Highlights:

  • Symantec researchers found that an exploit tool used in recent attacks shows signs of having been compiled before the patch was released, suggesting the group may have exploited the vulnerability as a zero-day.
  • When the Black Basta gang first surfaced in April 2022, it was thought to be an offshoot of the Conti ransomware group.

A new report from Symantec's Threat Hunter Team warns that the Black Basta ransomware gang appears to have exploited a now-patched Windows privilege escalation vulnerability, possibly before the fix was available.

The flaw, tracked as CVE-2024-26169, is an elevation-of-privilege vulnerability in the Windows Error Reporting Service; a local attacker who exploits it can gain SYSTEM privileges. A bug of this class does not provide initial access on its own: it is used after a foothold has been obtained to step up from an ordinary user account to SYSTEM, which is exactly what a ransomware operator needs before disabling defenses and encrypting at scale. When Microsoft Corp. patched the flaw in March 2024, the company said it had no evidence of in-the-wild exploitation. By June, that assessment no longer held.

Symantec's researchers found that an exploit tool used in recent attacks shows signs of having been compiled before the patch was released, which suggests the group may have exploited the vulnerability as a zero-day. Although the recent attacks did not succeed, they closely resembled earlier Black Basta activity: they used the same tactics, techniques and procedures (TTPs), including batch scripts disguised as software updates.

“Although no payload was deployed, the similarities in TTPs make it highly likely it was a failed Black Basta attack,” the researchers reported.
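As an added illustration of the batch-script TTP described above (example code written for this page, not Symantec's analysis or any Black Basta tooling): a heuristic that flags process-creation events in which cmd.exe runs a .bat or .cmd file whose name mimics a software update, when that script also lives in a user-writable location or was launched by a scheduled-task or service host. The Sysmon-style JSON field names, the lure word list, the directory list, the parent-process list and the sample events are all assumptions constructed for the example, not indicators taken from the report.

```python
"""Heuristic detector for batch scripts masquerading as software updates.

Added example, not code from the Symantec report or from any threat actor.
Event format (Sysmon-style process-creation records as JSON lines), lure
words, suspect directories and parent processes are assumptions; the sample
events are constructed, not real telemetry.
"""
import json
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Words that make a script name look like a vendor update (assumed lure list).
UPDATE_WORDS = re.compile(r"update|upgrade|patch|hotfix", re.I)

# Locations from which a legitimate updater rarely runs a .bat (assumed).
SUSPECT_DIRS = ("c:\\users\\", "c:\\windows\\temp\\",
                "c:\\programdata\\", "c:\\perflogs\\")

# Parents that indicate a scheduled task or service launched the script (assumed).
PERSISTENCE_PARENTS = {"svchost.exe", "taskeng.exe", "services.exe"}

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    json.dumps({"Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd.exe /c C:\\Users\\jdoe\\AppData\\Local\\Temp\\windows_update.bat",
                "ParentImage": "C:\\Windows\\System32\\svchost.exe"}),
    json.dumps({"Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd.exe /c \"C:\\Program Files\\Vendor\\update.bat\"",
                "ParentImage": "C:\\Program Files\\Vendor\\updater.exe"}),
    json.dumps({"Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd.exe /c C:\\Users\\jdoe\\build.bat",
                "ParentImage": "C:\\Windows\\explorer.exe"}),
    json.dumps({"Image": "C:\\Windows\\System32\\notepad.exe",
                "CommandLine": "notepad.exe update.bat",
                "ParentImage": "C:\\Windows\\explorer.exe"}),
]


def extract_bat_path(cmdline: str) -> Optional[str]:
    """Return the first absolute .bat/.cmd path in a command line, or None."""
    m = re.search(r'([A-Za-z]:\\[^"]*?\.(?:bat|cmd))\b', cmdline, re.I)
    return m.group(1) if m else None


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the heuristic reasons this event looks like a disguised update
    script; an empty list means the event is not flagged."""
    reasons: List[str] = []
    if PureWindowsPath(ev.get("Image", "")).name.lower() != "cmd.exe":
        return reasons
    bat = extract_bat_path(ev.get("CommandLine", ""))
    if bat is None:
        return reasons
    if UPDATE_WORDS.search(PureWindowsPath(bat).name):
        reasons.append("update-like name")
    if bat.lower().startswith(SUSPECT_DIRS):
        reasons.append("user-writable path")
    if PureWindowsPath(ev.get("ParentImage", "")).name.lower() in PERSISTENCE_PARENTS:
        reasons.append("launched by task/service host")
    # The lure alone is noisy (real updaters run update.bat too), so require
    # at least one corroborating context signal before alerting.
    if "update-like name" in reasons and len(reasons) >= 2:
        return reasons
    return []


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run score_event over JSON-line events and return the flagged ones."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append({"path": extract_bat_path(ev["CommandLine"]),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["path"], "->", ", ".join(hit["reasons"]))
```

Run against the constructed events, only the first one is flagged: the vendor's own `update.bat` has an update-like name but neither context signal, and the script in the user profile has the location but not the lure, so both stay quiet. In production the lure list and directory list would be tuned to the estate, and the alert would be enriched with the script's contents and hash rather than relying on its name.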

When the Black Basta gang first surfaced in April 2022, it was thought to be an offshoot of the Conti ransomware group. Black Basta has historically gained initial access to an organization's network through the QakBot malware and then moved laterally from that foothold.

Chief Trust Officer at cybersecurity company Saviynt Inc., Jim Routh said, “These exploits are not necessarily zero-days based on the updates being available for months, but they appear to have been successful ransomware-as-a-service attacks before the victimized enterprises installed the Windows patches. Escalation of privileges in Windows is critical for ransomware attacks to both exfiltrate and encrypt data at scale.”

Callie Guenther, Senior Manager of cyber threat research at managed detection and response firm Critical Start Inc., stated that “The exploitation of the vulnerability by Black Basta highlights the threat posed by ransomware groups using zero-day or previously unknown vulnerabilities.”

“From an intelligence perspective, this incident demonstrates the evolving tactics of cybercriminal groups, particularly their ability to deploy sophisticated tools and strategies quickly. Black Basta’s use of batch scripts disguised as software updates to establish persistence and their leveraging of the DarkGate loader for initial infection emphasizes the need for comprehensive threat intelligence and monitoring,” added Guenther.