Cybersecurity researchers at VulnCheck have analyzed leaked internal conversations between members of the Black Basta ransomware group, revealing rare insights into the group's tactics and actionable advice for cybersecurity defenders. The key takeaway? Black Basta generally prioritizes known weaknesses.
Extensive Use of Known Vulnerabilities
The report reveals that Black Basta referenced 62 unique security flaws (CVEs) in their internal discussions, 85.5% of which were already being exploited in the wild.
Obviously, these are concerning figures, but they have a major silver lining: organizations can take relatively simple steps to protect themselves, by reviewing the CVE list and applying patches immediately.
Rapid Exploitation and Pre-Disclosure Mentions
Perhaps even more concerning, however, is the speed at which Black Basta reacts to new vulnerabilities. Chat logs reveal that the group discusses and acts on security flaws within days of public disclosure. In some cases, they referenced vulnerabilities even before they were officially published, suggesting access to insider information or monitoring of security advisories before public release.
Primary Targets and Attack Methods
Moreover, the research reveals that Black Basta primarily targets email services, remote access systems, and widely used enterprise security solutions. Chat logs reveal frequent discussions on technologies including:
- Microsoft Windows & Office (Outlook, Exchange, SharePoint)
- Citrix NetScaler & Fortinet FortiOS
- Atlassian Confluence & GitLab
- Zimbra & WordPress Plugins
Black Basta’s use of publicly available hacking tools is also of note. For example, VulnCheck researchers observed gang members using Metasploit, Cobalt Strike, Shodan, and Nuclei, to identify and exploit vulnerable systems.
Strategic Targeting of High-Value Victims
The report also reveals that Black Basta’s operations appear to be financially driven, with a preference for targeting high-revenue companies rather than indiscriminate attacks. Their discussions suggest that industries such as legal, financial, healthcare, and industrial sectors are particularly vulnerable, as they are more likely to pay ransoms to protect sensitive data.
Recommendations
In light of these findings, VulnCheck researchers urge organizations to:
- Apply security patches for all known vulnerabilities, especially those listed in the report.
- Monitor for unusual network activity, particularly around remote access services.
- Enhance email security to prevent phishing-based entry points.
- Restrict the use of publicly exposed remote desktop and VPN access to reduce attack surfaces.
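The first recommendation above is essentially a prioritization problem: which of the vulnerabilities a scanner reports are on a known-exploited list and sit on an internet-facing system. The script below is an added example, not code from VulnCheck or from this article; it assumes a KEV-style feed in the JSON shape of CISA's catalog (`vulnerabilities` list with `cveID` and `dueDate` fields) and uses constructed placeholder CVE ids, not real ones.

```python
"""Rank scanner findings by known-exploited status and exposure.

All data here is constructed; the CVE ids are placeholders, not real CVEs.
"""
import json

# Constructed stand-in for a KEV-style feed (assumed shape: CISA catalog JSON).
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-1900-0001", "vendorProject": "Microsoft", "product": "Exchange", "dueDate": "2025-01-15"},
 {"cveID": "CVE-1900-0002", "vendorProject": "Citrix", "product": "NetScaler", "dueDate": "2025-02-01"},
 {"cveID": "CVE-1900-0004", "vendorProject": "Fortinet", "product": "FortiOS", "dueDate": "2025-03-01"}
]}"""

# Constructed scanner output: one finding per host/CVE pair.
FINDINGS = [
    {"cve": "CVE-1900-0001", "host": "mail01", "internet_facing": True},
    {"cve": "CVE-1900-0002", "host": "vpn-gw", "internet_facing": True},
    {"cve": "CVE-1900-0003", "host": "wiki", "internet_facing": False},
    {"cve": "CVE-1900-0004", "host": "fw-edge", "internet_facing": True},
    {"cve": "CVE-1900-0005", "host": "dev-box", "internet_facing": False},
]


def load_kev(kev_json: str) -> dict:
    """Index the feed by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritise(findings: list, kev: dict) -> list:
    """Score each finding: known-exploited counts most, exposure second.
    Ties are broken by the feed's remediation due date (ISO strings sort)."""
    scored = []
    for f in findings:
        entry = kev.get(f["cve"])
        score = (10 if entry else 0) + (5 if f["internet_facing"] else 0)
        due = entry["dueDate"] if entry else None
        scored.append({**f, "kev": entry is not None, "score": score, "due": due})
    return sorted(scored, key=lambda x: (-x["score"], x["due"] or "9999"))


def exploited_share(findings: list, kev: dict) -> float:
    """Percentage of unique CVEs in the findings that appear in the feed."""
    unique = {f["cve"] for f in findings}
    return round(100 * sum(c in kev for c in unique) / len(unique), 1)


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for row in prioritise(FINDINGS, kev):
        print(f'{row["score"]:>3} {row["cve"]} {row["host"]:<8} kev={row["kev"]} due={row["due"]}')
    print(f"{exploited_share(FINDINGS, kev)}% of unique CVEs are known-exploited")
```

Swap `KEV_JSON` for the real feed and `FINDINGS` for your scanner's export, and the output becomes a patch order that reflects what groups like Black Basta actually reach for first.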
Although these findings reflect the remarkable efficacy of Black Basta, they also provide invaluable threat intelligence security teams can use to protect themselves. Staying ahead of the latest vulnerabilities has never been more important, and organizations can only achieve this by taking a proactive approach to security.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.