Ransomware Group May Have Exploited Windows Vulnerability as Zero-Day

The Black Basta ransomware gang may have exploited the Windows privilege escalation flaw CVE-2024-26169 before it was patched.

A known ransomware group may have exploited a recently patched Windows privilege escalation vulnerability before Microsoft released a fix, Symantec reported on Wednesday.

The flaw in question, tracked as CVE-2024-26169 and classified as ‘important’, has been described as a Windows error reporting service privilege escalation vulnerability that can allow an attacker to obtain System privileges.

Microsoft’s advisory for CVE-2024-26169, which the tech giant released on March 12 when it patched the vulnerability, indicates that the company is not aware of malicious exploitation. In addition, the security bug has an exploitability assessment of ‘less likely’.

However, Broadcom’s Symantec says it has found evidence suggesting that the Black Basta ransomware group (aka Cardinal, Storm-1811 and UNC4393) may have actually exploited this vulnerability as a zero-day.

While investigating a ransomware attack, Symantec researchers uncovered a tool that appears to exploit CVE-2024-26169 to start a shell with administrative privileges.

The researchers uncovered two versions of this tool: one with a compilation timestamp of February 27, 2024, and one with a timestamp of December 18, 2023.

“Time stamp values in portable executables are modifiable, which means that a time stamp is not conclusive evidence that the attackers were using the exploit as a zero-day,” Symantec explained. “However, in this case there appears to be little motivation for the attackers to change the time stamp to an earlier date.”

Contacted by SecurityWeek, Microsoft stated, “This issue was addressed in March, and customers who apply the fix are protected. Our security software also includes detections to protect against the malware.”

A recent alert authored by multiple US government agencies showed that the Black Basta ransomware group hit more than 500 organizations around the world.

A report published last year estimated that 90 Black Basta victims paid over $100 million to the cybercriminals.

*updated with statement from Microsoft

Related: Black Basta, Bl00dy Ransomware Exploiting Recent ScreenConnect Flaws

Related: Windows Zero-Day Exploited in Attacks on Financial Market Traders

Related: Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.