Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day

June 12, 2024, 1:31 p.m.

Description

Recent analysis by a cybersecurity firm suggests that a ransomware group might have exploited a Windows privilege escalation vulnerability, CVE-2024-26169, before it was patched. The vulnerability, which was addressed in March 2024, could allow attackers to elevate their privileges. Evidence from an exploit tool deployed in attempted attacks resembles tactics used by the Cardinal cybercrime group, known for operating the Black Basta ransomware. The tool's compilation timestamps predate the vulnerability's patching, indicating it was potentially leveraged as a zero-day.

Date

Published: June 12, 2024, 1:01 p.m.
Created:   June 12, 2024, 1:01 p.m.
Modified:  June 12, 2024, 1:31 p.m.

Indicators

b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0

a31e075bd5a2652917f91714fea4d272816c028d7734b36c84899cd583181b3d

4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63

3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d

2408be22f6184cdccec7a34e2e79711ff4957e42f1ed7b7ad63f914d37dba625

Attack Patterns

Black Basta - S1070

QakBot - S0650

T1137

T1567

T1489

T1574

T1105

T1055

T1569

T1499

T1566

T1133

T1078

T1068

T1003

T1059

CVE-2024-26169