Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day

June 12, 2024, 1:31 p.m.

Description

Recent analysis by a cybersecurity firm suggests that a ransomware group might have exploited a Windows privilege escalation vulnerability, CVE-2024-26169, before it was patched. The vulnerability, which was addressed in March 2024, could allow attackers to elevate their privileges. An exploit tool was deployed in attempted attacks whose tactics resemble those used by the Cardinal cybercrime group, known for operating the Black Basta ransomware. The tool's compilation timestamps predate the vulnerability's patching, indicating the vulnerability was potentially leveraged as a zero-day.

Date

  • Created: June 12, 2024, 1:01 p.m.
  • Published: June 12, 2024, 1:01 p.m.
  • Modified: June 12, 2024, 1:31 p.m.

Indicators


Attack Patterns

Linked vulnerabilities