Black Basta Ransomware Suspected of Exploiting Windows 0-day Before Patch


The notorious Black Basta ransomware group is believed to have taken advantage of a high-severity Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day exploit before Microsoft released a fix.

This critical security vulnerability in the Windows Error Reporting Service allowed threat actors to gain SYSTEM-level privileges, significantly increasing their control over infected systems.

Microsoft addressed the issue on March 12, 2024, through its regular Patch Tuesday updates. Despite the vendor’s claim that there was no active exploitation of the vulnerability, a new report by Symantec, shared with Hackread.com ahead of publication on Wednesday, reveals that the Cardinal cybercrime group (also known as Storm-1811 and UNC4394) and the operators of the Black Basta gang have been actively exploiting CVE-2024-26169.

According to the Threat Hunter Team at Symantec, there is strong evidence suggesting that the vulnerability was leveraged as a zero-day exploit. The term “zero-day” refers to the use of a vulnerability before it has been publicly known or patched, giving attackers a significant advantage.

Symantec examined an attempted ransomware attack where an exploit tool for CVE-2024-26169 was employed after initial infection by the DarkGate loader, a malware frequently used by Black Basta since the QakBot takedown.

The attackers used batch scripts disguised as software updates to execute malicious commands and maintain persistence on compromised systems, a hallmark tactic of the Black Basta group.
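The batch-script tradecraft described above is something defenders can hunt for in process-creation telemetry. The following is an added illustration written for this article, not code from Symantec's report or from the threat actor: it runs a small heuristic over constructed process-creation records (Sysmon Event ID 1 style fields) and flags `cmd.exe` executing a `.bat` whose name imitates an updater from a user-writable directory, as well as persistence registrations (scheduled task creation or Run-key writes) that point at such a script. Field names, paths and sample values are all constructed for the example.

```python
"""Heuristic detector for update-themed batch scripts and persistence.

Added example for illustration only; not from the article or the report.
Input records are constructed to resemble Sysmon Event ID 1 fields
(Image, ParentImage, CommandLine). All paths and names are made up.
"""
import re
from dataclasses import dataclass

# Locations a standard user can write to. A genuine vendor updater
# normally runs from Program Files, not from here. (Constructed list.)
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\)", re.I
)
# A .bat whose name borrows updater vocabulary.
UPDATE_LIKE_BAT = re.compile(r"[\w-]*(update|upgrade|patch|install)[\w-]*\.bat\b", re.I)
# Two common persistence primitives: schtasks /create and a Run-key write.
PERSISTENCE = re.compile(
    r"(schtasks(\.exe)?\s+/create|reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run)", re.I
)


@dataclass
class Finding:
    record_no: int   # 1-based index of the offending record
    reason: str
    command: str


def analyze(records):
    """Return a list of Finding objects for records matching the heuristics."""
    findings = []
    for i, rec in enumerate(records, 1):
        cmd = rec.get("CommandLine", "")
        image = rec.get("Image", "").lower()
        parent = rec.get("ParentImage", "").lower()

        # Rule 1: cmd.exe runs an update-named batch file from a user-writable path.
        if (image.endswith("cmd.exe") and UPDATE_LIKE_BAT.search(cmd)
                and USER_WRITABLE.search(cmd)):
            findings.append(Finding(i, "update-named batch script executed from user-writable path", cmd))

        # Rule 2: persistence registration that references such a script,
        # or that is itself spawned by cmd.exe (typical for a batch file).
        if PERSISTENCE.search(cmd) and (UPDATE_LIKE_BAT.search(cmd) or parent.endswith("cmd.exe")):
            findings.append(Finding(i, "persistence registration referencing batch script", cmd))
    return findings


# Constructed sample telemetry: one benign updater, one benign Run-key write,
# and two records that reproduce the disguised-batch-script pattern.
SAMPLE_RECORDS = [
    {"Image": r"C:\Program Files\VendorApp\updater.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\VendorApp\updater.exe" /silent'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\WindowsUpdate.bat"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /sc onlogon '
                    r'/tr "C:\Users\alice\AppData\Local\Temp\WindowsUpdate.bat"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Program Files\VendorApp\setup.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                    r'/v VendorApp /t REG_SZ /d "C:\Program Files\VendorApp\app.exe"'},
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"record {f.record_no}: {f.reason}\n    {f.command}")
```

Running the script reports only records 2 and 3; the vendor updater and the Run-key entry that points at a Program Files binary pass clean. The heuristics are deliberately narrow (name vocabulary plus an untrusted path plus a persistence primitive) so that they can be tuned against a real environment's baseline rather than alerting on every batch file.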

According to Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit, although Black Basta may not be as widely recognized as other ransomware threats, it ranks among the top ten globally.

In 2023, the group escalated pressure on victims by releasing sensitive credentials and IP addresses, enabling further attacks unless ransom demands were met. These aggressive tactics, coupled with Black Basta’s prevalence, highlight the need for prioritized patching of CVE-2024-26169, which is now being targeted by the group, Ken emphasised.

This latest finding once again highlights the importance of staying updated with security patches and maintaining proper cybersecurity measures to protect against emerging threats like the Black Basta ransomware gang.

