Black Basta ransomware gangs exploit patched Windows bug to launch zero-day attacks
The Cardinal Cybercrime Group (also known as UNC4393 or Storm-1811), an affiliate of the infamous Black Basta gang, exploited a recently patched Windows vulnerability to deploy the encryptor, while the flaw was still a zero-day.
a report from cybersecurity researchers Symantec is changing what was known about the vulnerability, as Cardinal exploited an elevation of privilege vulnerability found in the Windows Error Reporting Service.
The flaw, tracked as CVE-2024-26169, has not yet been assigned a severity rating, but we do know it was patched in mid-March 2024.
Black Basta
When Microsoft first released the solution, Symantec recalls, it said there was no evidence of in-the-wild exploitation. However, after analyzing a tool used in a recent attack, security professionals concluded that it had likely been compiled previously. That means at least one cybercriminal group exploited the vulnerability while it was still a zero-day (before a patch was available).
Symantec did not say who was the target of this attack, but did say it was unsuccessful. It was also said that by looking at the tactics, techniques and procedures (TTP) of the attack, Cardinal was most likely attempting to deploy the Black Basta ransomware variant.
This ransomware variant was created in April 2022 and has since grown into one of the largest and most dangerous Ransomware-as-a-service (RaaS) operations in existence.
Last month, a report by the FBI, CISA, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) stated that Black Basta, through its affiliates, targets more than 500 organizations worldwide. has brought danger. .
The victims include organizations in twelve of the sixteen critical infrastructure sectors, including healthcare and public health. Black Basta victims include Hyundai Europe, Capita, The American Dental Association, Yellow Pages Canada, Dish and many, many others.
Black Basta most likely emerged after the demise of Conti, another major ransomware player until the beginning of the Russian invasion of Ukraine.