Black Basta Exploits Patched Windows Privilege Escalation Bug

There’s a strong possibility that the Cardinal cybercrime group that operates the Black Basta ransomware may have been exploiting a recently patched Windows privilege escalation bug as a zero-day.

In a June 12 blog post, Symantec researchers said the bug — CVE-2024-26169 — occurs in the Windows Error Reporting Service and if exploited can let an attacker escalate their privileges.

While the vulnerability was patched on March 12, Microsoft said at the time that there was no evidence of exploitation in the wild. However, the Symantec researchers said analysis of an exploit tool deployed in recent attacks found evidence that it could have been compiled prior to patching, which means at least one group could have exploited the bug as a zero-day.

The researchers said the exploit tool was used in a recently failed ransomware attack that the Symantec team investigated. Although the attackers did not succeed in deploying ransomware, the researchers said the tactics, techniques and procedures (TTPs) used were very similar to those described by Microsoft in a May 15 report on Black Basta activity.

Security pros track Black Basta closely because last month the FBI, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency issued an alert that the Black Basta gang targets the healthcare industry and 12 of the 16 critical infrastructure sectors identified by the federal government. CNN reported back in May that Black Basta was responsible for the attack on the Ascenison health system. 

While Black Basta is not as well-known as others, it’s still a top 10 ransomware threat globally, said Ken Dunham, cyber threat director at Qualys. In 2023, Black Basta increased pressure on victims by publishing sensitive credentials and IP addresses to enable attacks by others, unless paid by victims, he continued.

“These aggressive tactics are certainly a cause for concern, and when combined with a top 10 prevalence, are justification for prioritized patching of CVE-2024-26169, which is now reportedly being targeted for exploitation by Black Basta,” said Dunham.

Dustin Sachs, chief technologist and senior director of programs at CyberRisk Alliance, said while the CVE was patched, it’s unlikely that most security teams applied it since it was only high-severity with a CVSS score of 7.8 — not critical.

“Most teams are backed up and would not focus on a CVE much below 8.0,” said Sachs.

Callie Guenther, senior manager of cyber threat research at Critical Start, added that the exploitation of CVE-2024-26169 by Black Basta highlights the threat posed by ransomware groups using zero-day vulnerabilities. Guenther said organizations must prioritize timely patch management, as the delay in applying security updates can leave systems vulnerable to such high-severity exploits.

“From an intelligence perspective, this incident demonstrates the evolving tactics of cybercriminal groups, particularly their ability to deploy sophisticated tools and strategies quickly,” said Guenther. “Black Basta’s use of batch scripts disguised as software updates to establish persistence and their leveraging of the DarkGate loader for initial infection emphasizes the need for comprehensive threat intelligence and monitoring.”