URL: https://www.darkreading.com/cyberattacks-data-breaches/500-victims-later-black-basta-reinvents-novel-vishing-strategy
Cyberattacks & Data Breaches | Threat Intelligence

500 VICTIMS IN, BLACK BASTA REINVENTS WITH NOVEL VISHING STRATEGY

Ransomware groups have always created problems for their victims that only they could solve. Black Basta is taking that core idea in a creative, new direction.

Nate Nelson, Contributing Writer
May 13, 2024
4 Min Read

Source: ciaobucarest via Alamy Stock Photo

A new Black Basta campaign is annoying victims into submission with onslaughts of spam emails and fake customer service representatives tricking them into downloading malware.
The news comes against the backdrop of a fresh joint cybersecurity advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC), warning about Black Basta's prolific attacks against critical infrastructure. The ransomware-as-a-service (RaaS) operation, the government says, typically uses spearphishing and software vulnerabilities to gain initial access into sensitive and high-value organizations.

But now, at least one prong of the Black Basta operation is taking a new approach. Instead of such incisive, targeted breaches, researchers from Rapid7 observed it sending gobs of spam emails to victims, only to then call them offering help. When victims accept the help, the intrusion commences.

Thus far, those victims have spanned industries such as manufacturing, construction, food and beverage, and transportation, says Robert Knapp, senior manager of incident response services at Rapid7, adding that, "given the array of organizations impacted, these attacks appear to be more opportunistic than targeted."

BLACK BASTA'S LATEST, MOST ANNOYING TRICK

Black Basta has compromised a wide range of organizations since it was first discovered in April 2022, including a dozen of the 16 US-defined critical infrastructure sectors. In total, affiliates have struck more than 500 organizations globally, most often in the US, Europe, and Australia.

Historically, the least interesting aspect of its modus operandi has been its means of obtaining initial access into systems. As the joint alert mentioned, spearphishing is its go-to, though, since February, affiliates have also been doing the job by exploiting the 10.0 "critical"-rated ConnectWise ScreenConnect bug CVE-2024-1709. The departure from that script described here has been in use since April, Rapid7 researchers said.
Attacks in the latest campaign begin with a wave of emails (enough to overwhelm basic spam protections) to a group of users in a targeted environment. Plenty of the emails themselves are legitimate, consisting mostly of sign-up notices for newsletters belonging to real, honest organizations.

With targets annoyed and confused, the attackers then start to make calls. One by one they pose as members of the targets' IT staff, offering help with the mail flood, in a variation of the classic tech-support scam. To do so, they say, the victim needs to download a remote support tool: either the AnyDesk remote monitoring and management (RMM) platform, or Windows' native Quick Assist utility. If a target does not comply, the attacker simply ends the call and moves on to the next victim.

If the target does run AnyDesk or Quick Assist, the attacker instructs them on how to hand over access to their computer. Once inside, the attacker runs a series of batch scripts masked as software updates. The first of those scripts confirms connectivity with the attacker's command-and-control (C2) infrastructure, then downloads a ZIP archive housing OpenSSH, which enables the execution of remote commands.

For its next annoying trick, the Black Basta script creates Run key entries in the Windows registry. These entries point to additional batch scripts that establish a reverse shell. Because Run keys fire at each user logon, the attacker regains a shell to the C2 infrastructure whenever the victim logs back in, including after a restart, so the foothold survives a reboot.

WHAT TO DO

Though researchers did observe the attackers harvesting some credentials, notably, they did not spot any instance of mass data exfiltration or extortion. Those steps may be yet to come.

Rapid7 recommended that organizations take stock of which RMM solutions they use, and utilize "allowlisting" tools such as AppLocker or Microsoft Defender Application Control to block any others they don't.
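The two behaviours described above, an RMM tool started outside the normal software-deployment path and a Run key pointing at a dropped batch script, are the ones a detection team would watch for first. The following is an added example, not code from the article or from Rapid7, that runs both checks over constructed Sysmon-style process-creation (event ID 1) and registry-value-set (event ID 13) records. The deployment account `CORP\svc-sccm`, the user names and every file path are assumptions made up for the sample events.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption (not from the article): software normally arrives through one
# deployment account, so an RMM binary started by anyone else is outside baseline.
EXPECTED_DEPLOY_USERS = {"CORP\\svc-sccm"}
RMM_BINARIES = {"anydesk.exe", "quickassist.exe"}

# Run/RunOnce keys are where the campaign's scripts are re-launched at logon.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT_RE = re.compile(r"\.(bat|cmd|ps1|vbs|js)(\b|$)", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)


@dataclass
class Alert:
    rule: str
    event_id: int
    detail: str


def check_process_create(ev: dict) -> Optional[Alert]:
    """Sysmon EID 1: flag an RMM tool launched by an account outside the deployment baseline."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if image in RMM_BINARIES and ev["User"] not in EXPECTED_DEPLOY_USERS:
        return Alert("rmm-outside-baseline", 1,
                     f"{ev['User']} started {ev['Image']} (parent {ev['ParentImage']})")
    return None


def check_registry_set(ev: dict) -> Optional[Alert]:
    """Sysmon EID 13: flag a Run/RunOnce value that points at a script or a user-writable path."""
    if not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    data = ev["Details"]
    if SCRIPT_RE.search(data) or USER_WRITABLE_RE.search(data):
        return Alert("runkey-script-persistence", 13, f"{ev['TargetObject']} -> {data}")
    return None


def triage(events: list) -> list:
    """Run both checks over an event stream, keeping alerts in event order."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            hit = check_process_create(ev)
        elif ev["EventID"] == 13:
            hit = check_registry_set(ev)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample events; hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\svc-sccm", "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe",
     "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe"},                       # sanctioned deployment
    {"EventID": 1, "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},                           # user ran it after a call
    {"EventID": 1, "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},                           # benign
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
     "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\update.bat"},           # batch script persistence
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},        # benign Run value
    {"EventID": 1, "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\QuickAssist.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},                           # Quick Assist by a user
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] EID {a.event_id}: {a.detail}")
```

The baseline here is deliberately crude (one deployment account); in practice it would be the set of deployment systems and service accounts Knapp describes, and the Run-key rule would also be compared against an inventory of known-good autostart entries so that legitimate installers do not page the on-call analyst.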
For extra safety, organizations can also block domains associated with such disallowed RMMs. If all else fails, Knapp says, "Should an organization be unable to outright block this activity, the recommended approach would be diligent monitoring and response procedures. Organizations can monitor for the installation and execution of AnyDesk, comparing that activity against their known methods of software deployment, which likely originates from expected deployment systems from expected user accounts, and investigate any behavior that falls outside of baselines."

ABOUT THE AUTHOR(S)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.