Alert essentials:
Symantec researchers found evidence that, since December 18, 2023, the Black Basta group has used an Elevation of Privilege weakness to gain remote access with admin privileges. Patches are available, apply immediately.
Detailed threat description:
Although Microsoft’s report on CVE-2024-26169 indicates this flaw is less likely to be exploited and has no known malicious exploits, Symantec researchers have discovered two versions of a tool they suspect has been using this Elevation of Privilege flaw to open shell interfaces with administrative access.
This vulnerability is within the Windows Error Reporting Service, allowing privilege escalation to the system level. The observed tactics, techniques, and procedures of attacks suggest recently captured activities are failed efforts by Black Basta.
The flaw was patched in March 2024, and research suggests Black Basta possibly used it for Ransomware-as-a-service attacks when it was a zero-day. Black Basta’s reach is global, targeting over 500 organizations in the United States, Canada, Japan, The United Kingdom, Australia, and New Zealand.
Black Basta is poised to remain a significant ransomware threat, driven by their ability to adapt and innovate. The Threat Hunter Team at Symantec suspects other black hat teams may also be experimenting with this vulnerability.
Deploy patches as soon as possible.
Impacts on healthcare organizations:
Healthcare organizations should remain vigilant and strengthen their defenses against ransomware attacks. Organizations can take several multilayered actions to minimize their exposure to and the potential impact of a ransomware attack.
While there is no specific set of recommendations to hinder Black Basta’s custom capabilities, the HHS Threat Profile of Black Basta presents a sample of mitigations, countermeasures, indicators of compromise, and other courses of action.
Affected products / versions:
- Microsoft Windows Error Reporting Service
CVEs
- CVE-2024-26169
Recommendations
Engineering recommendations:
- Apply security patches in the environment as they become available
- Maintain offline, encrypted backups of critical data
- Conduct regular vulnerability scanning to identify and address vulnerabilities
- Change default admin usernames and passwords
- Do not use root access accounts for day-to-day operations
- Ensure all on-premises, cloud services, mobile, and personal (i.e., bring your own device [BYOD]) devices are properly configured and security features are enabled
Leadership / program recommendations:
- Create, maintain, and regularly exercise a basic cyber incident response plan (IRP) and associated communications plan that includes response and notification procedures for ransomware and data extortion/breach incidents
- Ensure that data breach notification procedures adhere to applicable state laws
- Implement phishing-resistant MFA for all services, particularly for email, VPNs, and accounts that access critical systems
- Consider implementing an intrusion detection system (IDS)
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- CISA and FBI advisory on Black Basta: https://www.cisa.gov/news-events/alerts/2024/05/10/cisa-and-partners-release-advisory-black-basta-ransomware
- CISA Ransomware guide: https://www.cisa.gov/stopransomware/ransomware-guide
- HHS Black Basta profile: https://www.hhs.gov/sites/default/files/black-basta-threat-profile.pdf
- Microsoft patches: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26169
- Security Breach Notification Laws: https://www.ncsl.org/technology-and-communication/security-breach-notification-laws
- Symantec Report with IoCs: https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day
