Black Basta Ransomware Switches to More Evasive Custom Malware

Summary:
Black Basta is a ransomware-as-a-service (RaaS) operation that has been active since April 2022. To date, the ransomware gang has been attributed with over 500 attacks on organizations around the world. This year alone, the group claimed responsibility for attacks against several notable victims, including Veolia North America, Hyundai Motor Europe, and Keytronic. While Black Basta has commonly relied on, and still uses, publicly available tools, researchers at Mandiant have highlighted a shift toward custom malware that has helped the group run successful campaigns. Earlier this year, Black Basta was observed deploying a custom memory-only dropper named DawnCry to initiate a multi-stage infection chain. DawnCry in turn executed a piece of shellcode, dubbed DaveShell, which loaded the final payload in memory; in this case the payload was PortYard. PortYard is a custom tunneler capable of creating a covert communication channel to Black Basta's command and control (C2) infrastructure. Such a channel can be used to stealthily exfiltrate sensitive data and to remotely control compromised systems without being flagged by security tools. DawnCry, DaveShell, and PortYard are not the only tools in the group's arsenal. Others observed in Black Basta intrusions, some custom-built and some commodity, include:

  • CogScan: A .NET reconnaissance tool used to enumerate hosts reachable on the network and collect system information.
  • SystemBC: A commodity, publicly available tunneler (not a Black Basta creation) that retrieves proxy-related commands from a C2 server using a custom binary protocol over TCP.
  • KnotRock (KNOTROCK in Mandiant's naming): A .NET-based utility that creates symbolic links on network shares and then executes the BASTA ransomware executable, passing it the path to the newly created symbolic link.
  • KnotWrap (KNOTWRAP): A memory-only dropper written in C/C++ that can execute an additional payload in memory.


Security Officer Comments:
The deployment of custom tooling has aided Black Basta operations, allowing the actors to execute their attacks more effectively while staying under the radar of endpoint security products and researchers. Besides the use of custom binaries, Black Basta's operators continue to maintain relationships with other cybercriminal groups, including Storm-0506, which Microsoft recently reported exploiting an authentication bypass vulnerability in VMware ESXi (CVE-2024-37085) to deploy Black Basta ransomware on the hypervisors of a North American engineering firm. As a RaaS operation, Black Basta routinely relies on affiliates such as Storm-0506 to gain initial access to victim environments and deploy the encryptor on its behalf in exchange for a share of the ransom. With such a model in place, Black Basta is able to scale its operations and hit more victims with comparatively little effort of its own.
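One concrete check that follows from the Storm-0506 activity above: CVE-2024-37085 is abused by creating, or renaming an existing group to, an Active Directory group called "ESX Admins", which unpatched, domain-joined ESXi hosts treat as a full administrators group. The Python script below is an added example, not part of the original advisory nor of Mandiant's or Microsoft's material; it scans Windows Security audit events for that group name. The event records are constructed for this example (JSON, one per line, using the standard EventData field names of events 4727, 4728 and 4781), and the case-insensitive comparison is a conservative detection choice, not a documented ESXi matching rule.

```python
"""Flag Active Directory audit events that create, rename or populate a group
named "ESX Admins", the group name that unpatched, domain-joined ESXi hosts
treat as administrators (CVE-2024-37085).

Added example: the events below are constructed for illustration, not real
telemetry. Real events would be exported from a domain controller's Security
log (e.g. with Get-WinEvent) and mapped onto the same field names."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows Security event IDs used by this check.
GROUP_CREATED = 4727    # security-enabled global group created
MEMBER_ADDED = 4728     # member added to security-enabled global group
ACCOUNT_RENAMED = 4781  # account name (user or group) changed

# Assumption: match case-insensitively and ignore extra whitespace. This is a
# conservative choice for a detection, not a documented ESXi matching rule.
SENSITIVE_GROUP = "esx admins"


@dataclass
class Finding:
    event_id: int
    actor: str      # SubjectUserName: who made the change
    group: str      # group name as it appears in the event
    detail: str


def normalize_group(name: str) -> str:
    return " ".join(name.split()).lower()


def is_sensitive_group(name: str) -> bool:
    return normalize_group(name) == SENSITIVE_GROUP


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding if this event touches the sensitive group, else None."""
    eid = event.get("EventID")
    actor = event.get("SubjectUserName", "?")
    if eid in (GROUP_CREATED, MEMBER_ADDED):
        group = event.get("TargetUserName", "")
        if not is_sensitive_group(group):
            return None
        if eid == GROUP_CREATED:
            return Finding(eid, actor, group, "group created")
        return Finding(eid, actor, group,
                       "member added: " + event.get("MemberName", "?"))
    if eid == ACCOUNT_RENAMED:
        # Renaming an existing group is an easy way around a check that only
        # watches group creation, so 4781 is covered as well.
        new = event.get("NewTargetUserName", "")
        if is_sensitive_group(new):
            return Finding(eid, actor, new,
                           "renamed from " + event.get("OldTargetUserName", "?"))
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Scan JSON-per-line event records; malformed lines are skipped, not fatal."""
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        hit = check_event(event)
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample records (not real logs). Record 3 is benign, record 5 is a
# near-miss name, record 6 is deliberately malformed.
SAMPLE_LOG = """
{"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}
{"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"}
{"EventID": 4728, "SubjectUserName": "helpdesk1", "TargetUserName": "Domain Users", "MemberName": "CN=newhire,OU=Staff,DC=corp,DC=example"}
{"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins"}
{"EventID": 4727, "SubjectUserName": "admin2", "TargetUserName": "ESX Admins Staging"}
{"EventID": 4727, "SubjectUserName": "truncated
"""


def demo() -> List[Finding]:
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.event_id}] {f.actor} -> '{f.group}': {f.detail}")
```

Running the script on the constructed records yields three findings (the group creation, the member addition, and the rename to "esx admins") and ignores the benign membership change, the near-miss "ESX Admins Staging" group and the broken record. Patching ESXi remains the actual fix; this check is for spotting the precursor activity in the domain before an affiliate reaches the hypervisors.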

Suggested Corrections:
Back up your data, system images, and configurations, test the backups regularly, and keep them offline:
Ensure that backups are tested regularly and are not reachable from the business network, as many ransomware variants look for accessible backups and encrypt or delete them. Maintaining current offline backups is critical: if your network data is encrypted by ransomware, your organization can still restore its systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There has been a shift in ransomware attacks from stealing data to disrupting operations. It is critically important that corporate business functions and manufacturing/production operations are separated, that internet access to operational networks is carefully filtered and limited, and that links between these networks are identified so that workarounds or manual controls can be developed to let ICS networks be isolated and keep operating if the corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most common initial access vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication helps prevent malicious access to sensitive services even when a password has been phished.

Link(s):
https://www.bleepingcomputer.com/ne...ware-switches-to-more-evasive-custom-malware/
https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight/