
Inside the Chat Leaks of the Black Basta Ransomware Group

Internal conflicts within the notorious Black Basta ransomware group have led to a massive leak of the group's internal chat messages. While the messages are disorganized and full of internal jargon, they contain a wealth of insight into the group's operations and techniques. This type of disclosure can be a gold mine for security practitioners, since it shows exactly how attackers think and the details of how they execute their attacks.

As a result, we were eager to dive into the roughly 200,000 messages to see what we could learn. From the beginning it was clear that Black Basta had a very strong interest in how to compromise and co-opt a company's network and security infrastructure. This should not be a surprise, since such techniques have been a hallmark of many of the top ransomware groups for years. However, the chats revealed a wealth of new details, including references to both well-known and unknown vulnerabilities affecting the leading networking and security vendors in the industry, including Palo Alto Networks, Cisco, Fortinet, Citrix and F5.

Take a look at our Surface Podcast episode, in which we discuss the Black Basta chat leaks and what they mean for security teams.

Key findings

Our analysis began with the basics: searching for references to known CVEs, URLs, vendor names and their associated device models. It was immediately clear that Black Basta was very opportunistic in its attacks and was not limited to a handful of CVEs, devices or tactics. A total of 62 specific CVEs were referenced in the messages.

However, a deeper dig showed that the CVEs were only the tip of the iceberg, since the Black Basta operators routinely referred to specific devices rather than CVEs. For example, while the data contained no CVE specifics for them, the internal chats showed that the group tested exploits against HP, Brother and other devices.
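As an added illustration of the triage described above (example code, not from the original post or from Eclypsium), here is a small Python pass over constructed sample messages that extracts CVE identifiers and separately tallies vendor mentions that carry no CVE at all; the message texts and the keyword-to-vendor map are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample messages (not from the leak), in the rough shape of a chat export.
SAMPLE_MESSAGES = [
    {"ts": "2024-01-05T10:12:00", "text": "big-ip boxes still open on cve-2022-1388, check list"},
    {"ts": "2024-01-05T10:14:00", "text": "netscaler: CVE-2023-3519 and CVE-2023-3466 both work"},
    {"ts": "2024-01-06T08:00:00", "text": "need creds for globalprotect, old dump from last target"},
    {"ts": "2024-01-06T08:03:00", "text": "juniper 0day tested on public box, works"},
    {"ts": "2024-01-06T09:30:00", "text": "fortigate login pulled from previous job"},
    {"ts": "2024-01-07T11:00:00", "text": "CVE-2023-36845 on srx, plus the Juniper thing"},
]

# Hypothetical keyword map from product names seen in messages to vendors.
VENDOR_KEYWORDS = {
    "big-ip": "F5", "netscaler": "Citrix", "globalprotect": "Palo Alto Networks",
    "juniper": "Juniper", "srx": "Juniper", "fortigate": "Fortinet",
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def extract_cves(messages):
    """Return per-ID mention counts for every distinct CVE, case-normalised."""
    counts = Counter()
    for msg in messages:
        for cve in CVE_RE.findall(msg["text"]):
            counts[cve.upper()] += 1
    return counts


def vendor_mentions(messages):
    """Tally vendor mentions, split by whether the same message also names a CVE.

    The 'no_cve' bucket is the point made above: much of the targeting talk names a
    device or vendor without any CVE, so CVE extraction alone undercounts it.
    """
    with_cve, no_cve = Counter(), Counter()
    for msg in messages:
        text = msg["text"].lower()
        vendors = {v for kw, v in VENDOR_KEYWORDS.items() if kw in text}
        bucket = with_cve if CVE_RE.search(text) else no_cve
        for v in vendors:
            bucket[v] += 1
    return with_cve, no_cve


if __name__ == "__main__":
    cves = extract_cves(SAMPLE_MESSAGES)
    print(f"{len(cves)} distinct CVEs:", dict(cves))
    with_cve, no_cve = vendor_mentions(SAMPLE_MESSAGES)
    print("vendor mentions alongside a CVE:", dict(with_cve))
    print("vendor mentions with no CVE at all:", dict(no_cve))
```

On the sample, half of the vendor mentions come with no CVE, which is the gap a CVE-only search leaves.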

As a result, it was important to go beyond extracting CVEs and instead engage with the actual conversations in order to understand what these threat actors were doing. This surfaced references to many of the industry's leading vendors of network and security infrastructure. It also revealed several techniques the team used against devices, including:

  • Exploitation of known vulnerabilities
  • Acquiring access to 0-day vulnerabilities
  • Credential stuffing with user and root credentials taken from victims of previous attacks

Suspected 0-day vulnerabilities

Naturally, references to 0-days are of particular interest. The messages contained references to purchasing 0-day vulnerabilities for Juniper, Windows, Ivanti Pulse Secure, SonicWall, Wildix and Unified Remote. For Juniper, this included test runs against a public-facing device, which further complicates the analysis of their messages.

Credentials

The group also shared credentials for target devices and infrastructure that had been exposed in previous breaches. This included user credentials such as VPN access credentials and root credentials for devices. The attackers could then use these credentials in credential stuffing attacks to try to gain access to a target.

In addition, the group shared passwords for several publicly accessible RDP hosts on port 3389. The actors also referred to databases and other services that they were brute-forcing.

Network and security infrastructure

All of these techniques were used when attacking a company's network and security infrastructure. Like many ransomware gangs, Black Basta showed a special interest in VPN infrastructure, including Palo Alto Networks, Cisco, Pulse Secure and others. These devices have proven useful to attackers both as an initial infection vector and as a means of persistence and lateral movement within an environment.

Conversations showed that the group was also opportunistic when it came to targeting network devices. In addition to focusing on large enterprise devices such as firewalls and load balancers, the group discussed digging deeper into the network and leveraging a compromised router to work with the traffic between targets.

Some of the notable vendors mentioned in the conversations include:

  • Palo Alto Networks GlobalProtect – credentials, exploit, malware
  • Cisco SSL VPN – credentials
  • Fortinet devices – credentials
  • Pulse Secure VPN – 0-day vulnerability
  • WatchGuard
  • Android IPFire
  • Juniper – 0-day vulnerability
  • Trend Micro
  • F5 BIG-IP
  • Citrix (NetScaler & maybe others) – Landlife

Other tools and techniques

Black Basta makes extensive use of tools such as Shodan and ZoomEye to hunt for targets. The chats include over 100 unique Shodan dorks (queries) used by the group to find specific assets that could be susceptible to exploitation.

In addition, the team appears to favor Cobalt Strike (and apparently has several active proxies for it). There are messages mentioning links to exploits and looking at RATs and other malware. For example, they mention analyzing this malware for Palo Alto and searching for exploit code.

Takeaways on vulnerability exploitation

While Black Basta goes after targets with publicly known vulnerabilities, there are some important points to consider:

  • They buy (or at least discuss purchasing) 0-days for various devices and systems when they see something interesting. We saw at least 6 different targets for which this happened, including SSL VPN devices.
  • Very often they discuss vulnerabilities without mentioning a specific CVE, so the scope of their exploitation goes well beyond the 62 CVEs we see mentioned in the chat logs.
  • The group is extremely opportunistic and willing to scan a network thoroughly in order to hunt for persistence and data within it.
  • In addition, they are willing to launch more advanced attacks than simply exploiting a CVE. This includes techniques such as ARP poisoning, traffic interception, Active Directory attacks, credential stuffing, etc.
  • They actually develop their own exploits for CVEs and train on the use of complex exploits.

It is therefore impossible to pin the group's activity to a specific set of CVEs and simply stop there. We have to assume that Black Basta's techniques go beyond the specific CVEs they mention.

Nevertheless, Eclypsium is able to detect many of the highest-risk vulnerabilities referenced in the Black Basta chat leaks, including CVE-2022-1388, CVE-2023-3466, CVE-2023-3519, CVE-2023-36845 and many others. A sample of these detections in the Eclypsium platform is shown here.

Conclusion

This is one of those very rare occasions in which a data leak is actually good for security practitioners. Cybersecurity intelligence often feels like trying to assemble a very large puzzle with only a few of the pieces. Many attacks fly under the radar, technical details are often never shared, and the exploits and techniques can vary from target to target. A leak like this shows us all the different pieces of the puzzle in one place, so that we can see the big picture of an extremely successful ransomware operator.

However, it is up to us as defenders to make use of these findings. From these chats we can see that ransomware gangs continue to target networking and security infrastructure with known and unknown exploits as well as credential-based attacks. This means organizations must remain diligent when it comes to patching these critical assets. But it is also a strong reminder that even patched devices can be compromised via 0-day vulnerabilities or exposed credentials. This means security teams must be able to verify the integrity of these devices and actively monitor them for unexpected changes that could indicate a device compromise.

Additional resources

The post Inside the Chat Leaks of the Black Basta Ransomware Group first appeared on Eclypsium | Supply Chain Security for the Modern Enterprise.

*** This is a Security Bloggers Network syndicated blog from Eclypsium | Supply Chain Security for the Modern Enterprise written by Chris Garland. Read the original post at: