Black Basta ransomware gang may have exploited Windows flaw before it was patched

The group operating the notorious Black Basta ransomware may have exploited a recently patched Windows vulnerability as a zero-day, researchers have found.

In March, a high-severity flaw — tracked as CVE-2024-26169 — was discovered in the Windows Error Reporting Service, a feature in Windows that helps Microsoft identify and fix problems with the operating system and other software.

The successful exploitation of the vulnerability could allow attackers to gain control over the entire system.

The flaw was patched in March, and at the time Microsoft stated there was no evidence of its exploitation in the wild.

However, a new analysis by Symantec of an exploit tool deployed in recent attacks revealed evidence that it could have been made prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day.

Microsoft did not respond to a request for comment.

This exploit tool was used in a recently attempted ransomware attack similar to those described in a Microsoft report detailing Black Basta activity. The hacker group operating the ransomware, known as Cardinal or Storm-1811, did not succeed in deploying a ransomware payload in the attack, researchers said.

Cardinal introduced Black Basta in April 2022, and from its inception the ransomware was closely associated with the Qakbot botnet, which appeared to be its primary infection vector.

Qakbot was one of the world’s most prolific malware distribution botnets until it was taken down in August 2023, leading to a decline in Black Basta activity. Cardinal has since resumed attacks and now appears to have switched to working with the operators of the DarkGate loader to obtain access to potential victims, according to Symantec.

Learn more.