Black Basta ransomware group is imperiling critical infrastructure, groups warn


“In one observed case, once the initial compromise was completed, the threat actor then attempted to move laterally throughout the environment via SMB using Impacket, and ultimately failed to deploy Cobalt Strike despite several attempts,” the researchers wrote. “While Rapid7 did not observe successful data exfiltration or ransomware deployment in any of our investigations, the indicators of compromise found via forensic analysis conducted by Rapid7 are consistent with the Black Basta ransomware group based on internal and open source intelligence.”

Living off the land

Impacket is a tool administrators and hackers use to assess and secure network environments. The Black Basta intrusions Rapid7 observed used the tool to interact with Server Message Block (SMB), a protocol in Windows operating systems that allows files to be shared over a network. For an attacker in possession of the passwords securing devices inside a network, SMB can be a powerful means for spreading ransomware and other forms of malware. Cobalt Strike, meanwhile, is a tool admins and hackers use to test network security.

Black Basta and its affiliates have long been known to use a wide array of such tools, including BITSAdmin, PsExec, Remote Desktop Protocol (RDP), Splashtop, ScreenConnect, SoftPerfect, and Mimikatz. The use of legitimate tools in cyberattacks is known in security circles as living off the land. By avoiding custom software, the technique makes detection harder, because the activity blends in with routine administration.
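Because living-off-the-land activity offers no malicious binary to match on, defenders look for the behaviour instead. The script below is an added example, not code from Rapid7 or the advisories: it scans constructed Windows Security event 5145 records (network share access) for one account and source address opening administrative shares on several hosts within a short window, which is what spreading over SMB with valid passwords looks like in share-access telemetry. Field names are simplified and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 5145 records (network share object checked).
# Hosts, users and addresses are invented for illustration.
SAMPLE_EVENTS = [
    {"time": "2024-05-10T09:00:05", "src": "10.0.5.23", "user": "CORP\\jdoe", "host": "FS01", "share": "\\\\*\\Finance"},
    {"time": "2024-05-10T09:01:10", "src": "10.0.5.23", "user": "CORP\\svc_backup", "host": "WS-014", "share": "\\\\*\\ADMIN$"},
    {"time": "2024-05-10T09:01:12", "src": "10.0.5.23", "user": "CORP\\svc_backup", "host": "WS-015", "share": "\\\\*\\ADMIN$"},
    {"time": "2024-05-10T09:01:15", "src": "10.0.5.23", "user": "CORP\\svc_backup", "host": "WS-016", "share": "\\\\*\\C$"},
    {"time": "2024-05-10T09:01:20", "src": "10.0.5.23", "user": "CORP\\svc_backup", "host": "SRV-DB2", "share": "\\\\*\\ADMIN$"},
    {"time": "2024-05-10T09:30:00", "src": "10.0.9.8", "user": "CORP\\helpdesk1", "host": "WS-021", "share": "\\\\*\\ADMIN$"},
    {"time": "2024-05-10T11:45:00", "src": "10.0.9.8", "user": "CORP\\helpdesk1", "host": "WS-022", "share": "\\\\*\\ADMIN$"},
]

# Hidden administrative shares; IPC$ is deliberately left out because normal
# authentication traffic touches it constantly and would drown the signal.
ADMIN_SHARES = {"ADMIN$", "C$"}


def share_name(path):
    """Return the share component of a \\\\server\\share path, upper-cased."""
    return path.rsplit("\\", 1)[-1].upper()


def detect_smb_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag (user, src) pairs that opened admin shares on at least min_hosts
    distinct hosts inside a sliding time window. Returns a list of alerts."""
    by_actor = defaultdict(list)
    for e in events:
        if share_name(e["share"]) in ADMIN_SHARES:
            by_actor[(e["user"], e["src"])].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = []
    for (user, src), hits in by_actor.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "src": src, "hosts": sorted(hosts),
                               "first": hits[start][0].isoformat(), "last": hits[end][0].isoformat()})
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_smb_fanout(SAMPLE_EVENTS):
        print(f"ALERT: {a['user']} from {a['src']} opened admin shares on {a['hosts']} between {a['first']} and {a['last']}")
```

The help-desk account in the sample touches two hosts hours apart and is not flagged; the service account hitting four machines in ten seconds is.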

Besides social engineering to gain an initial foothold inside targeted networks, Black Basta attackers also exploit known vulnerabilities that the organizations have yet to patch. Recently exploited vulnerabilities include the critical Windows vulnerabilities known as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare, as well as CVE-2024-1709 in the ScreenConnect application made by ConnectWise.

Black Basta attackers don’t usually send ransom demands or payment information immediately after compromising a target. Instead, victims receive a unique code for communicating with the attackers over an anonymous site on the Tor network. Typically, Black Basta gives victims 10 to 12 days to pay before stolen data is published on the group’s name-and-shame site.

All three advisories include cryptographic hashes of files, IP addresses, and other forensic evidence that organizations can use to determine whether they have been targeted by Black Basta. They also provide recommendations for protecting networks against intrusions by the group and other ransomware actors.
