Cyber Threat Intelligence Briefing - May 20, 2024

This week, we explore Black Basta ransomware gang tactics, techniques, and procedures, and a vulnerability roundup of CVEs for Google Chrome, F5 BIG-IP, and the Cacti Network Monitoring Framework.

Black Basta Ransomware

Reporting from CISA and Microsoft in recent days highlights updated tactics, techniques, and procedures (TTPs) for the Black Basta ransomware gang.

Black Basta has been in operation since 2022, and is believed to be comprised of former Conti ransomware members. During this two year active streak, the group has targeted over 500 entities across the globe. Like many of their ransomware counterparts, Black Basta is a double-extortion group, where they will encrypt systems in the target environment as well as exfiltrate and disclose data if the ransom is not paid.

Initial Access

Black Basta and their affiliates use a variety of techniques to gain an initial foothold in the target environment. The group uses remote exploitation of vulnerable services, social engineering, or valid credentials to gain access.

• Beginning February 2024, Black Basta has been observed exploiting CVE-2024-1709, an authentication bypass vulnerability in ConnectWise ScreenConnect 23.9.7 and prior.
• Black Basta affiliates have been observed using traditional spearphishing techniques.
• Microsoft Threat Intelligence observed Storm-1811 (a cybercriminal group/affiliate known to deploy Black Basta) using vishing (voice phishing) to impersonate Microsoft tech support to convince the target user to use Quick Assist to give the threat actor control of the device.
  • Quick Assist is a built-in remote access tool on Windows that allows a user to share their device over a remote connection.
  • The threat actor will subscribe the target to various email subscription services, effectively "mailbombing" their target. This "technical issue" is the ruse used by the threat actor to convince the victim they are from tech support.

Privilege Escalation

Black Basta has been observed leveraging the hacking tool Mimikatz to dump credentials and elevate privileges. Additionally, the group has been observed exploiting the following vulnerabilities:

• ZeroLogon (CVE-2020-1472) - Vulnerability in the NETLOGON protocol that allows an attacker with network access to a vulnerable domain controller to gain administrator privileges.
• NoPac (CVE-2021-42273 and CVE-2021-42287) - When combined, these Active Directory flaws allow a regular user to become domain administrator.
• PrintNightmare (CVE-2021-34527) - A critical vulnerability in the Windows Print Spooler Service that allows for an authenticated local or remote attacker to run code with SYSTEM privileges.

Lateral Movement

Black Basta uses a variety of common administrative tools for lateral movement throughout the target network, including BITSAdmin, PsExec, Remote Desktop Protocol (RDP), Splashtop, and Screen Connect. Cobalt Strike was also observed being leveraged by affiliates and is the only tool in this category considered malicious.

Exfiltration and Encryption

• Black Basta affiliates have been observed using rclone to exfiltrate data prior to encryption.
• The group attempts to disable antivirus tools using PowerShell and a custom tool called Backstab.
• Encrypted files will have a .basta file extension.
• Volume shadow copies are deleted using exe.

How To Protect Your Organization

• User awareness training - While Black Basta does sometimes use remote exploitation, they have commonly been observed using various social engineering attacks to gain their initial foothold. Users should be trained to not give remote access or control to anyone who calls them. Users should also exercise extreme caution when clicking any links or downloading attachments sent via email.
• Implement multi-factor authentication (MFA) wherever possible - This can help prevent abuse of compromised credential attacks.
• Patch, patch, patch! - Black Basta has been observed exploiting multiple vulnerabilities, many of which are several years old. Having a fully patched environment can remove many of the methods used by this group.
• Understand and document which tools are allowed and used in your environment - This is increasingly important in the modern ransomware era. Gangs such as Black Basta heavily leverage commercial and open-source administrative tools to accomplish their goals. Since these tools are technically legitimate, their usage is rarely flagged by EDR or antivirus tools and the activity largely goes unnoticed by administrators.
  • Set and enforce a policy that only allows for certain approved tools to be used in the environment.
  • Baseline usage and activity of these tools to detect anomalous behavior.
• Additional mitigation strategies can be found in the CISA report here.

Additional Resources

• https://www.cisa.gov/sites/default/files/2024-05/aa24-131a-joint-csa-stopransomware-black-basta_1.pdf
  
• https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
  
• https://www.bleepingcomputer.com/news/security/cisa-black-basta-ransomware-breached-over-500-orgs-worldwide/
  
• https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-in-black-basta-ransomware-attacks/
  
• https://www.crowdstrike.com/blog/cve-2020-1472-zerologon-security-advisory/
  
• https://www.crowdstrike.com/blog/nopac-exploit-latest-microsoft-ad-flaw-may-lead-to-total-domain-compromise/
  
• https://www.tenable.com/blog/cve-2021-34527-microsoft-releases-out-of-band-patch-for-printnightmare-vulnerability-in-windows

Vulnerability Roundup

Multiple 0-days Fixed in Google Chrome

Three high-severity 0-days for Chrome were disclosed by Google. While little detail was revealed regarding these vulnerabilities, they are all under active exploitation and administrators should update Chrome to 125.0.6422.60 or higher as soon as possible.

• CVE-2024-4671 - A use-after-free bug in the Visuals component which can lead to a crash or code execution.
• CVE-2024-4761 - An out-of-bounds write bug in the V8 JavaScript and WebAssembly engine. These types of bugs can lead to data corruption, denial-of-service via a crash, or arbitrary code execution.
• CVE-2024-4947 - A type-confusion bug in the V8 JavaScript and WebAssembly engine, which can lead to out-of-bounds memory access, cause a crash, or execute arbitrary code.

Critical Vulnerabilities in F5 BIG-IP Next Central Manager

F5 released fixes for two vulnerabilities in their BIG-IP Next Central Manager product. This tool allows administrators to control on-prem or cloud BIG-IP Next instances via a management user interface. 

• CVE-2024-26026 - SQL injection vulnerability in BIG-IP Next Central Manager API, allows for authentication bypass.
• CVE-2024-21793 - OData injection vulnerability in BIG-IP Next Central Manager API. This flaw only exists when LDAP is enabled. This can lead to sensitive information disclosure, such as the admin password hash.

According to security firm Eclypsium, who published proof-of-concept exploit code, rogue accounts created after compromising a vulnerable device are not visible from Next Central Manager.

Administrators are urged to patch as soon as possible. If a patch cannot be applied in a timely manner, administrators should restrict access to Next Central Manager to only trusted networks.

Critical Vulnerabilities in Cacti Network Monitoring Framework

A dozen security issues have been addressed in a security update for Cacti, the open-source network monitoring tool. Among these flaws are two critical vulnerabilities that can lead to remote code execution:

• CVE-2024-25641 - File write vulnerability in the "Package Import" feature allows authenticated users with the "Import Templates" permission to execute arbitrary PHP code.
• CVE-2024-29895 - Command injection vulnerability allowing unauthenticated users to execute arbitrary commands no the server when the "register_argc_argv" option of PHP is on.

These flaws affect all versions of Cacti, including and prior to 1.2.26. Administrators are urged to update to version 1.2.27 as soon as possible.

Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.

If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.

DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.