Introduction
In the constantly evolving realm of cyber threats, new groups consistently arise, creating turmoil for organizations worldwide. One such group that gained infamy in 2022 is the Russian-speaking threat actor known as Black Basta. With their advanced techniques and highly publicized attacks, Black Basta has become a significant worry for organizations in Europe and English-speaking nations. This blog examines the key traits of Black Basta and offers insights into their recent activities, including their targeted attack on ABB, a renowned automation specialist. DNS, as always, is leveraged during the Black Basta attack chain.
Understanding Black Basta
Uncovered in 2022, Black Basta is an aggressive and highly active cybercriminal organization. Their targets span across both public and private sector entities, employing various tactics to infiltrate systems and extract sensitive data. This group has been associated with the financial cybercrime gang FIN7 (also referred to as Carbanak). Black Basta is known for their use of double extortion methods. This approach involves encrypting company data and demanding substantial ransoms for decryption and additional sums for preventing public exposure of the data.
Black Basta has consistently targeted organizations in Europe and English-speaking countries. Among their victims are well-known entities such as the American Dental Association (ADA), Sobeys, Knauf, Yellow Pages Canada, and most recently, ABB.
A History of Malicious Activity
Prior to the ABB attack, Black Basta was behind a string of cyberattacks impacting organizations in the US, Canada, and Europe:
- In April 2022, the ADA, an oral hygiene advocacy association, suffered a damaging cyberattack, leading to the shutdown of critical systems and disrupting services for 175,000 members. The attackers leaked a significant amount of stolen data, including compromised W2 forms, NDAs, accounting spreadsheets, and sensitive information on ADA members.
- In April 2022, Canadian national grocery retailer Sobeys experienced IT system issues with ransom demands of up to $2 million. The attack impacted Sobeys’ extensive network of 1,500 stores and 134,000 employees across ten provinces.
- German multinational building materials producer Knauf encountered a breach in June 2022. The stolen files included email communications, user credentials, employee contact information, production documents, and ID scans.
- In March 2023, Black Basta launched a cyber assault on Yellow Pages, a prominent Canadian directory publisher. The breach resulted in the leak of sensitive documents containing personal information, such as ID documents with individuals’ date of birth and address, tax documents with Social Insurance Numbers, as well as sales and purchase agreements.
The Tactics, Techniques, and Procedures (TTPs) Used in the Recent Attack on ABB
On May 7th, 2023, Black Basta targeted ABB, a multinational company specializing in industrial control systems (ICS) and SCADA systems for manufacturing and energy suppliers. The breach resulted in the disabling of numerous devices within ABB’s infrastructure.
In response ABB promptly severed VPN connections with its customers in order to prevent the ransomware from spreading. This proactive step aimed to contain the impact and protect other organizations connected to ABB’s network.
ABB further responded publicly to the attack on May 12th, assuring customers and partners that they were actively addressing the situation and minimizing its effects. Most of ABB’s systems have been restored, and ABB continues to deliver secure services to its customers.
Black Basta typically initiates the attack chain by employing spear-phishing campaigns in order to gain initial access. Black Basta collaborates with a category of cyber criminals called initial access brokers (IABs) IABs offer corporate network access in exchange for payment. These IABs sell access to compromised networks, allowing ransomware gangs to concentrate their efforts on utilizing this initial access to launch their attacks. This specialization emerged alongside the introduction of ransomware-as-a-service (RAAS) by organized crime.
After gaining initial access, Black Basta possesses a range of tools at their disposal, such as employing MimiKatz, QakBot stealer, and other techniques. Additionally, Black Basta has been observed installing and utilizing Cobalt Strike and Beacon. Cobalt Strike serves as the command and control application, while Beacons refer to callback sessions from the targeted systems. These Beacons serve as the standard malware payload used by Cobalt Strike to establish a connection with the team server.
As the attack chain unfolds further Black Basta disables antivirus products and can run an encryption payload using Powershell. The subsequent execution of Black Basta’s encryption module uses a broad variety of random filenames to escape detection by endpoint detection and response (EDR) products.
