It is being reported that Black Basta (aptly named) exploited a Microsoft zero-day prior to Microsoft’s release of a patch for the vulnerability back in March.

The vulnerability, CVE-2024-26169, was on Microsoft’s March update’s Patch Tuesday List. Unpatched, it allows the threat actor to escalate privileges. Symantec’s threat hunter team has discovered that Black Basta was able to gather information on the vulnerability prior to the patch and use it recently in attacks against victims. This means that even if an organization applied the patch, Black Basta may be able to exploit the vulnerability anyway.

It is essential for organizations to apply patches for vulnerabilities in a timely manner. Unfortunately, this research indicates that even if you do so, the threat actors may have already figured out how to exploit the vulnerability to use it against companies after the fact to render the vulnerability a zero-day again. Patch, patch, patch. There’s no way around it, and it is more important than ever. Patch this vulnerability to avoid Black Basta—trust me—they are a bunch of bastas.

[View source.]