Leaked chats from Black Basta expose targets and tactics

New research from cybersecurity firm VulnCheck has provided an unprecedented look into the operations of the Black Basta ransomware gang, a group that has been increasingly active in attacks against organizations. Analysis of leaked chat logs from Black Basta members has revealed a wealth of information about their preferred targets, tactics, and the speed at which they operationalize vulnerabilities.

Findings from the VulnCheck report

• Targeting Known Vulnerabilities: Black Basta frequently discusses and targets known vulnerabilities with available exploits, demonstrating a focus on efficiency and rapid exploitation. The leaked chats contained 62 unique CVEs, with 53 known to be exploited in the wild, and 44 appearing in the CISA Known Exploited Vulnerabilities (KEV) catalog. This opportunistic approach is further evidenced by their discussion of three CVEs (CVE-2024-23113, CVE-2024-25600, and CVE-2023-42115) even before their official publication.
• Focus on Enterprise Technologies: Their targets are not random. Black Basta prioritizes widely-used enterprise technologies, including Microsoft products (Windows, Exchange Server, Office, Outlook, SharePoint), Citrix NetScaler, Atlassian Confluence, and network edge devices from Fortinet, Cisco, F5 Networks, and Palo Alto Networks. The group also targets email and communication services, likely for initial access and phishing campaigns.
• Targeting Speed: Black Basta often discusses vulnerabilities within days of their public disclosure, highlighting the need for organizations to patch quickly. In some instances, they even discuss vulnerabilities before official publication, emphasizing the importance of proactive vulnerability management.
• Older Vulnerabilities Remain Relevant: While they are quick to adopt new exploits, the group also maintains an interest in older vulnerabilities. A “Top 10 of 2022” list circulating among members includes vulnerabilities such as Follina (CVE-2022-30190), Log4Shell (CVE-2021-44228), and Spring4Shell (CVE-2022-22965), indicating that these older vulnerabilities remain relevant and potent.

Read the full report

What this means for businesses

These findings underscore the critical importance of proactive vulnerability management and patching. Organizations should prioritize patching known vulnerabilities, particularly those mentioned in the VulnCheck report and the CISA KEV catalog. Additionally, implementing robust email security measures and educating employees about phishing threats are crucial steps in mitigating the risk of Black Basta attacks.

“Black Basta’s opportunistic approach and rapid exploitation of vulnerabilities pose a significant threat,” says Patrick Garrity, security researcher at VulnCheck. “Organizations need to be vigilant and prioritize patching to stay ahead of these attacks.”

The Black Basta leaks provide a valuable window into the operations of a sophisticated ransomware group. By understanding their tactics, preferred targets, and the speed at which they weaponize vulnerabilities, organizations can take proactive steps to strengthen their defenses and mitigate the risk of falling victim to these attacks.