CISA Alerts on Windows Vulnerability Used in Ransomware Attacks

June 14, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical Windows vulnerability that has been exploited in ransomware attacks. The flaw, tracked as CVE-2024-26169, is related to an improper privilege management issue in the Windows Error Reporting service. This flaw allows local attackers to gain SYSTEM permissions in low-complexity attacks that do not require user interaction. Microsoft addressed this vulnerability on March 12, 2024, during its monthly Patch Tuesday updates, but the company has not updated its security advisory to mark the vulnerability as exploited in attacks.

Symantec security researchers found evidence suggesting that the Black Basta ransomware gang, also known as the Cardinal cybercrime group, UNC4394, and Storm-1811, might have been exploiting the flaw. The researchers found that one variant of the CVE-2024-26169 exploit tool used in these attacks had a February 27 compilation timestamp, while a second sample was built earlier, on December 18, 2023. Although timestamps can easily be modified, the researchers believe it is unlikely in this case, indicating that the ransomware group had a working exploit between 14 and 85 days before Microsoft released security updates to patch the flaw.

Federal Civilian Executive Branch (FCEB) agencies are required to secure their systems against all vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog, as per the November 2021 binding operational directive BOD 22-01. CISA has given FCEB agencies until July 4 to patch the CVE-2024-26169 vulnerability and prevent ransomware attacks that could target their networks. While this directive applies only to federal agencies, CISA also strongly recommends that all organizations prioritize fixing the flaw, warning that 'These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.'

The Black Basta gang emerged as a Ransomware-as-a-Service (RaaS) operation in April 2022, after the Conti cybercrime gang split into multiple factions following a series of data breaches. The gang has since breached many high-profile victims, including Rheinmetall, Capita, the Toronto Public Library, the American Dental Association, ABB, Hyundai's European division, Yellow Pages Canada, and Ascension. CISA and the FBI have revealed that Black Basta ransomware affiliates had attacked over 500 organizations as of May 2024, encrypting systems and stealing data from at least 12 U.S. critical infrastructure sectors. According to Corvus Insurance and cybersecurity company Elliptic, Black Basta had collected at least $100 million in ransom payments from over 90 victims as of November 2023.
