
Ransomware Group May Have Exploited Windows Vulnerability as Zero-Day

The Black Basta ransomware gang may have exploited the Windows privilege escalation flaw CVE-2024-26169 before it was patched. The post Ransomware Group May Have Exploited Windows Vulnerability as Zero-Day appeared first on SecurityWeek.

A known ransomware group may have exploited a recently patched Windows privilege escalation vulnerability before Microsoft released a fix, Symantec reported on Wednesday.

The flaw in question, tracked as CVE-2024-26169 and classified as ‘important’, has been described as a Windows Error Reporting Service privilege escalation vulnerability that can allow an attacker to obtain System privileges.

Microsoft’s advisory for CVE-2024-26169, which the tech giant released on March 12 when it patched the vulnerability, indicates that the company is not aware of malicious exploitation. In addition, the security bug has an exploitability assessment of ‘less likely’. 

However, Broadcom’s Symantec says it has found evidence suggesting that the Black Basta ransomware group (aka Cardinal, Storm-1811 and UNC4393) may have actually exploited this vulnerability as a zero-day.

While investigating a ransomware attack, Symantec researchers uncovered a tool that appears to exploit CVE-2024-26169 to start a shell with administrative privileges.

The researchers uncovered two versions of this tool: one with a compilation timestamp of February 27, 2024, and one with a timestamp of December 18, 2023.

“Time stamp values in portable executables are modifiable, which means that a time stamp is not conclusive evidence that the attackers were using the exploit as a zero-day,” Symantec explained. “However, in this case there appears to be little motivation for the attackers to change the time stamp to an earlier date.”

Contacted by SecurityWeek, Microsoft stated, “This issue was addressed in March, and customers who apply the fix are protected. Our security software also includes detections to protect against the malware.”

A recent alert authored by multiple US government agencies showed that the Black Basta ransomware group hit more than 500 organizations around the world. 

A report published last year estimated that 90 Black Basta victims paid over $100 million to the cybercriminals. 

*updated with statement from Microsoft
