The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that a Microsoft Windows privilege escalation vulnerability has seen exploitation in attacks.
The vulnerability (tracked at CVE-2024-26169) this week was tied to attacks by the Black Basta ransomware gang by researchers at Symantec.
[Related: Black Basta Ransomware Attack Brought Down Ascension IT Systems: Report]
The Windows Error Reporting Service Improper Privilege Management Vulnerability was disclosed and fixed by Microsoft in mid-March.
CISA added the bug to its catalog of vulnerabilities known to have seen exploitation in the wild Thursday. CRN has reached out to Microsoft for comment.
ADVERTISEMENT
“Analysis of an exploit tool deployed in recent attacks revealed evidence that [the vulnerability] could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day,” Symantec researchers wrote in a postWednesday.
The exploit tool “was deployed in a recent attempted ransomware attack investigated by Symantec’s Threat Hunter Team,” the researchers said. “Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity. Although no payload was deployed, the similarities in TTPs makes it highly likely it was a failed Black Basta attack.”
CISA also added a Google Pixel privilege escalation vulnerability that was disclosed this week (tracked at CVE-2024-32896) to its catalog, as well as a Progress Telerik vulnerability (tracked at CVE-2024-4358).
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in its advisory.
CISA has set a due date of July 4 for Federal Civilian Executive Branch agencies to implement fixes for the issues.