It’s possible that the gang responsible for the Black Basta ransomware was taking advantage of a zero-day Windows privilege escalation vulnerability that was just patched.
Symantec’s threat research indicates that an attacker who has already compromised a system may be able to escalate their privileges on it by leveraging CVE-2024-26169.
While the vulnerability was patched on March 12, there is still a chance that at least one group was using it as a zero-day before then: analysis of an exploit tool used in recent attacks showed indications that the exploit might have been created before the patch was released.
The exploit kit was found to have been used in a recent ransomware effort that Symantec’s Threat Hunter Team is looking into.
While the ransomware payload was not successfully deployed in this attack, the tactics, techniques, and procedures (TTPs) employed by the attackers bore a striking resemblance to those detailed in a previous Microsoft report on Black Basta activity.