URL: https://www.darkreading.com/cyberattacks-data-breaches/500-victims-later-black-basta-reinvents-novel-vishing-strategy

500 VICTIMS IN, BLACK BASTA REINVENTS WITH NOVEL VISHING STRATEGY

Ransomware groups have always created problems for their victims that only they
could solve. Black Basta is taking that core idea in a creative, new direction.

Nate Nelson, Contributing Writer

May 13, 2024



A new Black Basta campaign is annoying victims into submission with onslaughts
of spam emails and fake customer service representatives tricking them into
downloading malware.

The news comes against the backdrop of a fresh joint cybersecurity advisory from
the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Department of
Health and Human Services (HHS), and Multi-State Information Sharing and
Analysis Center (MS-ISAC), warning about Black Basta's prolific attacks against
critical infrastructure. The ransomware-as-a-service (RaaS) operation, the
government says, typically uses spearphishing and software vulnerabilities to
gain initial access into sensitive and high-value organizations.



But now, at least one prong of the Black Basta operation is taking a new
approach. Instead of such incisive, targeted breaches, researchers from Rapid7
observed it sending gobs of spam emails to victims, only to then call them
offering help. When victims accept the help, the intrusion commences.



Thus far, those victims have spanned industries such as manufacturing,
construction, food and beverage, and transportation, says Robert Knapp, senior
manager of incident response services at Rapid7, adding that, "given the array
of organizations impacted, these attacks appear to be more opportunistic than
targeted."


BLACK BASTA'S LATEST, MOST ANNOYING TRICK

Black Basta has compromised a wide range of organizations since it was first
discovered in April 2022, including a dozen of the 16 US-defined critical
infrastructure sectors. In total, affiliates have struck more than 500
organizations globally, most often in the US, Europe, and Australia.



Historically, the least interesting aspect of its modus operandi has been its
means of obtaining initial access into systems. As the joint alert mentioned,
spearphishing is its go-to, though, since February, affiliates have also been
doing the job by exploiting the 10.0 "critical"-rated ConnectWise ScreenConnect
bug CVE-2024-1709. The new spam-and-call approach described above has been in
use since April, Rapid7 researchers said.



Attacks in the latest campaign begin with a wave of emails (enough to overwhelm
basic spam protections) to a group of victims in a targeted environment. Plenty
of the emails themselves are legitimate, consisting mostly of sign-up notices
for newsletters belonging to real, honest organizations.

With targets annoyed and confused, the attackers then start to make calls. One
by one they pose as members of the targets' IT staff, offering help with their
issue, in a variation of the classic tech-support scam. To do so, they say, the
victim needs to download a remote support tool, either the AnyDesk remote
monitoring and management (RMM) platform, or Windows' native Quick Assist
utility.

If a target does not abide, the attacker simply ends the call and moves on to
their next victim.

If the target does run AnyDesk or Quick Assist, the attacker instructs them on
how to hand over access to their computer. Once inside, the attacker runs a
series of batch scripts masked as software updates. The first of those scripts
confirms connectivity with the attacker's command-and-control (C2)
infrastructure, then downloads a ZIP archive housing OpenSSH, which enables the
execution of remote commands.

For its next annoying trick, the Black Basta script creates run key entries in
the Windows registry. These entries point to additional batch scripts, which
establish a reverse shell each time the user logs on. The result is persistence:
the attacker gets a fresh shell back to their C2 infrastructure any time the
victim machine is restarted.




WHAT TO DO

Though researchers did observe the attackers harvesting some credentials,
notably, they did not spot any instance of mass data exfiltration or extortion.
Those steps may be yet to come.

Rapid7 recommended that organizations take stock of which RMM solutions they
use, and utilize "allowlisting" tools such as AppLocker or Microsoft Defender
Application Control to block any they don't use. For extra safety,
organizations can also block domains associated with such disallowed RMMs.

If all else fails, Knapp says, "Should an organization be unable to outright
block this activity, the recommended approach would be diligent monitoring and
response procedures. Organizations can monitor for the installation and
execution of AnyDesk, comparing that activity against their known methods of
software deployment which likely originates from expected deployment systems
from expected user accounts, and investigate any behavior that falls outside of
baselines."
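The two detection ideas in this article, flagging RMM execution that falls outside the known deployment baseline and flagging Run-key entries that point at batch scripts, can be expressed as a small triage routine. This is an added example, not code from the article or from Rapid7; the event field names follow Sysmon conventions (event 1 = process create, 13 = registry value set), and the baseline accounts, hosts and sample events are constructed.

```python
import re

# Assumed baseline: the only account/host pair that legitimately deploys software.
EXPECTED_DEPLOY_USERS = {"CORP\\svc-sccm"}
EXPECTED_DEPLOY_HOSTS = {"deploy01"}
# Binaries for the two remote support tools named in the article.
RMM_BINARIES = {"anydesk.exe", "quickassist.exe"}
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Return a finding if an RMM tool runs outside the deployment baseline."""
    image = basename(ev["Image"])
    if image not in RMM_BINARIES:
        return None
    if ev["User"] in EXPECTED_DEPLOY_USERS and ev["Host"] in EXPECTED_DEPLOY_HOSTS:
        return None
    return f"RMM {image} run by {ev['User']} on {ev['Host']} outside baseline"


def check_registry(ev):
    """Return a finding if a Run key value points at a batch script."""
    if not RUN_KEY.search(ev["TargetObject"]):
        return None
    if not re.search(r"\.(bat|cmd)\b", ev["Details"], re.I):
        return None
    return f"Run key {ev['TargetObject']} -> batch script {ev['Details']}"


def triage(events):
    """Apply the matching check to each event and collect findings."""
    checks = {1: check_process, 13: check_registry}
    results = [checks[ev["EventID"]](ev) for ev in events if ev["EventID"] in checks]
    return [r for r in results if r]


# Constructed sample events: one sanctioned AnyDesk launch, one unsanctioned
# launch from a user's Downloads folder, one benign process, one Run-key write.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "deploy01", "User": "CORP\\svc-sccm", "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"},
    {"EventID": 1, "Host": "ws-fin-07", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"},
    {"EventID": 1, "Host": "ws-fin-07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 13, "Host": "ws-fin-07", "User": "CORP\\jdoe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update",
     "Details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.bat"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

In practice the baseline sets would be fed from the software deployment system's inventory rather than hard-coded, and the events would come from the SIEM's Sysmon feed.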




ABOUT THE AUTHOR(S)

Nate Nelson, Contributing Writer



Nate Nelson is a freelance writer based in New York City. Formerly a reporter at
Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He
writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and
Spotify -- and hosts every other episode, featuring interviews with leading
voices in security. He also co-hosts "The Industrial Security Podcast," the most
popular show in its field.
