
The Black Basta ransomware group has recently launched an aggressive social engineering campaign targeting businesses. Formed from the remnants of the disbanded Conti group, Black Basta has rapidly established itself as a formidable ransomware-as-a-service (RaaS) operation. The new campaign blends phishing and vishing (voice phishing) tactics to exploit human trust rather than a software vulnerability, with the aim of gaining unauthorised access to organisations' networks. 

The Attack Strategy 

The campaign begins with an email-bombing stage, in which the targeted user's mailbox is flooded with thousands of messages in a short period. Rather than malicious attachments, these are largely genuine newsletter confirmations and sign-up notices, generated by subscribing the victim's address to large numbers of mailing lists. Because the senders are legitimate, email security controls let the messages through, and the sheer volume disrupts the user's work and buries their real mail. 

Once the user is struggling with the flood, the threat actor phones them, impersonating internal IT support. The caller offers to fix the spam problem and talks the user into granting remote access, either by installing a remote monitoring and management (RMM) tool such as AnyDesk or by launching the built-in Windows Quick Assist feature. The tactic works because the user is already looking for help, so the attacker is simply the first "IT person" to offer it; no exploit or malicious attachment is needed to obtain the initial foothold. 

Figure 1. Example spam email – rapid7.com 

Technical Breakdown

Once remote access is established, the attacker runs batch scripts that perform the following actions: 

  • Command and Control (C2) Communication: establish an outbound Secure Shell (SSH) connection to attacker-controlled servers, giving the attacker a persistent channel that blends in with ordinary encrypted traffic. 
  • Persistence: create Run key entries in the Windows registry so that the malicious tooling is launched again after a reboot, at the next logon. 
  • Credential Harvesting: prompt the user for their credentials under the guise of an update process, then exfiltrate the captured credentials to the attacker's servers. 
  • Lateral Movement: deploy tools such as Impacket and Cobalt Strike to move laterally within the network, which can lead to wider compromise and ultimately ransomware deployment. 

In some cases, Rapid7 observed the attacker attempting to deploy Cobalt Strike beacons, disguised as legitimate-looking DLL files, to other assets within the compromised network. 

Indicators of Compromise (IoCs) 

  • Mass spam emails: a sudden influx of newsletter confirmations and sign-up notices to a single mailbox. 
  • Unexpected IT support calls: calls from supposed IT staff offering unsolicited help, particularly shortly after the spam begins. 
  • Suspicious remote access activity: installation or use of RMM tools such as AnyDesk, or Quick Assist sessions, that were not initiated through the service desk. 
  • Batch script execution: unusual batch scripts, ssh client processes and outbound SSH connections from user workstations in endpoint and network logs; workstations rarely have a legitimate reason to initiate SSH to external hosts. 
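Individually, most of these host indicators are also produced by legitimate activity: a service desk really does use Quick Assist, and an administrator really does run ssh.exe. What makes the chain stand out is several stages appearing on the same host. The following is an added example (not code from the original page or from Rapid7) that classifies simplified endpoint telemetry events into the stages above and flags hosts showing more than one. The event schema, the hostnames, the file names, the allowlisted jump host address and the 203.0.113.45 destination are constructed for illustration.

```python
"""Correlate Black Basta-style host indicators per endpoint.

Added example, not from the original page or from Rapid7. The event schema is
a simplified, assumed shape (loosely modelled on Sysmon process, registry and
network events); map the field names to your own EDR export.
"""
import re
from collections import defaultdict

# Remote-access tools named in the report. Extend with whatever your own
# service desk uses, and decide whether Quick Assist is expected at all.
RMM_IMAGES = {"anydesk.exe", "quickassist.exe"}
# Assumed: the only host that workstations are permitted to reach over SSH.
SSH_ALLOWLIST = {"10.0.5.20"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
BATCH_RE = re.compile(r"\.bat\b", re.IGNORECASE)


def image_name(path):
    """Lower-case file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one telemetry event to a stage of the chain, or None if benign."""
    kind = event["type"]
    if kind == "process":
        img = image_name(event["image"])
        if img in RMM_IMAGES:
            return "rmm_tool_launched"
        if img == "cmd.exe" and BATCH_RE.search(event.get("cmdline", "")):
            return "batch_script_executed"
        if img == "ssh.exe":
            return "ssh_client_spawned"
    elif kind == "registry":
        # Run-key persistence whose value points at a batch file or the ssh client.
        data = event.get("data", "")
        if RUN_KEY_RE.search(event["key"]) and (BATCH_RE.search(data) or "ssh.exe" in data.lower()):
            return "run_key_persistence"
    elif kind == "network":
        if event.get("dst_port") == 22 and event.get("dst_ip") not in SSH_ALLOWLIST:
            return "outbound_ssh_unapproved"
    return None


def correlate(events, min_stages=2):
    """Return {host: sorted stage labels} for hosts showing >= min_stages stages.
    Requiring more than one stage keeps a lone, legitimate Quick Assist session
    or a single admin ssh session from paging anyone."""
    stages = defaultdict(set)
    for event in events:
        label = classify(event)
        if label:
            stages[event["host"]].add(label)
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}


# Constructed telemetry, not real logs. WS01 shows the full chain; WS02 is an
# administrator using ssh to the approved jump host; WS03 is a genuine
# service-desk Quick Assist session with nothing else behind it.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": "C:\\Users\\alice\\Downloads\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
    {"host": "WS01", "type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\alice\\Downloads\\update.bat"},
    {"host": "WS01", "type": "registry",
     "key": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysUpdate",
     "data": "C:\\Users\\alice\\Downloads\\update.bat"},
    {"host": "WS01", "type": "process", "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -N user@203.0.113.45"},
    {"host": "WS01", "type": "network", "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "dst_ip": "203.0.113.45", "dst_port": 22},
    {"host": "WS02", "type": "process", "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe admin@10.0.5.20"},
    {"host": "WS02", "type": "network", "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "dst_ip": "10.0.5.20", "dst_port": 22},
    {"host": "WS03", "type": "process", "image": "C:\\Windows\\System32\\QuickAssist.exe",
     "cmdline": "QuickAssist.exe"},
]

if __name__ == "__main__":
    for host, labels in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(labels))
```

Run against the sample, only WS01 is flagged, with all five stages. The `min_stages` threshold is the tuning knob: lowering it to 1 surfaces every Quick Assist session and every ssh client launch, which is useful for a hunt but too noisy for an alert. The SSH allowlist matters as well, since the C2 channel here is a standard client talking a standard protocol, and the only thing that separates it from an administrator's session is the destination.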

Mitigation Strategies 

  • User Awareness and Training: educate users about this campaign and encourage them to report suspicious emails or calls. Emphasise that genuine IT support is reached through established channels, and that an unsolicited caller should be verified by calling the service desk back on its published number. 
  • Application Allowlisting: allow only the organisation's approved remote monitoring and management tools to execute. Note that Quick Assist ships with Windows, so an allowlist aimed at third-party installers does not cover it; if the service desk does not use it, remove or block it like any other application. 
  • Email Filtering: strengthen email filtering so that bursts of newsletter confirmations to one mailbox are rate-limited or quarantined rather than delivered, and alert on them as an early warning. 
  • Network Controls: block domains associated with this campaign and newly registered domains at the web proxy, and restrict outbound SSH from user workstations to approved destinations. 
  • Endpoint Protection: use endpoint detection and response (EDR) solutions to monitor for and block malicious script execution, Run key persistence and lateral movement attempts. 

Response to an Attack 

If an organisation suspects or confirms a compromise, immediate actions should include: 

  • Isolate Affected Systems: disconnect compromised systems from the network to cut the attacker's remote access and prevent further spread. 
  • Change Credentials: reset passwords for affected accounts, revoke their active sessions, and review account activity for unauthorised access; assume any credentials entered during the "update" prompt are in the attacker's hands. 
  • Investigate and Remediate: conduct a thorough investigation to establish the extent of the breach, including other hosts the attacker may have reached laterally, and remove any malicious software. Engage cybersecurity experts if necessary. 

The Black Basta ransomware group's latest campaign highlights the importance of a multi-layered approach to cybersecurity. By combining technical defences with user education and robust incident response plans, organisations can better protect themselves against these sophisticated social engineering attacks. Staying vigilant and prepared is key to mitigating the risks posed by these evolving cyber threats. 

Further information available at: