
Black Basta Leaks Show Targeting, Planning, Escalation

Fraud Management & Cybercrime, Ransomware

Group Cross-Referenced Open Source Victim Intelligence With Infostealer Logs

Mathew J. Schwartz (euroinfosec) •
February 24, 2025

Leaked chat messages from the Black Basta ransomware operation show that the hackers took steps to get organized. (Image: Shutterstock)

A leak of 200,000 internal Black Basta chat messages offers an overview of how a modern ransomware group organizes itself to take down victims, using a variety of tactics that, in theory, should be easy to ward off.


Black Basta conducted extensive reconnaissance and took numerous steps to get into targets, including social engineering attempts, said Milivoj Rajić, head of threat intelligence at Dynarisk. "They often target multiple people within a single organization," he told Information Security Media Group.

The trove of Russian-language messages was leaked on Feb. 11 by the Telegram user "ExploitWhispers," who claimed it was retaliation for the ransomware group targeting Russian banks. Several security researchers said the chats appear to be legitimate, based on how they correlate with known events and facts. The group appears to be close to collapse (see: Ransomware: BlackLock Rises, "Tired" Black Basta Sinks).

The leaks show the group actively probing networks using data harvested by information-stealing malware, Rajić said. Infostealers exfiltrate batches of data known as logs, which typically contain passwords, multifactor authentication tokens that help attackers bypass MFA, and data stored in browsers.


"They focus heavily on exploiting VPN vulnerabilities. They are actively looking for people who can provide that kind of exploit," he said. At Black Basta, such efforts were led by one member, identified in the leaked chat logs only by a handle.


Top targets didn't appear to be random. Black Basta prioritized financial services firms, suppliers of industrial materials for manufacturing, and electrical companies. Unlike some ransomware groups that pursue opportunistic targets, Black Basta appeared to concentrate on specific sectors.


The leaks also underscore the humdrum day-to-day existence of a ransomware group, whose internal communications, in the words of a security engineer who studied the leak, often read less like threat intelligence than like an ordinary workplace (see: Leaked Black Basta Chat Logs Show Banality of Ransomware).


Members, unsurprisingly, were no saints in the workplace either. While some debated the ethics of unleashing crypto-locking malware, "one of the hackers lied to his boss about his work results," said Alon Gal, co-founder and CTO of Hudson Rock. His company used the leaks to train an instance of ChatGPT and made the resulting BlackBastaGPT tool freely available.

Based on the work of researchers such as Rajić and Thomas Roccia, as well as BlackBastaGPT, the leaks show how Black Basta members used a variety of open source intelligence to guide their efforts. This included the commercial business-intelligence search engine ZoomInfo, as well as LinkedIn and the people-search site RocketReach, to identify a potential victim's annual revenue and its employees, who were then often targeted via fake download links, social engineering or phishing emails.


For many of the targets Black Basta researched, the group also already held remote-access credentials, which suggests it used ZoomInfo and other tools to prioritize which organizations to hit first.
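The two preceding passages describe cross-referencing infostealer logs against a target list and ranking targets by whether the captured credentials open a remote-access door. The following is an added example of that triage, written for this article rather than taken from Black Basta, Dynarisk, Hudson Rock or BlackBastaGPT; a defender can run the same logic over a purchased or leaked log set filtered to their own domains. It assumes the common "URL:USER:PASS" stealer-log line layout, a constructed sample log, a hypothetical target-domain set, and a heuristic list of remote-access portal markers.

```python
"""Triage stealer-log credential lines against a set of target domains.

Added example; not code from the article or the researchers it quotes.
Assumptions: "URL:USER:PASS" line layout, constructed sample data, and the
heuristic REMOTE_ACCESS_MARKERS list.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Heuristic markers for VPN / remote-access / webmail portals (assumption).
REMOTE_ACCESS_MARKERS = ("vpn", "sslvpn", "globalprotect", "fortigate",
                         "citrix", "rdweb", "remote", "gateway", "/owa", "/ecp")


@dataclass(frozen=True)
class Cred:
    host: str
    path: str
    user: str
    password: str


@dataclass
class TargetReport:
    creds: list[Cred] = field(default_factory=list)
    remote_access: list[Cred] = field(default_factory=list)
    reused_elsewhere: list[Cred] = field(default_factory=list)


def parse_line(line: str) -> Cred | None:
    """Parse one 'URL:USER:PASS' line. Split from the right because URLs
    contain ':'; a password containing ':' is still mis-split, a known
    ambiguity of this log format."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, user, password = parts
    if "://" not in url:
        url = "https://" + url
    split = urlsplit(url)
    if not split.hostname:
        return None
    return Cred(split.hostname.lower(), split.path.lower(), user, password)


def matching_target(host: str, targets: set[str]) -> str | None:
    """Return the target domain that host equals or is a subdomain of."""
    for t in targets:
        if host == t or host.endswith("." + t):
            return t
    return None


def is_remote_access(cred: Cred) -> bool:
    return any(m in cred.host + cred.path for m in REMOTE_ACCESS_MARKERS)


def triage(lines: list[str], targets: set[str]) -> dict[str, TargetReport]:
    """Group credentials by target domain; flag remote-access logins and
    user/password pairs that also appear on unrelated sites (reuse keeps a
    log useful after one site's password is rotated)."""
    creds = [c for c in map(parse_line, lines) if c is not None]
    seen_on: dict[tuple[str, str], set[str]] = {}  # (user, pass) -> hosts
    for c in creds:
        seen_on.setdefault((c.user, c.password), set()).add(c.host)
    reports: dict[str, TargetReport] = {}
    for c in creds:
        target = matching_target(c.host, targets)
        if target is None:
            continue
        rep = reports.setdefault(target, TargetReport())
        rep.creds.append(c)
        if is_remote_access(c):
            rep.remote_access.append(c)
        if any(matching_target(h, targets) is None
               for h in seen_on[(c.user, c.password)]):
            rep.reused_elsewhere.append(c)
    return reports


def prioritize(reports: dict[str, TargetReport]) -> list[str]:
    """Rank targets: remote-access exposure first, then credential volume."""
    return sorted(reports, reverse=True,
                  key=lambda t: (len(reports[t].remote_access),
                                 len(reports[t].creds)))


# Constructed sample log (not real data).
SAMPLE_LOG = """\
# url:user:pass
https://vpn.example-bank.test/remote/login:jdoe@example-bank.test:Winter2024!
https://mail.example-bank.test/owa/auth/logon.aspx:asmith:Passw0rd
https://www.shop.test/account:jdoe@example-bank.test:Winter2024!
https://rdweb.acme-industrial.test/RDWeb/Pages/en-US/login.aspx:bob:hunter2
https://acme-industrial.test/login:carol:qwerty
https://portal.unrelated.test/:eve:letmein
""".splitlines()
TARGETS = {"example-bank.test", "acme-industrial.test"}  # hypothetical

if __name__ == "__main__":
    reports = triage(SAMPLE_LOG, TARGETS)
    for domain in prioritize(reports):
        r = reports[domain]
        print(f"{domain}: {len(r.creds)} creds, {len(r.remote_access)} "
              f"remote-access, {len(r.reused_elsewhere)} reused elsewhere")
```

On the sample, example-bank.test ranks first (two remote-access logins, one of them a password reused on an unrelated shopping site), ahead of acme-industrial.test (one RD Web login). The reuse check is the part worth keeping: a password reset on the VPN does nothing about the same pair sitting in the log for another site.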


A frequent strategy was to trick victims into installing remote monitoring and management software from Level.io, sometimes disguised as an anti-spam tool, or to install it after breaching the network, sometimes via PowerShell, at least according to BlackBastaGPT.


The group documented the results of its reconnaissance of network security and of internet-exposed devices and their weaknesses, including the presence of services such as Remote Desktop Protocol. To do so, the group hunted for internet-connected devices belonging to target organizations using a variety of tactics, including the internet-of-things search engines Shodan and Censys, as well as ordinary search engines queried for known signs of weak security, a practice known as dorking.


A list of "dorks" circulated among Black Basta members includes a search for a Linux security vulnerability that, at a susceptible organization, reportedly yields "root, administrator or system"-level privileges.


Black Basta hackers doubled down on anything that might work. The leaks mention 29 specific vulnerabilities, tracked by their CVE designations and dating from 2017 to 2024, 13 of which are rated critical, meaning they can be exploited remotely to execute arbitrary code on a vulnerable system, Rajić said.


The oldest referenced vulnerability was CVE-2017-11882, a memory corruption flaw in Microsoft Office 2016 that attackers can exploit to execute arbitrary code.


Other CVEs referenced by the group included vulnerabilities in Apache Log4j, F5 BIG-IP devices, Confluence Server and Data Center, GitLab, Juniper devices, Microsoft Exchange Server, Microsoft Outlook, the Netlogon Remote Protocol (MS-NRPC), the Spring Framework and Zyxel firewalls, among others.


Rajić said the age-old advice to maintain multiple layers of defense still applies. That includes training users to avoid untrusted software and links from suspicious sources, and, at the organizational level, keeping all software up to date, monitoring for attack attempts with intrusion prevention systems, giving users the least privilege they need, and scanning for vulnerabilities before attackers do. Two-factor authentication also appears to have blunted Black Basta's attacks, at least by forcing the group to fall back on higher-effort methods such as social engineering.


Although this advice sounds simple, in too many cases victim organizations simply don't seem to follow it. Ransomware groups won't stop attacking on their own; don't make their job any easier.