Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Ransomware Group May Have Exploited Windows Vulnerability as Zero-Day

The Black Basta ransomware gang may have exploited the Windows privilege escalation flaw CVE-2024-26169 before it was patched.

A known ransomware group may have exploited a recently patched Windows privilege escalation vulnerability before Microsoft released a fix, Symantec reported on Wednesday.

The flaw in question, tracked as CVE-2024-26169 and classified as ‘important’, has been described as a Windows error reporting service privilege escalation vulnerability that can allow an attacker to obtain System privileges. 

Microsoft’s advisory for CVE-2024-26169, which the tech giant released on March 12 when it patched the vulnerability, indicates that the company is not aware of malicious exploitation. In addition, the security bug has an exploitability assessment of ‘less likely’. 

However, Broadcom’s Symantec says it has found evidence suggesting that the Black Basta ransomware group (aka Cardinal, Storm-1811 and UNC4393) may have actually exploited this vulnerability as a zero-day.

While investigating a ransomware attack, Symantec researchers uncovered a tool that appears to exploit CVE-2024-26169 to start a shell with administrative privileges.

The researchers uncovered two versions of this tool: one with a compilation timestamp of February 27, 2024, and one with a timestamp of December 18, 2023.

“Time stamp values in portable executables are modifiable, which means that a time stamp is not conclusive evidence that the attackers were using the exploit as a zero-day,” Symantec explained. “However, in this case there appears to be little motivation for the attackers to change the time stamp to an earlier date.”

Contacted by SecurityWeek, Microsoft stated, “This issue was addressed in March, and customers who apply the fix are protected. Our security software also includes detections to protect against the malware.”

Advertisement. Scroll to continue reading.

A recent alert authored by multiple US government agencies showed that the Black Basta ransomware group hit more than 500 organizations around the world. 

A report published last year estimated that 90 Black Basta victims paid over $100 million to the cybercriminals. 

*updated with statement from Microsoft

Related: Black Basta, Bl00dy Ransomware Exploiting Recent ScreenConnect Flaws

Related: Windows Zero-Day Exploited in Attacks on Financial Market Traders

Related: Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights