BLACKBASTA
BLACKBASTA primarily targets organizations within the technology sector and critical infrastructure, leveraging vulnerabilities in widely used products such as ConnectWise ScreenConnect and VMware ESXi to gain initial footholds. The group's typical attack vector involves spear-phishing emails containing malicious attachments, which they use to deploy tools like Cobalt Strike for lateral movement and privilege escalation. Once inside a network, BLACKBASTA employs double extortion tactics by exfiltrating sensitive data before encrypting it with custom ransomware, often leaving behind backdoors for future access. This group stands out due to its sophisticated use of legitimate administrative tools and its ability to manipulate domain policies effectively.
BLACKBASTA's technical footprint is characterized by a preference for exploiting critical vulnerabilities in server-side components like Windows Active Directory and remote management services. Their exploitation of CVE-2024-1709, which scores a CVSS 10.0, highlights their focus on high-severity vulnerabilities that can lead to full system control. The group's use of Mimikatz for credential harvesting and Metasploit for exploiting service execution demonstrates a high level of technical sophistication. Defenders should prioritize patch management, especially for critical CVEs like those affecting Windows NetLogon and Print Spooler services, as well as implementing robust phishing awareness training to mitigate the risk of initial compromise through spear-phishing attacks.
CISA Intelligence #StopRansomware
#StopRansomware: Black Basta · 2024-11-08
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.
This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.
Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.
Confirmed CVEs (7)
Exploited by this group as confirmed by threat intelligence sources.
Predicted CVEs (93) CORRELATION
How does prediction work?
Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.