{"id":2164,"date":"2025-03-03T08:00:00","date_gmt":"2025-03-03T08:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2164"},"modified":"2025-03-03T08:00:00","modified_gmt":"2025-03-03T08:00:00","slug":"ransomware-access-playbook-what-black-bastas-leaked-logs-reveal","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2164","title":{"rendered":"Ransomware access playbook: What Black Basta\u2019s leaked logs reveal"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Black Basta, one of the most successful ransomware groups over the past several years, had a major leak of its internal communications recently. The logs provide a glimpse into the playbook of a high-profile ransomware group and its preferred methods for gaining initial access to networks, as analysis from security researchers shows.<\/p>\n<p>\u201cKey attack vectors used by Black Basta include scanning for exposed RDP [remote desktop protocol] and VPN services \u2014 often relying on default VPN credentials or brute-forcing stolen credentials to gain initial access \u2014 and exploiting publicly known CVEs when systems remain unpatched,\u201d researchers from patch management firm Qualys wrote in <a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2025\/02\/25\/defense-lessons-from-the-black-basta-ransomware-playbook\">an analysis<\/a> of the leaked logs.<\/p>\n<p>Meanwhile, cyber threat intelligence firm KELA has observed correlations between the 3,000 unique credentials present in the leaked logs and previous data dumps from infostealing malware, suggesting relationships with other threat groups who are collecting and then selling such data.<\/p>\n<p>\u201cKELA has seen the actors sourcing credentials using vulnerabilities and phishing\/spam campaigns, as well 
as using compromised email credentials and then looking for remote access credentials in the email conversations,\u201d the KELA researchers wrote in <a href=\"https:\/\/www.kelacyber.com\/resources\/research\/inside-the-blackbasta-leak\/\">a report<\/a>. \u201cThen, these credentials were either used as initial access vector or in lateral movement phase.\u201d<\/p>\n<p>Finally, the group regularly relies on publicly known vulnerabilities in internet-facing devices, especially flaws that have proof-of-concept exploits available. According to <a href=\"https:\/\/vulncheck.com\/blog\/black-basta-chats\">an analysis<\/a> by researchers from vulnerability intelligence firm VulnCheck, the leaked Black Basta logs contained 62 unique CVEs.<\/p>\n<h2 class=\"wp-block-heading\">Weaponized exploits and common misconfigurations<\/h2>\n<p>According to VulnCheck, 53 of the 62 CVEs mentioned in the logs are known to be publicly exploited and 44 also appear in the Known Exploited Vulnerabilities (KEV) catalog maintained by the US Cybersecurity and Infrastructure Security Agency.<\/p>\n<p>Some of the vulnerabilities mentioned in the logs are old but widespread, such as the CVE-2022-30190 remote code execution flaw in the Microsoft Office remote template feature, also known as the Follina flaw, which has been <a href=\"https:\/\/www.csoonline.com\/article\/1307613\/nation-state-threat-actors-using-llms-to-boost-cyber-operations.html\">widely exploited<\/a> via malicious Word attachments. 
Other well-known flaws include <a href=\"https:\/\/www.csoonline.com\/article\/571797\/the-apache-log4j-vulnerabilities-a-timeline.html\">Log4Shell<\/a> (CVE-2021-44228), <a href=\"https:\/\/www.csoonline.com\/article\/572561\/spring4shell-assessing-the-risk.html\">Spring4Shell<\/a> (CVE-2022-22965), and <a href=\"https:\/\/www.csoonline.com\/article\/574205\/microsoft-exchange-proxynotshell-vulnerability-explained-and-how-to-mitigate-it.html\">ProxyNotShell<\/a> (CVE-2022-41028, CVE-2022-41040).<\/p>\n<p>However, according to the communication logs, Black Basta is also generally quick to discuss newly released vulnerabilities, several of which the group seems to have had access to before official publication: <a href=\"https:\/\/www.csoonline.com\/article\/1306816\/fortinet-urges-patching-n-day-bug-amid-ongoing-nation-state-exploitation.html\">Fortinet FortiOS (CVE-2024-23113)<\/a>, Bricks Builder WordPress Theme (CVE-2024-25600), and Exim Email (CVE-2023-42115).<\/p>\n<p>\u201cWithin days of new security advisories being issued, members discussed vulnerabilities related to products such as Citrix NetScaler, Check Point Quantum Security Gateways, ConnectWise ScreenConnect, Microsoft Office Outlook, Fortinet FortiSIEM, Palo Alto Networks PAN-OS, Atlassian Confluence Server and Data Center, Cisco IOS XE Web UI, Microsoft Windows, GitLab CE\/EE, and Fortinet FortiOS,\u201d the VulnCheck researchers found.<\/p>\n<p>VulnCheck has also seen evidence that suggests Black Basta members have the resources to develop new exploits or have considered buying zero-day exploits from third-party sources. 
