantec warns that attackers linked to the Black Basta ransomware gang may be exploiting a recently patched Windows privilege escalation vulnerability.

The vulnerability, designated CVE-2024-26169, is found in the Windows Error Reporting Service and allows an attacker who already has a foothold on a machine to elevate to SYSTEM privileges. The vulnerability was patched in the March 2024 Patch Tuesday release, and Microsoft Corp. assessed it at the time as not exploited in the wild. By June, that assessment no longer holds.

Symantec's researchers found that an exploit tool deployed in recent attacks carries a compilation timestamp that predates the patch, which suggests at least one group was exploiting the vulnerability as a zero-day before the fix shipped. A caveat practitioners will recognize: a PE file's compile timestamp is a field the attacker controls and can set to any value, so it is a lead rather than proof. More recent attacks, while unsuccessful, were highly similar to known Black Basta activity, sharing its tactics, techniques and procedures, or TTPs, including batch scripts masquerading as software updates.
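The compile-time argument above rests on one field in the PE header, the COFF TimeDateStamp. The following script is an added example, not code from Symantec's report or from the article, showing how an analyst would triage that field against the patch release date while flagging values that cannot be genuine. The March 12, 2024 release date is Microsoft's Patch Tuesday for that month; the sample images, file names and timestamps are constructed here for illustration and are not real binaries.

```python
"""Triage a PE image's compile timestamp against a patch release date.

Added example: a practitioner's version of the "compiled before the patch"
check. The PE images used below are constructed by make_stub_pe() and are
header-only fixtures, not executables.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# March 2024 Patch Tuesday, when Microsoft shipped the fix for CVE-2024-26169.
PATCH_RELEASE = datetime(2024, 3, 12, tzinfo=timezone.utc)

# No real MSVC or LLVM build predates this; earlier values mean the field was
# forged or holds a reproducible-build hash (MSVC /Brepro writes a content hash
# into TimeDateStamp instead of a time).
EARLIEST_PLAUSIBLE = datetime(1995, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    # COFF file header follows the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify(data: bytes, patch_release: datetime = PATCH_RELEASE,
             now: Optional[datetime] = None) -> dict:
    """Compare a sample's compile timestamp with the patch release date.

    Verdicts: 'implausible' (forged or /Brepro hash), 'pre-patch' (compiled
    before the fix shipped, consistent with zero-day use) and 'post-patch'.
    The field is attacker-controlled, so 'pre-patch' is a lead, not proof.
    """
    now = now or datetime.now(timezone.utc)
    stamp = pe_timestamp(data)
    if stamp < EARLIEST_PLAUSIBLE or stamp > now + timedelta(days=1):
        verdict = "implausible"
    elif stamp < patch_release:
        verdict = "pre-patch"
    else:
        verdict = "post-patch"
    return {"compiled": stamp.isoformat(), "verdict": verdict}


def make_stub_pe(stamp: int, machine: int = 0x8664) -> bytes:
    """Constructed fixture: just the header layout pe_timestamp() parses."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    # Signature + COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\x00\x00", machine, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + coff


# Constructed samples (epoch seconds, UTC). Names and dates are made up.
SAMPLES = {
    "update.exe": make_stub_pe(1708387200),   # 2024-02-20, before the March fix
    "svc.exe": make_stub_pe(1714521600),      # 2024-05-01, after the fix
    "brepro.dll": make_stub_pe(0xDEADBEEF),   # hash-like value decoding to 2088
}


def triage(samples: dict) -> dict:
    """Map each sample name to its verdict; skips anything that is not a PE."""
    results = {}
    for name, data in samples.items():
        try:
            results[name] = classify(data)["verdict"]
        except ValueError as exc:
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} {classify(data)}")
```

Run against a real sample (`classify(open(path, "rb").read())`), a "pre-patch" verdict should be corroborated with evidence the attacker cannot rewrite as easily, such as the first-seen date of the file hash in telemetry or the dates of the incidents it was recovered from.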

“Although no payload was deployed, the similarities in TTPs make it highly likely it was a failed Black Basta attack,” the researchers noted.

The Black Basta gang first appeared in April 2022 and was believed at the time to be an offshoot of the Conti ransomware gang. Black Basta has previously used QakBot malware to create an initial point of entry and move laterally within an organization’s network.

Discussing the news, Jim Routh, chief trust officer at cybersecurity company Saviynt Inc., told SiliconANGLE that “these exploits are not necessarily zero-days based on the updates being available for months, but they appear to have been successful ransomware-as-a-service attacks before the Windows patches were installed by the victimized enterprises. Escalation of privileges in Windows is critical for ransomware attacks to both exfiltrate and encrypt data at scale.”

Callie Guenther, senior manager of cyber threat research at managed detection and response firm Critical Start Inc., said that “the exploitation of the vulnerability by Black Basta highlights the threat posed by ransomware groups using zero-day or previously unknown vulnerabilities.

“From an intelligence perspective, this incident demonstrates the evolving tactics of cybercriminal groups, particularly their ability to deploy sophisticated tools and strategies quickly,” Guenther added. “Black Basta’s use of batch scripts disguised as software updates to establish persistence and their leveraging of the DarkGate loader for initial infection emphasizes the need for comprehensive threat intelligence and monitoring.”

Image: Needpix
