CISA Alert: Windows Vulnerability Exploited in Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a significant Windows vulnerability, identified as CVE-2024-26169, that is being actively exploited in ransomware attacks.

This flaw, now classified as a zero-day, stems from improper privilege management in the Windows Error Reporting service. It allows a local attacker to elevate to SYSTEM privileges in a low-complexity attack that requires no user interaction.

Microsoft addressed this vulnerability in its Patch Tuesday updates but has yet to update its advisory to reflect the vulnerability's exploitation in active attacks.

According to a recent report, the Black Basta ransomware group, also known as the Cardinal cybercrime group (UNC4394/Storm-1811), is likely exploiting this flaw. The evidence includes two variants of the exploit tool, with compilation timestamps of February 27, 2024 and December 18, 2023, both of which predate Microsoft's March 12, 2024 patch.

Federal Civilian Executive Branch (FCEB) agencies are required to secure their systems against vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog, as per the November 2021 Binding Operational Directive (BOD 22-01). CISA has given these agencies a deadline of July 4 to patch CVE-2024-26169 to prevent ransomware attacks.

CISA also strongly urges all organizations to prioritize fixing this flaw, highlighting the significant risks posed by such vulnerabilities, which are frequent targets for malicious cyber actors.

Black Basta, a Ransomware-as-a-Service (RaaS) operation that surfaced in April 2022 after the Conti gang splintered, has targeted numerous high-profile entities, including Rheinmetall, Capita, the Toronto Public Library, the American Dental Association, ABB, Hyundai Europe, Yellow Pages Canada, and Ascension.

By May 2024, CISA and the FBI reported that Black Basta affiliates had compromised over 500 organizations, impacting at least 12 U.S. critical infrastructure sectors. Research indicates that Black Basta has collected at least $100 million in ransom payments from over 90 victims as of November 2023.

To safeguard against the CVE-2024-26169 vulnerability, organizations should promptly apply the security patches released by Microsoft on March 12, 2024. Regularly updating software, using multi-factor authentication, and restricting the use of administrator accounts can mitigate the risk of exploitation.

Additionally, implementing advanced threat detection systems and conducting regular security audits will help identify and address potential vulnerabilities before they can be exploited by cybercriminals.