The group has also regularly discussed a variety of offensive and defensive cybersecurity tools, including ZoomInfo, ChatGPT, GitHub, Shodan, Fofa, Metasploit, Core Impact, Cobalt Strike, and Nuclei.<\/p>\n<p>Researchers from Qualys, who performed an analysis of the vulnerabilities that mirrors VulnCheck\u2019s findings, also extracted from the logs some of the top misconfigurations that Black Basta\u2019s members seemed to be targeting.<\/p>\n<p>These include <a href=\"https:\/\/www.csoonline.com\/article\/566873\/how-to-harden-windows-10-workstations-and-servers-disable-smb-v1.html\">SMBv1 being enabled on legacy systems<\/a>; default credentials for a variety of publicly reachable devices, including servers, routers, VPNs, and IoT devices; weak configurations for popular enterprise VPN solutions from Cisco, Fortinet, and Palo Alto Networks GlobalProtect; RDP exposed on Windows servers without network filtering; public AWS S3 buckets; open Jenkins CI\/CD servers; weak MSSQL authentication; Citrix NetScaler misconfigurations; and <a href=\"https:\/\/www.csoonline.com\/article\/566127\/dont-abandon-that-domain-name.html\">orphaned DNS records for subdomains<\/a>.<\/p>\n<p>Many of these vulnerabilities remain active targets for attackers. Attack detection platform GreyNoise reported this week that 23 of the 62 vulnerabilities mentioned in the Black Basta logs <a href=\"https:\/\/www.greynoise.io\/blog\/greynoise-detects-active-exploitation-cves-black-bastas-leaked-chat-logs\">have seen active exploitation over the past 30 days<\/a>, which means organizations should immediately assess their potential exposure to them.<\/p>\n<h2 class=\"wp-block-heading\">From infostealer to ransomware<\/h2>\n<p>Infostealers are malware programs designed to scrape login information stored inside browser password stores and other applications. 
These threats are increasingly being offered as a service on cybercriminal forums, and according to a recent study, <a href=\"https:\/\/www.csoonline.com\/article\/3825453\/password-managers-under-increasing-threat-as-infostealers-triple-and-adapt.html\">their prevalence has increased three-fold<\/a> over the past year. The volume of information stolen by such tools, known as infostealer logs, has increased by 50% on the dark web over the same period.<\/p>\n<p>KELA researchers highlight one example where such information enabled Black Basta attackers to compromise a Brazilian software and tech support company. The company was compromised around Oct. 18, 2023, using RDWeb login credentials that originally appeared in infostealer logs in March 2023.<\/p>\n<p>Evidence from the Black Basta logs shows attackers sharing additional hashed credential dumps from the company, suggesting they were engaged in lateral movement. It took the attackers six months to obtain useful initial access credentials from an infostealer data dump and then only two days to compromise the company, exfiltrate data for extortion, and deploy the ransomware.<\/p>\n<p>What\u2019s scarier is that the same infostealer log that contained the initial access credentials also contained 50 other credentials, some of which appear related to clients of the Brazilian software company. 
The KELA researchers conclude that the data was likely stolen by compromising the machine of a technical support employee.<\/p>\n<p>\u201cThis structured approach, from initial access to data theft and public extortion, showcases Black Basta\u2019s strategic use of compromised credentials, internal reconnaissance, and victim profiling to maximize the impact of their ransomware campaigns,\u201d the researchers wrote.<\/p>\n<p>See also: <\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3825545\/5-things-to-know-about-ransomware-threats-in-2025.html\">5 things to know about ransomware threats in 2025<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3825444\/ransomware-gangs-extort-victims-17-hours-after-intrusion-on-average.html\">Ransomware gangs extort victims 17 hours after intrusion on average<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/2121702\/emerging-ransomware-groups-on-the-rise-who-they-are-how-they-operate.html\">Emerging ransomware groups on the rise: Who they are, how they operate<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Black Basta, one of the most successful ransomware groups over the past several years, had a major leak of its internal communications recently. The logs provide a glimpse into the playbook of a high-profile ransomware group and its preferred methods for gaining initial access to networks, as analysis from security researchers shows. 
\u201cKey attack vectors [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2157,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2164","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2164"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2164"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2164\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2157"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}