It should be noted that Black Basta has been observed to have taken specific steps to disable DNS services on compromised systems to impede the recovery process by preventing it from accessing the internet and deploying a ransomware variant that specifically targets Linux-based VMware ESXi virtual machines (VMs)1.
This is detailed TTP data2 using MITRE ATT&CK to describe the typical Black Basta attack chain:
| Initial Access | T1078 – Valid Accounts – Has been reported buying compromised accounts on underground forums to access victim systems.
T1566.001 – Phishing: Spear-phishing attachment – Mirrors technique used by Qakbot operators to distribute their payload that will deliver the ransomware. |
| Execution | T1059.003 – Command and scripting interpreter – Uses various scripting interpreters like PowerShell and Windows command shell.
T1569.002 – System services: Service execution – Stops and deletes the service named “Fax”, which it then impersonates for its encryption routing. T1047 – Windows Management Instrumentation – Has been observed to use Windows Management Instrumentation (WMI) to spread and execute files over the Network. |
| Privilege Escalation | T1068 – Exploitation for privilege escalation – Exploits the PrintNightmare vulnerability (CVE-2021-345273) to perform privileged operations. |
| Defense Evasion | T1112 – Modify registry – Modifies registry entries to enable it to replace the desktop wallpaper, set the icon associated with encrypted files, establish persistence, and disable defenses.
T1484.001 – Domain policy modification: Group policy modification – Employs a technique involving the creation of a Group Policy Object (GPO) on a compromised domain controller, which will push out the changes (disable defenses) to the Windows registry of domain-joined hosts. T1562.001 – Impair defenses: Disable or modify tools – Disables Windows Defender and Security Center. T1562.009 – Impair defenses: Safe mode boot – Disables Windows recovery and repair features and restarts the machine in safe mode. T1620 – Reflective code loading – Has some builds that are known to use reflective code loading when executing themselves. |
| Credential Access | T1003 – OS credential dumping – Uses Mimikatz4 to dump credentials. |
| Discovery | T1082 – System information discovery – Uses tools for local system scans.
T1018 – Remote system discovery – Uses tools for remote network scans. T1083 – File and directory discovery – Searches for specific files and directories related to its ransomware encryption. |
| Lateral Movement | T1570 – Lateral tool transfer – Uses tools like PsExec5 and BITSAdmin6 to spread the malware laterally across the network.
T1021.001 – Remote services: Remote Desktop Protocol7 – Uses RDP to spread and execute the malware across the network. |
| Exfiltration | T1041 – Exfiltration over C&C channel – Uses an established command-and-control (C&C) channel to exfiltrate data.
T1567 – Exfiltration over web service – Uses a tool like Rclone to copy stolen data from a client to its cloud server. |
| Impact | T1490 – Inhibit system recovery – Deletes shadow copies.
T1489 – Service stop – Stops and deletes a service named “Fax”, which it then impersonates for its encryption routine. T1486 – Data encrypted for impact – Encrypts files and adds the extension “.basta”. T1491 – Defacement – Replaces the desktop wallpaper to display the ransom note. |
(Source: TrendMicro8)
DNS on the Front Lines
DNS plays a crucial role in the kill chain of most cyberattacks, including some of the techniques used by Black Basta. Domain names have to go through DNS lookup. Almost all of the time DNS serves as a communication channel for command and control (C&C), malware downloads, and data exfiltration. To ensure comprehensive protection against cyberattacks, DNS security is vital for your clouds, on-premise resources, IT/OT environments, and remote/roaming workers.
DNS security plays a vital role in safeguarding users against malicious destinations and identifying abnormal network behavior. It helps detect advanced persistent threats, botnet communications, DNS tunneling, and data exfiltration. The logs generated by DNS activity are valuable for effective incident response. Analyzing these logs provides insights into clients’ historical resource access, enabling a better understanding of their activities.
Furthermore, contextual information obtained through DHCP fingerprinting and IPAM metadata offers additional insights into compromised devices. This includes details such as device type, operating system information, network location, and current as well as previous IP address allocations. Leveraging this information greatly aids in event correlation and assessing the scope of an ongoing breach. It also helps establish connections between DNS requests, devices, and users.
