Symantec researchers have linked the notorious Cardinal cybercrime group, operators of the Black Basta ransomware, to the exploitation of the recently patched Windows vulnerability, CVE-2024-26169. This bug, found in the Windows Error Reporting Service, allows attackers to escalate their privileges, posing a severe threat to cybersecurity.
Though Microsoft patched this vulnerability on March 12, they initially found no evidence of its exploitation. However, Symantec’s analysis suggests that at least one group exploited this bug as a zero-day, using an exploit tool compiled before the patch’s release. This tool surfaced in a recent failed ransomware attack, bearing striking similarities to Black Basta’s known tactics.
The urgency of this discovery is underscored by Black Basta’s increasing threat profile. The FBI and other federal agencies recently alerted healthcare and critical infrastructure sectors to the gang’s activities. Notably, Black Basta was behind the attack on the Ascension health system, CNN reported in May.
Ken Dunham, cyber threat director at Qualys, highlights the group’s aggressive strategies, such as publishing sensitive data to pressure victims. This, coupled with their top 10 global threat status, underscores the need for immediate patching of CVE-2024-26169.
Despite the patch’s availability, Dustin Sachs of CyberRisk Alliance notes that its CVSS score of 7.8 may have led to delayed implementation by overwhelmed security teams. Callie Guenther from Critical Start emphasizes that this incident illustrates the critical need for timely patch management and robust threat intelligence.
Black Basta's exploitation of CVE-2024-26169 shows that cybersecurity threats are not static, and that to remain secure, organizations have to stay vigilant and ready to counter them.