CyberSecurity SEE

Black Basta may have taken advantage of Microsoft vulnerability as a zero-day

Symantec, a cybersecurity company under Broadcom, recently revealed new research suggesting that the Black Basta ransomware group may have taken advantage of a previously patched Microsoft Windows vulnerability as a zero-day exploit. The vulnerability in question, tracked as CVE-2024-26169, was initially addressed by Microsoft with a security update on March 12. At the time, Microsoft stated that there were no reports of exploitation and deemed the likelihood of exploitation as “less likely.”

However, during a recent investigation into a ransomware incident response, Symantec’s Threat Hunter Team uncovered evidence indicating that the Cardinal cybercrime group, also known as Black Basta, may have exploited the CVE-2024-26169 vulnerability in the wild. While the attempted attack did not culminate in the deployment of ransomware, the tactics used by the attackers closely mirrored those detailed in a recent Microsoft report on Black Basta activity. These tactics included the use of batch scripts disguised as software updates.

According to Symantec’s findings, Black Basta, also known as Storm-1811, was observed misusing Microsoft’s Quick Assist tool in a social engineering campaign starting in mid-April. The threat actors employed vishing techniques to lure victims and then deployed malicious remote monitoring and management tools like ConnectWise’s ScreenConnect, which had recently been targeted due to a vulnerability. Microsoft noted the use of Qakbot malware before Black Basta ransomware was deployed during this campaign.

Symantec highlighted in their blog post that Black Basta’s activity has been linked to the Qakbot botnet in the past. However, law enforcement actions against Qakbot last year hampered Black Basta’s operations temporarily. Nevertheless, the group appears to be regaining momentum, as evidenced by reports from insurers and blockchain analytics vendors indicating that Black Basta received over $100 million in ransom payments between 2022 and late 2023.

In addition to the use of Qakbot and similar techniques, Symantec identified instances where threat actors exploited Windows vulnerabilities to obtain administrative privileges. The investigation also revealed that analysis of the exploit tool used during the Quick Assist campaign suggested that Black Basta had been exploiting CVE-2024-26169 as a zero-day vulnerability.

Based on timestamps associated with the exploit tool, Symantec observed variants deployed in February and December, preceding Microsoft’s patch for CVE-2024-26169. Despite these attempts, the attack failed to result in the deployment of ransomware. The blog post acknowledged that timestamp values in portable executables can be altered, but in this case, there appeared to be little reason for the attackers to manipulate the timestamps.
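The dating argument above rests on the PE compile timestamp (the COFF `TimeDateStamp`) of the exploit tool. The following added example, which is not code from Symantec's report, shows how an analyst reads that field and places a sample relative to the March 12 patch date, while flagging values that cannot be taken at face value; the `build_stub_pe` fixture builder is constructed here purely for demonstration and produces PE-shaped bytes, not a real binary.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# Date of Microsoft's fix for CVE-2024-26169, as stated in the report above.
PATCH_DATE = datetime(2024, 3, 12, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> int:
    """Return the raw COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature: Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def classify(data: bytes, observed_at: Optional[int] = None,
             patch_date: datetime = PATCH_DATE) -> str:
    """Date a sample relative to the patch, flagging timestamps that should not be trusted."""
    ts = pe_timestamp(data)
    # Linkers may emit 0 or a synthetic value (reproducible builds), and the field is trivially editable,
    # so a zero stamp or one later than the time the sample was collected is treated as unreliable.
    if ts == 0 or (observed_at is not None and ts > observed_at):
        return "implausible"
    built = datetime.fromtimestamp(ts, tz=timezone.utc)
    return "pre-patch" if built < patch_date else "post-patch"


def build_stub_pe(ts: int) -> bytes:
    """Constructed minimal PE-shaped bytes carrying the given TimeDateStamp (fixture, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header placed right after the DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 0, ts, 0, 0, 0, 0)
    return bytes(dos) + coff


if __name__ == "__main__":
    # 1707955200 = 2024-02-15 UTC, 1720000000 = 2024-07-03 UTC; collected at 1718000000 (2024-06-10 UTC)
    for ts in (1707955200, 1720000000, 0):
        print(ts, classify(build_stub_pe(ts), observed_at=1718000000))
```

A pre-patch verdict only says the stamp predates the fix; corroborating it with file-system metadata, signing times or telemetry is what turns it into evidence.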

Dick O’Brien, a principal intelligence analyst at Symantec, commented on the potential scope of the attack, indicating that the exploit was used in what seemed to be an attempted Black Basta attack. O’Brien noted that it was reasonable to assume that this affiliate had incorporated the exploit into their toolkit for some time. Symantec did not reach out to Microsoft about the vulnerability since it had already been patched by the time they discovered the exploit.

As of now, Microsoft has not responded to requests for comment on this matter. The evolving threat landscape highlighted by Symantec’s research underscores the importance of ongoing vigilance and proactive cybersecurity measures in combating ransomware and other malicious activities.

Arielle Waldman, a news writer for TechTarget Editorial specializing in enterprise security, contributed to this report. Waldman’s coverage highlights the critical role of cybersecurity professionals in safeguarding businesses and individuals against cyber threats.