In light of the probable origins of these attacks and the activities of threat groups like Black Basta, it is important to note that BloxOne Threat Defense also tackles EECN IPs. This feed follows a policy-based approach and includes IPs associated with countries in Eastern Europe, and China. These regions are often mentioned as sources of cyberattacks targeting the theft of intellectual property, sensitive or classified data, and credit card or financial information. It is recommended that Infoblox customers at least employ EECN to get visibility to these connections. If their organization has no requirements to engage with IP’s in those countries, consider blocking it.
In Summary
Black Basta has unleashed relentless attacks on public and private sector organizations, caused significant disruptions, financial losses, and exposed sensitive data. The recent attack on ABB highlights the need for organizations to strengthen their cybersecurity measures and remain vigilant against evolving threats. By staying informed, leveraging threat intelligence and tools like protective DNS, organizations can improve their resiliency against groups like Black Basta.
It is important to remember that DNS security (Protective DNS) is a mainstream security control. A June 2021 Gartner report recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms.
To find out more about how Infoblox can help, please reach out to us via https://info.infoblox.com/contact-form/.
- Learn more about BloxOne Threat Defense
- Learn more about protective DNS and DNS security here:
IOCs Associated with Black Basta9
SHA-256
| Black Basta’s Ransomware Binary | |
| Hash | Detection Name |
| 01fafd51bb42f032b08b1c30130b963843fea0493500e871d6a6a87e555c7bac | Ransom.Win32.BLACKBASTA.YXCEP |
| c9df12fbfcae3ac0894c1234e376945bc8268acdc20de72c8dd16bf1fab6bb70 | Ransom.Win32.BLACKBASTA.YACEJ |
| 94428d7620fff816cb3f65595978c6abb812589861c38052d30fa3c566e32256 | Ransom.Win32.BLACKBASTA.YACEDT |
| 1cad451cedeb9967c790c1671cd2e3482de87e3e802953f28e426642894ceb7b | Ransom.Win32.BLACKBASTA.YACEDT |
| 81a6c44682b981172cd85ee4a150ac49f838a65c3a0ed822cb07a1c19dab4af5 | Ransom.Win32.BLACKBASTA.YACEDT |
| 17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90 | Ransom.Win32.BLACKBASTA.YXCD2 |
| 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a | Ransom.Win32.BLACKBASTA.YXCD2 |
| 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa | Ransom.Win32.BLACKBASTA.THDBGBB |
| ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e | Ransom.Win32.BLACKBASTA.THDBIBB |
| 96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be | Ransom.Linux.BLACKBASTA.YXCFT |
| 0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef | Ransom.Linux.BLACKBASTA.YXCFJ |
| 22c1bac3755f1d3234b44b6db3864b30c34710f997db61ba46d134c6f7f4e1ff | Ransom.Win64.BLACKBASTA.YACFUT |
| 308a54f1a0cc165036d78aa618d6d4d7409eee50f536b6882550e2a7f209667c | Ransom.Win32.BLACKBASTA.YXCFU |
Black Basta’s Tools
| Hash | Detection Name |
| 8882186bace198be59147bcabae6643d2a7a490ad08298a4428a8e64e24907ad | Trojan.Win32.BLACKBASTA.YXCEJ |
