Black Basta ransomware gang may have exploited Windows flaw before it was patched

Summary: The content discusses the potential exploitation of a recently patched Windows vulnerability by the threat actor behind the Black Basta ransomware.

Threat Actor: Black Basta ransomware
Victim: Not specified

Key Points:

  • The Black Basta ransomware group may have used a recently patched Windows vulnerability as a zero-day exploit.
  • The vulnerability, tracked as CVE-2024-26169, was discovered in the Windows Error Reporting Service and could allow attackers to gain control over the entire system.
  • The flaw was patched in March, but a new analysis suggests that at least one group exploited it as a zero-day before the patch was released.

The group operating the notorious Black Basta ransomware may have exploited a recently patched Windows vulnerability as a zero-day, researchers have found.

In March, a high-severity flaw — tracked as CVE-2024-26169 — was discovered in the Windows Error Reporting Service, a feature in Windows that helps Microsoft identify and fix problems with the operating system and other software.

The successful exploitation of the vulnerability could allow attackers to gain control over the entire system.

The flaw was patched in March, and at the time Microsoft stated there was no evidence of its exploitation in the wild.

However, a new analysis by Symantec of an exploit tool deployed in recent attacks revealed evidence that the tool could have been created before the patch was released, meaning at least one group may have been exploiting the vulnerability as a zero-day.

Microsoft did not respond to a request for comment.

This exploit tool was used in a recently attempted ransomware attack similar to those described in a Microsoft report detailing Black Basta activity. The hacker group operating the ransomware, known as Cardinal or Storm-1811, did not succeed in deploying a ransomware payload in the attack, researchers said.

Cardinal introduced Black Basta in April 2022, and from its inception the ransomware was closely associated with the Qakbot botnet, which appeared to be its primary infection vector.

Qakbot was one of the world’s most prolific malware distribution botnets until it was taken down in August 2023, leading to a decline in Black Basta activity. Cardinal has since resumed attacks and now appears to have switched to working with the operators of the DarkGate loader to obtain access to potential victims, according to Symantec.


Source: https://therecord.media/black-basta-ransomware-zero-day-windows
