The security provider Quadrant managed to follow a Black Basta attack live and to evaluate its technical background. The experts do not know every process inside Black Basta, but they have uncovered the loopholes the group used, which can now be monitored. This is a heavy blow for the entire Black Basta structure, which can no longer be used in this way.
Quadrant recently assisted a customer during an enterprise-wide compromise by the Black Basta ransomware group. This group is a "ransomware as a service" (RaaS) organization known to target medium-sized to large enterprises.
Black Basta live attack evaluated
The company now provides an overview of the course of the compromise and a technical analysis of the malware and techniques observed, ranging from a successful phishing campaign to an attempted ransomware detonation. Although some precise details of the threat actor's actions are still unknown, the evidence collected has allowed conclusions to be drawn about many of the exploits. Customer data has been altered for the write-up, but indicators of compromise, including malicious domain names, have been left unchanged.
The whole attack started with a phishing email that was recognized as such. After the initial phishing emails, the threat actor sent further phishing emails to the client using similar account names from different domains. The e-mails carried "Qakbot", a sophisticated Trojan that immediately began making connection attempts. The Suricata engine detected these connection attempts, but the packet inspection engine raised no alert.
Direct contact with a Russian C2 domain
Quadrant monitors inbound and outbound enterprise traffic using on-premises packet inspection engine (PIE) appliances running the Suricata detection engine. Eventually the malware found an active C2 server: only about 2 minutes elapsed between the first infection and the first successful communication between a compromised host and the C2 domain.
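The two defensive points above, connection attempts that Suricata saw without raising an alert and the short gap before the first successful C2 exchange, can be pulled out of Suricata's EVE JSON output with a small correlation script. The code below is an added example, not Quadrant's tooling or anything from the incident; the events are constructed, the internal address ranges are assumed to be RFC 1918, and the 5-minute alert window is an arbitrary choice.

```python
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed Suricata EVE JSON events (not logs from the incident): host 10.0.0.5
# fails twice, then succeeds with no alert; host 10.0.0.7's success is alerted.
SAMPLE_EVE = """
{"timestamp":"2024-01-10T09:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"flow":{"state":"new","bytes_toserver":120,"bytes_toclient":0}}
{"timestamp":"2024-01-10T09:00:30.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.11","dest_port":443,"flow":{"state":"new","bytes_toserver":120,"bytes_toclient":0}}
{"timestamp":"2024-01-10T09:02:05.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.12","dest_port":443,"flow":{"state":"established","bytes_toserver":4100,"bytes_toclient":2200}}
{"timestamp":"2024-01-10T09:03:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.9","dest_port":80,"alert":{"signature":"CONSTRUCTED test signature"}}
{"timestamp":"2024-01-10T09:03:10.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.9","dest_port":80,"flow":{"state":"established","bytes_toserver":900,"bytes_toclient":3000}}
"""
# Assumed internal address space (RFC 1918); adjust to the monitored network.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL)

def parse_eve(text):
    """Parse newline-delimited EVE JSON, attaching a parsed timestamp as '_ts'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            events.append(ev)
    return events

def unalerted_established_flows(events, window=timedelta(minutes=5)):
    """Two-way external flows with no alert for the same src/dest pair within `window`."""
    alerts = [e for e in events if e["event_type"] == "alert"]
    hits = []
    for e in events:
        if (e["event_type"] != "flow" or e["flow"]["state"] != "established"
                or e["flow"]["bytes_toclient"] == 0 or not is_external(e["dest_ip"])):
            continue  # only completed outbound exchanges count as "successful" C2
        covered = any(a["src_ip"] == e["src_ip"] and a["dest_ip"] == e["dest_ip"]
                      and abs(a["_ts"] - e["_ts"]) <= window for a in alerts)
        if not covered:
            hits.append((e["src_ip"], e["dest_ip"], e["dest_port"]))
    return hits

def seconds_to_first_success(events, src_ip):
    """Seconds from a host's first outbound attempt to its first established external flow."""
    flows = sorted((e for e in events if e["event_type"] == "flow" and e["src_ip"] == src_ip
                    and is_external(e["dest_ip"])), key=lambda e: e["_ts"])
    success = [e for e in flows if e["flow"]["state"] == "established"]
    if not flows or not success:
        return None
    return (success[0]["_ts"] - flows[0]["_ts"]).total_seconds()
```

Run against a real eve.json, the first function lists the "seen but never alerted" outbound sessions worth a hunt, and the second gives the per-host dwell time before beaconing succeeded.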
The second-stage payload, later identified as most likely the Brute Ratel penetration testing framework, was then downloaded via a connection to a Russian IP address. Administrator access was gained through several steps, after which the threat actor also added new administrator accounts to the environment. Finally, ESXi servers were encrypted, but the attack was contained and major damage was avoided.
Quadrant has documented all the insights gained into Black Basta's "backend operations" during the attack in a detailed expert write-up. The background, with all the technical data on the Black Basta attack, has been laid out and made transparent for other experts. Other security teams thus gain a good insight into Black Basta's technical platform and can more easily recognize attacks and take precautions.
Editor/sel
More at Quadrantsec.com