CISA, FBI, HHS, MS-ISAC warn critical infrastructure sector of Black Basta hacker group; provide mitigations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), published on Friday a joint Cybersecurity Advisory (CSA) addressing the Black Basta hacker group. The advisory provides cybersecurity defenders with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) used by known Black Basta ransomware affiliates, as identified through FBI investigations and third-party reporting.

Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Its affiliates have impacted various businesses and critical infrastructure organizations; as of May 2024, they have impacted over 500 private industry and critical infrastructure entities, including healthcare organizations, across North America, Europe, and Australia.

CISA and partners encourage organizations to review and implement the mitigations provided in the joint CSA to reduce the likelihood and impact of Black Basta and other ransomware incidents. Additionally, critical infrastructure organizations must install updates for operating systems, software, and firmware as soon as they are released; require phishing-resistant MFA (multi-factor authentication) for as many services as possible; and train users to recognize and report phishing attempts to mitigate cyber threats from ransomware. 

“Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data,” the advisory disclosed. “Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a [dot]onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.”

It also highlighted that healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions. “The authoring organizations urge HPH Sector and all critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from Black Basta and other ransomware attacks.”

The advisory also pointed out that Black Basta affiliates primarily use spearphishing to obtain initial access. According to cybersecurity researchers, affiliates have also used Qakbot during initial access. Starting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709. In some instances, affiliates have been observed abusing valid credentials. 

“Black Basta affiliates use tools such as SoftPerfect network scanner (netscan[dot]exe) to conduct network scanning. Cybersecurity researchers have observed affiliates conducting reconnaissance using utilities with innocuous file names such as Intel or Dell, left in the root drive C:\,” the advisory added. “Black Basta affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), for lateral movement. Some affiliates also use tools like Splashtop, Screen Connect, and Cobalt Strike beacons to assist with remote access and lateral movement.”

The advisory also disclosed that Black Basta affiliates use credential scraping tools like Mimikatz for privilege escalation. According to cybersecurity researchers, Black Basta affiliates have also exploited ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527) vulnerabilities for local and Windows Active Domain privilege escalation.

They also revealed that the Black Basta affiliates use RClone to facilitate data exfiltration prior to encryption. Prior to exfiltration, cybersecurity researchers have observed Black Basta affiliates using PowerShell to disable antivirus products, and in some instances, deploying a tool called Backstab, designed to disable endpoint detection and response (EDR) tooling. 

Once antivirus programs are terminated, a ChaCha20 algorithm with an RSA-4096 public key fully encrypts files. A [dot]basta or otherwise random file extension is added to file names and a ransom note titled readme[dot]txt is left on the compromised system. To further inhibit system recovery, affiliates use the vssadmin[dot]exe program to delete volume shadow copies.
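As an added example (not code from the advisory or this article), the following Python triage scanner walks constructed Sysmon-style process-creation events and flags the tooling described above: netscan.exe reconnaissance, binaries dropped in the root of C:\ under innocuous names, PowerShell tampering with antivirus settings, Backstab, RClone, and vssadmin shadow-copy deletion. The field names (Computer, Image, CommandLine), the rule patterns, and the sample events are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Detection rules keyed on the Black Basta tooling the advisory names.
# Each rule is (rule_name, pattern) applied to the lowercased
# "<image path> <command line>" string of a process-creation event.
RULES: List[Tuple[str, re.Pattern]] = [
    # SoftPerfect network scanner used for network discovery
    ("netscan_recon", re.compile(r"\\netscan\.exe\b")),
    # Recon binaries dropped directly in the root of C:\ under names like Intel or Dell
    ("root_drive_innocuous_exe", re.compile(r"^c:\\(intel|dell)[^\\ ]*\.exe\b")),
    # PowerShell changing Defender preferences with any -Disable* switch
    ("powershell_av_tamper", re.compile(r"powershell.*set-mppreference.*-disable\w+")),
    # Backstab EDR-killing tool
    ("backstab_edr_kill", re.compile(r"\\backstab\w*\.exe\b")),
    # RClone staged for exfiltration ahead of encryption
    ("rclone_exfil", re.compile(r"\\rclone\.exe\b")),
    # vssadmin deleting volume shadow copies to inhibit recovery
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single process-creation event matches."""
    haystack = f"{event.get('Image', '')} {event.get('CommandLine', '')}".lower()
    return [name for name, pattern in RULES if pattern.search(haystack)]


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Flatten matches into (host, rule_name, image) tuples, preserving event order."""
    return [(ev["Computer"], rule, ev["Image"])
            for ev in events for rule in classify(ev)]


# Constructed sample events (not real telemetry), Sysmon Event ID 1 style.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Computer": "WS01", "Image": r"C:\Users\alice\Downloads\netscan.exe",
     "CommandLine": "netscan.exe"},
    {"Computer": "WS01", "Image": r"C:\Dell.exe", "CommandLine": "Dell.exe"},
    {"Computer": "SRV02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Computer": "FS01", "Image": r"C:\ProgramData\rclone.exe", "CommandLine": "rclone.exe"},
    {"Computer": "SRV02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS03", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},  # benign control event
]

if __name__ == "__main__":
    for host, rule, image in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule} <- {image}")
```

In a real deployment the same rules would run over Sysmon or EDR process telemetry; a hit on shadow-copy deletion or antivirus tampering warrants immediate isolation of the host rather than ticket-queue triage.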

The advisory urged critical infrastructure organizations to align the mitigations with the cross-sector cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. 

The agencies also recommend installing updates for operating systems, software, and firmware as soon as they are released; prioritizing patching of Known Exploited Vulnerabilities (KEV); and requiring phishing-resistant MFA for as many services as possible. They further suggest training users to recognize and report phishing attempts, securing remote access software, and making backups of critical systems and device configurations so that devices can be repaired and restored.

Additionally, critical infrastructure organizations must put asset management and security in place; install modern anti-malware software and automatically update signatures where possible, as part of email security and phishing prevention; implement access management; and carry out vulnerability management and assessment to assist with prioritization.
