Black Basta might have exploited Microsoft flaw as zero-day

The Black Basta ransomware group might have exploited a previously disclosed and patched Microsoft Windows elevation of privilege vulnerability as a zero-day, according to new research by Symantec.

In a blog post on Wednesday, Broadcom's Symantec linked possible zero-day exploitation of a Windows Error Reporting Service elevation of privilege vulnerability, tracked as CVE-2024-26169, to Black Basta activity. Microsoft initially issued a security update and patch release for the flaw on March 12, but said there were no reports of exploitation and rated exploitation possibility as "less likely."

However, while working on a recent ransomware incident response investigation, the Symantec Threat Hunter Team discovered evidence to suggest the Cardinal cybercrime group, also known as Black Basta, might have exploited CVE-2024-26169 in the wild.

"Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity. These included the use of batch scripts masquerading as software updates," Symantec's Threat Hunter Team wrote in the blog.

Beginning in mid-April, Microsoft observed Black Basta -- or what it tracks as Storm-1811 -- abusing Quick Assist, the vendor's client management tool, in a social engineering campaign against targeted users. Threat actors used vishing to lure victims in, then deployed malicious remote monitoring and management tools such as ConnectWise's ScreenConnect, which also contained a vulnerability that was under attack recently. During the campaign, Microsoft then observed the use of Qakbot malware before Black Basta ransomware was deployed.

In Wednesday's blog post, Symantec emphasized that Black Basta activity was "closely associated with the Qakbot botnet" until law enforcement took down the malware last year, an action Symantec said hindered Black Basta activity. Prior to that, Black Basta was highly active, and it might be gaining traction again.

Insurer Corvus and blockchain analytics vendor Elliptic reported that Black Basta received more than $100 million in payments from when it emerged in 2022 up until late 2023. Symantec referred to the group as a "revived threat" in Wednesday's blog post.

In addition to the Qakbot and similar TTPs connection, Symantec also observed that threat actors leveraged Windows vulnerabilities to "start a shell with administrative privileges." Based on the investigation, Symantec assessed that the exploit tool deployed during the Quick Assist social engineering campaign suggests that Black Basta has been exploiting CVE-2024-26169 as a zero-day vulnerability.

Based on the timestamps, threat actors deployed one variant of the exploit tool on Feb. 27 and another in December, three months before Microsoft patched CVE-2024-26169. However, since the attack failed, Symantec did not observe deployment of the final ransomware payload.

"Time stamp values in portable executables are modifiable, which means that a time stamp is not conclusive evidence that the attackers were using the exploit as a zero-day. However, in this case there appears to be little motivation for the attackers to change the time stamp to an earlier date," the blog read.

Dick O'Brien, principal intelligence analyst on Symantec's Threat Hunter Team, expanded on the potential attack scope in an email to TechTarget Editorial.

"We saw it being used in what appeared to be an attempted Black Basta attack," O'Brien said. "It's reasonable to assume that this affiliate at least was using the exploit in their toolkit for some time."

O'Brien added that Symantec did not contact Microsoft since the vulnerability was patched by the time Symantec discovered the exploit.

UPDATE:  A Microsoft spokesperson provided the following statement to TechTarget Editorial: "This issue was addressed in March, and customers who apply the fix are protected. Our security software also includes detections to protect against the malware."

This article was updated on 6/13/24.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.