
Black Basta: Adversary Analysis

Written by Will Matthews | Jul 8, 2024 2:50:27 AM

Within months of its first public appearance, Black Basta left a significant mark in the realm of ransomware – tallying up 19 high-profile enterprise victims in the course of 100+ confirmed targets. A ransomware-as-a-service (RaaS) group responsible for 7.2% of attacks in 2023, Black Basta first emerged in early 2022. 

Unlike many of its counterparts, Black Basta adopts a surgical approach, meticulously targeting organizations across the US, Japan, Canada, the United Kingdom, Australia, and New Zealand. It’s worth noting that the group seems to give particular focus to the US and UK. 

Their modus operandi? Employing a double extortion tactic – encrypting critical data (and servers) while threatening to publicly leak sensitive information.

Sizing Up the Threat

Based on various analyses, they are actively targeting healthcare, manufacturing, critical infrastructure, and financial/legal services. However, given that Black Basta operates on a RaaS model, it would be naive to expect them to limit themselves to only those targets.

Notably, the American Dental Association fell victim to a large Black Basta attack, with its stolen data later appearing on the group’s leak site. Another notable victim was Southern Water. According to Elliptic, a British pioneer in the use of blockchain analytics for financial crime compliance, Black Basta has received at least $107 million in ransom payments since early 2022, spread across 90+ victims. The largest ransom payment received was $9 million, with at least 18 payouts exceeding $1 million.

A joint Cybersecurity Advisory published in May 2024 and co-authored by the FBI, CISA, HHS, and MS-ISAC highlights the sophistication of Black Basta and how its activity maps to the MITRE ATT&CK framework. The paper also offers some technical details on how to prevent an attack – focusing primarily on DNS, IP addresses, file hashes and defensive tooling.

What’s missing in that paper, and in so many other analyses, is information on the tools and methodologies that Black Basta uses and how they work. Those all-important but often ignored details of their MO are vital.

More often than not, it’s a simple matter of exploiting misconfigured services and errant privileges. Tools like the Qakbot trojan are used to walk straight through doors left open by unpatched (or unpatchable) vulnerabilities, poor PowerShell control in the estate, unmanaged distribution of file shares, and simple Active Directory composition errors.

The PrintNightmare vulnerability, for example, provides a favorite attack path for the organization. Based on the print spooler vulnerability, PrintNightmare is still effectively a zero-day, despite the fact that Microsoft has released multiple patches over the years. The reason? All those patches disable the spooler service, a service that many still use and need.

And even when businesses do not need the service, it can be difficult for them to clearly recognize and confirm as much. Most would rather swallow the risk to their security and avoid the guaranteed disruption to their business. 

Black Basta also exhibits considerable ambition, developing some of its own tooling. To encrypt VMware ESXi virtual machines, the group developed a Linux build of its ransomware.

While Black Basta takes a diverse, opportunistic, and somewhat sophisticated approach to initial infiltration – requiring it to bypass and evade technologies like antivirus, EDR, IPS, and sandboxing – its approach to spreading across the network is typically much simpler. It exploits the presence of SMB and RDP protocols, their configuration (or rather misconfigurations), and poor cyber hygiene.

Sinisterly Simple Tactics

The reason behind Black Basta's use of these simplistic lateral movement techniques is clear: they are effective. 

The reasons these misconfigurations persist are many. But here are the basics:

  • They are so pervasive that their correction would require a full-blown project. (Projects take time and resources)
  • The costs of remediation are guaranteed, while the costs of exploitation are not.
  • For most organizations, ransoms will be affordable (at least relatively speaking). They’re designed that way to improve the appeal of payment over prevention.

On the face of it, the logic checks out. But in truth, it’s deceptive. According to the BBC, 82% of British organizations opt to pay the ransom, yet a mere 4% of them managed to successfully recover their data.

Worse still, there's the danger that once an organization falls victim to such attacks, it becomes a prime target for subsequent assaults. Sometimes by other threat actors and sometimes by those they already paid. 

The Problem With A Traditional Approach to Prevention 

So, what are the costs of manually addressing misconfigurations? Take, for example, a project simply to contain the breach of an actor like Black Basta on a network with 10,000 devices.

Manually bringing protocols such as SMB and RDP under control in a network of 10,000 devices involves several steps, each with associated costs, staffing requirements, timeframes, and business risks.

  • Project Team Formation
    • Recruit subject matter experts in network security, administrators proficient in network infrastructure, scriptwriters for automation tasks, and project managers to oversee the entire process.
  • Current Usage Audit and Planning
    • Conduct a comprehensive audit of the current usage of SMB and RDP across the network.
    • Identify vulnerabilities, misconfigurations, and potential points of exploitation.
    • Develop a strategic plan outlining objectives, timelines, and resource allocations for addressing identified issues.
  • Business Risk Assessment
    • Assess the potential impact of unsecured SMB and RDP protocols on critical business operations.
    • Evaluate the financial, reputational, and operational risks associated with potential security breaches.
    • Prioritize actions based on risk severity and organizational priorities.
  • Testing
    • Set up a controlled testing environment to simulate various attack scenarios targeting SMB and RDP.
    • Assess the effectiveness of proposed security measures in mitigating identified vulnerabilities.
    • Conduct penetration testing to identify any overlooked weaknesses and validate the efficacy of implemented controls.
  • Deployment
    • Implement recommended security configurations and best practices for SMB and RDP across the network infrastructure.
    • Utilize automation tools and scripts to streamline the deployment process and ensure consistency.
    • Monitor the deployment phase closely to address any unforeseen issues and minimize disruptions to operations.
  • Training and Awareness
    • Provide training sessions and awareness programs educating employees about the risks associated with SMB and RDP usage.
    • Promote best practices for securely accessing and utilizing network resources.
    • Encourage employees to report any suspicious activities or security concerns (especially as they relate to SMB and RDP).
  • Continuous Monitoring and Improvement
    • Implement robust monitoring mechanisms to track and analyze network traffic associated with SMB and RDP protocols.
    • Set up alerts for any anomalies or unauthorized access attempts.
    • Regularly review and update security policies and configurations based on emerging threats and industry best practices.
  • Documentation and Reporting
    • Maintain detailed documentation of all implemented security measures, configurations, and incident response procedures.
    • Generate regular reports to provide stakeholders with insights into the effectiveness of the implemented controls and ongoing security posture.

Such a project performed manually could take anything from 9 months to 18 months to complete: clearly the opportunity costs alone would be enormous – as key staff are pulled away from other initiatives and valuable labor hours are poured into a project with no guarantee of success. And this is just for two pretty standard protocols. Not to mention the myriad other misconfigurations that litter a network.
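The audit step above (establishing current SMB and RDP usage, together with the spooler and NTLM settings discussed earlier in the post) has to start with a per-host inventory of the relevant settings. The script below is an added example written for this post; it is not GYTPOL's code or any tool the post describes. It runs read-only against the local Windows host, and the pass/fail thresholds, the recommendation wording, and the assumed OS default for LmCompatibilityLevel are assumptions to be replaced with your own baseline.

```powershell
# Added example (not GYTPOL code): read-only audit of the SMB, RDP, print spooler and
# NTLM settings on one Windows host. Run in an elevated PowerShell session.
# Thresholds and recommendation text are assumptions for illustration.

function Get-RegValue {
    # Returns a registry value, or $null when the key/value is absent (absent = OS default).
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-LateralMovementHygiene {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Area, $Check, $Value, $Ok, $Note) {
        $findings.Add([pscustomobject]@{ Area = $Area; Check = $Check; Value = $Value; Ok = $Ok; Note = $Note })
    }

    # --- SMB server: protocol version, signing, shares and live sessions ---
    $smb = Get-SmbServerConfiguration
    Add-Finding 'SMB' 'SMBv1 enabled' $smb.EnableSMB1Protocol (-not $smb.EnableSMB1Protocol) 'Disable SMBv1; legacy enumeration and exploits depend on it'
    Add-Finding 'SMB' 'Signing required' $smb.RequireSecuritySignature $smb.RequireSecuritySignature 'Required signing stops relay of captured NTLM authentication'
    $shares = @(Get-SmbShare | Where-Object { -not $_.Special })
    Add-Finding 'SMB' 'Non-default shares' ($shares.Name -join ',') ($shares.Count -eq 0) 'Every non-administrative share needs a known owner; remove the redundant ones'
    $sessions = @(Get-SmbSession -ErrorAction SilentlyContinue)
    Add-Finding 'SMB' 'Active inbound sessions' $sessions.Count $true 'Zero sessions across a sampling window is evidence the host need not serve SMB'

    # --- RDP: is it on, and is Network Level Authentication enforced? ---
    $rdpDenied = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $rdpEnabled = ($rdpDenied -eq 0)
    Add-Finding 'RDP' 'RDP enabled' $rdpEnabled (-not $rdpEnabled) 'Disable RDP where nobody connects; otherwise restrict it to a jump-host range'
    $nla = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
    Add-Finding 'RDP' 'NLA required' ($nla -eq 1) ((-not $rdpEnabled) -or ($nla -eq 1)) 'NLA forces authentication before a session is created'

    # --- Print spooler (the PrintNightmare surface) ---
    $spooler = Get-Service -Name Spooler
    Add-Finding 'Spooler' 'Service status' "$($spooler.Status)/$($spooler.StartType)" ($spooler.Status -ne 'Running') 'Stop and disable the spooler on hosts that do not print'
    $pnp = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' 'RestrictDriverInstallationToAdministrators'
    Add-Finding 'Spooler' 'Driver install restricted to admins' $pnp (($pnp -eq 1) -or ($spooler.Status -ne 'Running')) 'Hardening setting for hosts that must keep the spooler'

    # --- NTLM (Pass-the-Hash surface) ---
    $lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    if ($null -eq $lm) { $lm = 3 }   # assumption: OS default when the value is unset
    Add-Finding 'NTLM' 'LmCompatibilityLevel' $lm ($lm -ge 5) 'Level 5 = send NTLMv2 only and refuse LM/NTLMv1'
    $restrict = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictSendingNTLMTraffic'
    Add-Finding 'NTLM' 'Outgoing NTLM restricted' $restrict ($restrict -eq 2) '2 = deny all outgoing NTLM; 1 = audit only'

    return $findings
}

# Usage: failing checks (Ok = False) sort to the top
Get-LateralMovementHygiene | Sort-Object Ok | Format-Table -AutoSize
```

Collecting this from the whole estate is the part that scales badly by hand: the function is written so it can be wrapped in Invoke-Command against a list of hosts and the results merged, which is the raw material the audit and planning step needs before any share or protocol is switched off.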

The basic formula is simple:

Costs of ransom ÷ Costs of remediation

If you get a value greater than 1, you should pursue remediation. If you get a value less than 1, you should sit tight.

The problem is that while the cost drivers are relatively straightforward, their probability weights are always going to be speculative. Which is why conducting a proper cost-benefit analysis is not so straightforward.

But what if you could pursue remediation in a highly efficient manner, with a very clear and upfront view of the costs? 

An Alternative Approach

As Black Basta navigates from one endpoint to another via SMB, in some cases it leverages PsExec in tandem with administrative privileges. Asserting control over SMB within the organizational framework is therefore paramount. Yet manual intervention poses significant challenges.

Enter GYTPOL. Leveraging unparalleled visibility and push-button remediation, GYTPOL meticulously scans SMB usage across devices, spanning Windows desktops, workstations and servers, along with Linux and macOS devices. This analysis goes beyond share and protocol logging to audit inherently insecure configurations.

GYTPOL provides actionable insights, mapping active share usage patterns and making it possible to quickly and easily deactivate redundant shares – streamlining estate audits and shrinking the attack surface.

GYTPOL extends its prowess beyond SMB to encompass RDP, the other primary Black Basta vector of proliferation – offering the organization key oversight and a new layer of control over its usage landscape. With this information, businesses can pinpoint active RDP utilization, identify areas where it remains inactive, and determine where its deactivation is warranted.

This comprehensive approach empowers organizations to optimize their RDP deployment strategies, ensuring both security and operational efficiency. This empowers Infrastructure and Security teams to remove guesswork from the equation and rapidly advance their risk reduction efforts. 

Privilege and Credential Management

Having a handle on user credentials is of paramount importance. However, getting that handle can be very challenging. GYTPOL monitors dozens of metrics to ensure that credentials aren’t being created or used insecurely – from things like password length and expiry, to UAC enablement, service account security, and beyond. 

As organizations and their networks live and grow organically, many things happen:

  • Users start and leave
  • Changes are made during an emergency and left in place
  • Services move
  • Departments and initiatives rise and fall
  • Software changes

It can leave a wealth of misconfigurations sprawled across the network that remain unseen and ignored for years.

GYTPOL provides a solution that not only brings them into focus, but also facilitates their immediate and frictionless remediation.

More Advanced Protection

As mentioned, if Black Basta can’t exploit misconfigurations, it may move on to more sophisticated methods – leveraging commercially available tools like Cobalt Strike. 

While Cobalt Strike is originally intended for legitimate penetration testing purposes, its versatility also makes it a prime choice for malicious actors.

Cobalt Strike's extensive features span a wide array of areas, making it a potent tool for attackers. But many of the risks presented can be mitigated with the help of smart automation that cleans the device estate.

Here’s some of the vectors Black Basta might look to exploit using Cobalt Strike and how a tool like GYTPOL can be used to help.

Goal and Vector: Credential Theft (Pass-the-Hash, Pass-the-Ticket, Golden Ticket and Silver Ticket)

Two privilege abuse methods used by Cobalt Strike are Pass-the-Hash (PtH) and Pass-the-Ticket (PtT).

PtH is centered on NTLM and its weak hashes – reusing them to compromise systems.

PtT is similar, but focuses on Kerberos, using a captured Kerberos ticket (either from RAM, network sniffing, or another compromised system).

Golden Ticket and Silver Ticket creation rely on poor management of the Kerberos system.

Defense: GYTPOL provides almost instant visibility into where and how NTLM is being used on the network. It also allows for remediation-at-a-click.

Goal and Vector: Domain Enumeration

SMB Spider is a mechanism used by Cobalt Strike for enumerating file and print services, uploading and downloading files, credential theft, data exfiltration, and using hosts to pivot traffic through the network.

Defense: GYTPOL gives you a handle on SMB usage within an organization and singles out SMBv1 as particularly problematic. Shutting that vector down will greatly hamper exploit efforts, while improving overall security.

Goal and Vector: Domain Persistence

Defense: GYTPOL monitors group policies and access controls to remove unnecessary privileges, monitoring Active Directory for changes and unusual activities.

The system provides visibility into the use of Built-in Administrator accounts (typically disabled), lists recent GPO changes, tracks Domain Admin group membership, and audits SID accounts.

GYTPOL also provides dozens of metrics to check AD, Intune, and GPO configurations.

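The credential theft and domain persistence rows above each come down to a handful of directory facts: who is in Domain Admins, whether the RID-500 Administrator is enabled, which GPOs changed recently, how old the krbtgt key is (a Golden Ticket is signed with it), which accounts carry SPNs (the targets a Silver Ticket forges against), and where NTLM is still being accepted. The script below is an added example written for this post, not GYTPOL's code; it assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain account with read access, and that it runs on a domain controller for the NTLM event summary. The 7-day GPO window, 180-day krbtgt age and 2000-event sample are assumptions.

```powershell
# Added example (not GYTPOL code): domain-level checks for persistence and
# credential-theft exposure. Assumes RSAT ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-DomainPersistenceReport {
    param([int]$GpoWindowDays = 7, [int]$KrbtgtMaxAgeDays = 180)   # assumed thresholds
    $report = [ordered]@{}

    # Domain Admins, resolved recursively so nested groups cannot hide a member
    $report.DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    # The built-in Administrator is whichever account holds RID 500, regardless of its name
    $domainSid = (Get-ADDomain).DomainSID.Value
    $builtin = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate
    $report.BuiltinAdminName      = $builtin.SamAccountName
    $report.BuiltinAdminEnabled   = [bool]$builtin.Enabled
    $report.BuiltinAdminLastLogon = $builtin.LastLogonDate

    # GPOs modified inside the window: policy is a common persistence channel
    $since = (Get-Date).AddDays(-$GpoWindowDays)
    $report.RecentGpoChanges = Get-GPO -All | Where-Object { $_.ModificationTime -gt $since } |
        Select-Object DisplayName, ModificationTime

    # krbtgt key age: forged Golden Tickets stay valid until the key has been rotated twice
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
    $report.KrbtgtPasswordAgeDays = $age
    $report.KrbtgtRotationOverdue = ($age -gt $KrbtgtMaxAgeDays)

    # User accounts with SPNs: a Silver Ticket is forged against such an account's key,
    # so stale passwords here are the thing to fix
    $report.SpnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet

    return [pscustomobject]$report
}

function Get-NtlmLogonSummary {
    # Where NTLM is still in use: successful logons (event 4624) whose authentication
    # package is NTLM, grouped by source address and workstation, from the local Security log
    param([int]$MaxEvents = 2000)   # assumed sample size
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Package = $d.AuthenticationPackageName; Source = $d.IpAddress
                               Account = $d.TargetUserName; Workstation = $d.WorkstationName }
        } |
        Where-Object { $_.Package -eq 'NTLM' } |
        Group-Object Source, Workstation | Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-DomainPersistenceReport | Format-List
Get-NtlmLogonSummary | Format-Table -AutoSize
```

The NTLM summary is the piece that turns "disable NTLM" from a policy statement into a work list: each (source, workstation) pair that still authenticates with NTLM is either a legacy dependency to fix or a host where RestrictSendingNTLMTraffic can be raised from audit to deny.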
Summary

In the fast-paced world of cybersecurity, Black Basta emerges as a formidable adversary, utilizing sophisticated tactics to target organizations globally. Employing a double extortion strategy, this Ransomware-as-a-Service entity has made a significant and very negative impact across various sectors worldwide. 

There are no silver bullets when it comes to ransomware. Despite valiant human efforts and support from EDR and perimeter security technologies, the threat of ransomware persists. 

Manual approaches to cleansing the network of misconfigurations are not fit for purpose, being time-consuming and expensive, while not particularly effective. GYTPOL provides an elegant alternative and an effective solution – taking quick stock of security gaps and offering immediate remediation.

In short, the system acts as force-multiplier for Security and Infrastructure teams hoping to prevent ransomware attacks.