| 0e2b951ae07183c44416ff6fa8d7b8924348701efa75dd3cb14c708537471d27 | Trojan.Win32.BLACKBASTA.YXCEJ |
| 0d3af630c03350935a902d0cce4dc64c5cfff8012b2ffc2f4ce5040fdec524ed | Trojan.Win32.BLACKBASTA.YXCEJ |
| df35b45ed34eaca32cda6089acbfe638d2d1a3593d74019b6717afed90dbd5f8 | Trojan.Win32.BLACKBASTA.YXCEJ |
| 3fe73707c2042fefe56d0f277a3c91b5c943393cf42c2a4c683867d6866116fc | Trojan.Win32.BLACKBASTA.YXCEJ |
| 72a48f8592d89eb53a18821a54fd791298fcc0b3fc6bf9397fd71498527e7c0e | Trojan.X97M.QAKBOT.YXCFH |
| c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166 | TrojanSpy.Win32.QAKBOT.YXCEEZ |
| ffa7f0e7a2bb0edf4b7785b99aa39c96d1fe891eb6f89a65d76a57ff04ef17ab | TrojanSpy.Win32.QAKBOT.YACEJT |
| 2083e4c80ade0ac39365365d55b243dbac2a1b5c3a700aad383c110db073f2d9 | TrojanSpy.Win32.QAKBOT.YACEJT |
| 1e7174f3d815c12562c5c1978af6abbf2d81df16a8724d2a1cf596065f3f15a2 | TrojanSpy.Win32.QAKBOT.YACEJT |
| 2d906ed670b24ebc3f6c54e7be5a32096058388886737b1541d793ff5d134ccb | TrojanSpy.Win32.QAKBOT.YACEJT |
| 72fde47d3895b134784b19d664897b36ea6b9b8e19a602a0aaff5183c4ec7d24 | TrojanSpy.Win32.QAKBOT.YACEJT |
| 2e890fd02c3e0d85d69c698853494c1bab381c38d5272baa2a3c2bc0387684c1 | TrojanSpy.Win32.QAKBOT.YACEJT |
| 580ce8b7f5a373d5d7fbfbfef5204d18b8f9407b0c2cbf3bcae808f4d642076a | Backdoor.Win32.COROXY.YACEKT |
| 130af6a91aa9ecbf70456a0bee87f947bf4ddc2d2775459e3feac563007e1aed | Trojan.Win64.QUAKNIGHTMARE.YACEJT |
| c4683097a2615252eeddab06c54872efb14c2ee2da8997b1c73844e582081a79 | PUA.Win32.Netcat.B |
| ac49c114ef137cc198786ad8daefa9cfcc01f0c0a827b0e2b927a7edd0fca8b0 | HackTool.BAT.RDPEnable.A |
| 580ce8b7f5a373d5d7fbfbfef5204d18b8f9407b0c2cbf3bcae808f4d642076a | Backdoor.Win32.COROXY.YACEKT |
URLs
| 24.178.196.44:2222 | Qakbot C&C |
| 37.186.54.185:995 | Qakbot C&C |
| 39.44.144.182:995 | Qakbot C&C |
| 45.63.1.88:443 | Qakbot C&C |
| 46.176.222.241:995 | Qakbot C&C |
| 47.23.89.126:995 | Qakbot C&C |
| 72.12.115.15:22 | Qakbot C&C |
| 72.76.94.52:443 | Qakbot C&C |
| 72.252.157.37:995 | Qakbot C&C |
| 72.252.157.212:990 | Qakbot C&C |
| 73.67.152.122:2222 | Qakbot C&C |
| 75.99.168.46:61201 | Qakbot C&C |
| 103.246.242.230:443 | Qakbot C&C |
| 113.89.5.177:995 | Qakbot C&C |
| 148.0.57.82:443 | Qakbot C&C |
| 167.86.165.191:443 | Qakbot C&C |
| 173.174.216.185:443 | Qakbot C&C |
| 180.129.20.53:995 | Qakbot C&C |
| 190.252.242.214:443 | Qakbot C&C |
| 217.128.122.16:2222 | Qakbot C&C |
| 172.105.88.234:4001 | Coroxy C&C |
| 23.106.160.188 | Cobeacon C&C |
Endnotes
- https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/black-basta
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- https://www.csoonline.com/article/3353416/what-is-mimikatz-and-how-to-defend-against-this-password-stealing-tool.html
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://learn.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool
- https://www.techtarget.com/searchenterprisedesktop/definition/Remote-Desktop-Protocol-RDP
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta
- https://documents.trendmicro.com/assets/txt/IOCs_BlackBasta_Spotlight-1gMstIg.txt
