A new report released today by the Threat Hunter Team at Symantec warns that attackers linked to the Black Basta ransomware gang may be exploiting a recently patched Windows privilege escalation vulnerability.

The vulnerability, designated CVE-2024-26169, is found in the Windows Error Reporting Service and if exploited, can permit attackers to elevate their privileges. The vulnerability was patched in March and Microsoft Corp. said at the time that there was no evidence of its exploitation in the wild. But fast-forward to June and that has changed.

Symantec’s researchers have found that an exploit tool deployed in recent attacks revealed evidence that it could have been compiled prior to patching, meaning that a group may have been exploiting the vulnerability. More recent attacks, while not successful, were highly similar to those of Black Basta, including the use of tactics, techniques and procedures, or TTPs, and the use of batch scripts masquerading as software updates.

“Although no payload was deployed, the similarities in TTPs makes it highly likely it was a failed Black Basta attack,” the researchers noted.

The Black Basta gang first appeared in April 2022 and was believed at the time to be an offshoot of the Conti ransomware gang. Black Basta has previously used QakBot malware to create an initial point of entry and move laterally within an organization’s network.

Discussing the news, Jim Routh, chief trust officer at cybersecurity company Saviynt Inc. told SiliconANGLE that “these exploits are not necessarily zero-days based on the updates being available for months, but they appear to have been successful ransomware-as-a-service attacks before the Windows patches were installed by the victimized enterprises. Escalation of privileges in Windows is critical for ransomware attacks to both exfiltrate and encrypt data at scale.”

Callie Guenther, senior manager of cyber threat research at managed detection and response firm Critical Start Inc., said that “the exploitation of the vulnerability by Black Basta highlights the threat posed by ransomware groups using zero-day or previously unknown vulnerabilities.

“From an intelligence perspective, this incident demonstrates the evolving tactics of cybercriminal groups, particularly their ability to deploy sophisticated tools and strategies quickly,” Guenther added. “Black Basta’s use of batch scripts disguised as software updates to establish persistence and their leveraging of the DarkGate loader for initial infection emphasizes the need for comprehensive threat intelligence and monitoring.”

Image: Needpix