
Black Basta Leaks Expose Targeting, Planning, and Escalation


A recent leak of 200,000 internal chat messages from the Black Basta ransomware group has shed light on how modern cybercriminals organize themselves to target victims and execute their attacks with a variety of techniques. The leaked messages, which were shared on Telegram by a user known as “ExploitWhispers,” offer insights into the group’s operational tactics and strategies.

According to Milivoj Rajić, head of threat intelligence at DynaRisk, Black Basta conducts thorough research on potential targets and utilizes social engineering techniques to breach organizations. The group often targets multiple individuals within a single organization and prioritizes sectors such as financial services, industrial suppliers, and electrical firms.

The leaked messages also reveal that Black Basta seeds information-stealing malware to harvest sensitive data from victims, in particular saved passwords and authentication tokens. Stolen tokens and session cookies let the operators log in as the user rather than break in, sidestepping the password check entirely. The group focuses on exploiting vulnerabilities in VPN appliances and actively solicits or buys working exploits from third parties who can supply them.

One notable aspect of Black Basta’s operations is their use of open-source intelligence to guide their attacks. The group leverages tools like ZoomInfo, LinkedIn, and RocketReach to identify potential victims and gather information about their organizations. They often use fake download links, social engineering, or phishing emails to target individuals within the organization.

Additionally, the leaked messages show that Black Basta members actively hunt for remote-access credentials (VPN and RDP logins) belonging to organizations of interest, indicating that they prioritize targets by how easily they can be exploited. The group also conducts extensive reconnaissance of its targets' external attack surface: it uses internet-scanning services such as Shodan and Censys to identify internet-facing devices, probes their exposed services, and then exploits known vulnerabilities in the products it finds.

One of the key strategies employed by Black Basta is to exploit specific vulnerabilities that allow them to run arbitrary code on vulnerable systems. The group references a number of critical- and important-rated vulnerabilities, including CVE-2017-11882, a memory corruption flaw in the Equation Editor component of Microsoft Office, as well as vulnerabilities in Apache products, F5 BIG-IP devices, Confluence servers, GitLab, and others.
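The reconnaissance described above (finding exposed remote access and the product families on the group's exploit wish-list) can be run in reverse by a defender against their own external inventory. The following is an added example, not code from the article or from DynaRisk: it takes one record per host/port, roughly what a Shodan or Censys export gives you (that layout is an assumption), drops addresses that are not internet-facing, and ranks what remains with the weighting the article implies, remote-access exposure first, then the named product families. The banners, the weights, and the inventory are all constructed for the example.

```python
"""Triage an external attack-surface inventory from the attacker's angle:
exposed remote access first, then product families that the leaked chats
show the group collecting exploits for.

Added example, not code from the article or from DynaRisk. The per-service
record layout is an assumption (one row per host/port, as a Shodan or
Censys export gives you); the inventory below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address space that is not internet-facing; an export may still contain it.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Remote-access exposure: the article says the group hunts for credentials to it.
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp"}
VPN_BANNERS = ("globalprotect", "fortigate", "pulse secure", "cisco asa", "openvpn")

# Product families the article names from the leaked exploit discussions.
WATCHLIST = ("f5 big-ip", "confluence", "gitlab", "apache")


@dataclass
class Service:
    ip: str
    port: int
    product: str = ""   # product banner as exported; "" when unknown
    version: str = ""


def is_internet_facing(ip: str) -> bool:
    """True unless the address falls in RFC 1918, loopback or link-local space."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(svc: Service) -> list[str]:
    """Reasons an initial-access operator would single this service out."""
    banner = svc.product.lower()
    reasons = []
    if svc.port in REMOTE_ACCESS_PORTS:
        reasons.append("remote-access:" + REMOTE_ACCESS_PORTS[svc.port])
    if any(v in banner for v in VPN_BANNERS):
        reasons.append("remote-access:vpn")
    for name in WATCHLIST:
        if name in banner:
            reasons.append("watchlist:" + name)
            break
    return reasons


def triage(inventory: list[Service]) -> list[dict]:
    """Rank internet-facing services; weights (remote access 2, watchlist 1) are assumed."""
    ranked = []
    for svc in inventory:
        if not is_internet_facing(svc.ip):
            continue
        reasons = classify(svc)
        if not reasons:
            continue
        score = sum(2 if r.startswith("remote-access") else 1 for r in reasons)
        ranked.append({"ip": svc.ip, "port": svc.port, "product": svc.product,
                       "score": score, "reasons": reasons})
    return sorted(ranked, key=lambda r: (-r["score"], r["ip"], r["port"]))


# Constructed inventory (TEST-NET-3 documentation addresses, not real hosts).
SAMPLE_INVENTORY = [
    Service("203.0.113.10", 443, "Palo Alto GlobalProtect"),
    Service("203.0.113.11", 3389),
    Service("203.0.113.12", 8090, "Atlassian Confluence", "7.13"),
    Service("203.0.113.13", 443, "nginx"),
    Service("10.0.0.5", 3389),              # internal address, dropped
    Service("203.0.113.14", 443, "F5 BIG-IP TMUI"),
    Service("203.0.113.15", 22, "OpenSSH", "8.9"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f'{row["score"]}  {row["ip"]}:{row["port"]:<5} '
              f'{row["product"] or "-":<26} {", ".join(row["reasons"])}')
```

Run against a real export, the hosts at the top of the list are the ones to put behind MFA, patch, or take off the internet first; the nginx host with no matching reason is deliberately left out so the list stays short enough to act on.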

In response to these threats, cybersecurity experts like Rajić emphasize the importance of maintaining layered defenses, keeping software up to date, and training users to recognize and avoid potential security risks. Enforcing multi-factor authentication on every remote-access path and regularly scanning internet-facing systems for known vulnerabilities can help organizations mitigate the risk of ransomware attacks.

As ransomware groups like Black Basta continue to evolve and expand their operations, it is crucial for organizations to stay vigilant and proactively protect their networks and data. By implementing strong cybersecurity measures and staying informed about the latest threats, businesses can reduce their susceptibility to cyber attacks and safeguard their valuable assets.
