Black Basta Ransomware Group Adopts New Vishing Strategy, Targeting Over 500 Organizations
May 13, 2024
Black Basta, a notorious ransomware group, has reportedly adopted a new vishing (voice phishing) technique to trick its victims. The approach involves inundating victims with spam emails and then offering assistance through fake customer service representatives, thereby tricking them into downloading malware. The news coincides with a joint cybersecurity advisory issued by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC), underlining Black Basta's extensive attacks on critical infrastructure.
The ransomware-as-a-service (RaaS) operation, according to the government, typically employs spearphishing and software vulnerabilities to gain initial access to sensitive and high-value organizations. Researchers from Rapid7, however, have observed a shift in tactics: the group is now using spam emails followed by fraudulent assistance calls, a departure from its usual targeted breaches. The victims of these attacks span various industries, including manufacturing, construction, food and beverage, and transportation. Robert Knapp, senior manager of incident response services at Rapid7, noted that these attacks seem to be more opportunistic than targeted.
Since its discovery in April 2022, Black Basta has compromised a wide range of organizations, including 12 of the 16 US-defined critical infrastructure sectors. Affiliates have reportedly attacked over 500 organizations globally, predominantly in the US, Europe, and Australia. The group's primary method of gaining initial access to systems has been spearphishing. However, since February, affiliates have also been exploiting the critical-rated ConnectWise ScreenConnect bug CVE-2024-1709.
The latest campaign, observed since April, begins with a wave of emails, enough to overwhelm basic spam protections. The attackers then start making calls, posing as members of the targets' IT staff, and trick victims into downloading a remote support tool, either the AnyDesk remote monitoring and management (RMM) platform, or Windows' native Quick Assist utility. Once access is granted, the attacker runs a series of batch scripts disguised as software updates. These scripts establish a connection with the attacker's command-and-control (C2) infrastructure, download a ZIP archive housing OpenSSH, and create run key entries in the Windows registry to establish a reverse shell.
While some credential harvesting has been observed, there have been no instances of mass data exfiltration or extortion yet. Rapid7 advises organizations to review their RMM solutions and use 'allowlisting' tools like AppLocker or Microsoft Defender Application Control to block any others they don't use. They also recommend blocking domains associated with disallowed RMMs and monitoring for the installation and execution of AnyDesk. If blocking is not possible, diligent monitoring and response procedures are recommended.
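One way to act on the monitoring recommendation above, as an added example that is not Rapid7's or the advisory's code: a small detection routine run over constructed Sysmon-style process-creation and registry events, which flags remote-support tools executed outside an assumed allowlist (AnyDesk and Quick Assist are the two the campaign abuses) and Run key values that reference an SSH binary, the persistence pattern the article describes. The approved RMM name and all sample events are assumptions, not telemetry from any real incident.

```python
import re

# Assumed allowlist: the one RMM this organisation actually uses (hypothetical).
APPROVED_RMM = {"screenconnect.clientservice.exe"}
# Remote-support binaries worth watching; AnyDesk and Quick Assist are the two
# the campaign abuses, the approved RMM is included only to show allowlisting.
REMOTE_TOOLS = {"anydesk.exe", "quickassist.exe"} | APPROVED_RMM
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SSH_HINT = re.compile(r"\bsshd?(\.exe)?\b", re.I)


def flag_event(evt):
    """Return a finding for one Sysmon-style event dict, or None if benign."""
    if evt["EventID"] == 1:  # process creation
        image = evt["Image"].rsplit("\\", 1)[-1].lower()
        if image in REMOTE_TOOLS and image not in APPROVED_RMM:
            return f"unapproved remote tool executed: {evt['Image']} (pid {evt['ProcessId']})"
    elif evt["EventID"] == 13:  # registry value set
        if RUN_KEY.search(evt["TargetObject"]) and SSH_HINT.search(evt["Details"]):
            return f"Run key persistence referencing SSH: {evt['TargetObject']} -> {evt['Details']}"
    return None


def scan(events):
    """Run flag_event over a sequence of events and collect the findings."""
    return [f for f in map(flag_event, events) if f is not None]


# Constructed sample events (not real telemetry): an approved RMM start, an
# AnyDesk launch from a download folder, a benign process, a Run key pointing
# at an SSH binary, and a benign Run key.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"EventID": 1, "ProcessId": 5532, "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"EventID": 1, "ProcessId": 6004, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"C:\ProgramData\Update\ssh.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```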