Symantec has reported that the Black Basta ransomware group may have exploited a recently patched Windows privilege escalation vulnerability (CVE-2024-26169) before Microsoft released a fix. The vulnerability, classified as ‘important’, affects the Windows error reporting service and can allow attackers to obtain System privileges. Microsoft’s advisory, issued on March 12, indicated no known malicious exploitation and rated exploitability as ‘less likely’. However, Symantec’s investigation into a ransomware attack revealed a tool that exploits this flaw to start a shell with administrative privileges. The tool had compilation timestamps of December 18, 2023, and February 27, 2024, both earlier than the fix, suggesting potential zero-day exploitation. Although compilation timestamps can be modified, Symantec sees little motivation for the attackers to backdate them. The Black Basta group, known for extensive ransomware attacks, has previously extorted over $100 million from more than 500 organizations worldwide.
Read more: https://www.securityweek.com/ransomware-group-may-have-exploited-windows-vulnerability-as-zero-day/