Leaked internal chat logs from the Black Basta Ransomware-as-a-Service (RaaS) group reveal operational tactics, including a brute-forcing framework named BRUTED, which targets edge network devices for credential-stuffing attacks. The logs, leaked by a Telegram user, indicate a shift in group dynamics and strategies that may disrupt their future operations.
Affected: Black Basta RaaS, Business Services, Industrial Machinery, Manufacturing sectors
Key points:
- Internal chat logs of Black Basta Ransomware-as-a-Service leaked by user @ExploitWhispers.
- Logs cover communications from September 2023 to September 2024, showcasing the group’s tactics and infrastructure.
- Black Basta has developed a brute-forcing framework named BRUTED, used for credential-stuffing attacks on edge network devices.
- The RaaS group uses double extortion tactics, encrypting data and threatening to leak sensitive information.
- Targeted sectors predominantly include Business Services, Industrial Machinery, and Manufacturing due to their operational significance.
- The leak may have destabilized Black Basta’s operations, leading to potential defection of members to rival groups.
- BRUTED automates mass internet scanning and credential stuffing, posing a significant security threat to organizations.
- Black Basta targets edge network devices like VPNs and firewalls, exploiting known vulnerabilities.
- The group’s operational focus allows for extensive lateral movement and infiltration in victim networks.
- Mitigation strategies for organizations include patch management and strengthening password policies.
MITRE Techniques:
- T1110.004 – Brute Force: Credential Stuffing – Automated replay of credential pairs from prior breaches against login interfaces.
- T1110.002 – Brute Force: Password Cracking – Attempting to recover user passwords through brute-force methods.
- T1190 – Exploit Public-Facing Application – Leveraging vulnerabilities in internet-facing applications for access.
- T1133 – External Remote Services – Using external services to connect with victim networks.
- T1021.001 – Remote Services: Remote Desktop Protocol (RDP) – Exploiting RDP for unauthorized access.
- T1021.004 – Remote Services: SSH – Using SSH to reach hosts inside the victim network.
- T1486 – Data Encrypted for Impact – Encrypting data for ransom demands.
- T1489 – Service Stop – Stopping services to disrupt operations.
- T1003.001 – OS Credential Dumping: LSASS Memory – Extracting credentials from system memory.
- T1003.002 – OS Credential Dumping: Security Account Manager (SAM) – Accessing credential information from the SAM database.
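The key points above describe BRUTED as a credential-stuffing engine aimed at VPNs and firewalls, and the MITRE list separates credential stuffing (T1110.004) from plain password guessing. The following is an added detection example, not code from the leak, the report or any vendor tool: it parses constructed VPN gateway auth log lines (the log format, thresholds and all addresses are assumptions) and labels each source by pattern, flagging a success that follows a burst of failures as a likely compromised account.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed VPN gateway auth log lines (sample data, not from the leak or any real device).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z vpn auth-fail src=203.0.113.9 user=alice
2024-05-01T10:00:02Z vpn auth-fail src=203.0.113.9 user=bob
2024-05-01T10:00:03Z vpn auth-fail src=203.0.113.9 user=carol
2024-05-01T10:00:04Z vpn auth-fail src=203.0.113.9 user=dave
2024-05-01T10:00:06Z vpn auth-ok src=203.0.113.9 user=frank
2024-05-01T10:00:07Z vpn auth-fail src=198.51.100.7 user=admin
2024-05-01T10:00:08Z vpn auth-fail src=198.51.100.7 user=admin
2024-05-01T10:00:09Z vpn auth-fail src=198.51.100.7 user=admin
2024-05-01T10:00:10Z vpn auth-fail src=198.51.100.7 user=admin
2024-05-01T10:03:00Z vpn auth-fail src=192.0.2.5 user=alice
2024-05-01T10:03:30Z vpn auth-ok src=192.0.2.5 user=alice
"""

LINE_RE = re.compile(r"^(\S+) vpn auth-(ok|fail) src=(\S+) user=(\S+)$")  # assumed log format

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, src, user = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ok": result == "ok", "src": src, "user": user}

def classify_sources(log_text, window_s=60, min_failures=4):
    """Find sources with >= min_failures failed logins inside a window_s sliding window.
    Mostly distinct usernames -> credential stuffing (T1110.004); one username hammered ->
    password guessing. Any success from that source after the burst is reported."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        for i in range(len(fails)):  # slide the window over this source's failures
            span = [f for f in fails[i:] if (f["ts"] - fails[i]["ts"]).total_seconds() <= window_s]
            if len(span) < min_failures:
                continue
            users = {f["user"] for f in span}
            label = "credential_stuffing" if len(users) >= max(3, len(span) // 2) else "password_guessing"
            compromised = sorted({e["user"] for e in evs if e["ok"] and e["ts"] >= span[0]["ts"]})
            findings[src] = {"pattern": label, "failures": len(span), "distinct_users": len(users), "success_after": compromised}
            break
    return findings
```

The single failure followed by a success from 192.0.2.5 stays below the threshold and is not reported, which is the behaviour you want for an ordinary mistyped password.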
Indicators of Compromise:
- [Domain] fuck-you-usa[.]com – SOCKS5 Proxy Network
- [IPv4] 45.140.17[.]40 – BRUTED Framework Infrastructure
- [IPv4] 45.140.17[.]24 – BRUTED Framework Infrastructure
- [IPv4] 45.140.17[.]23 – BRUTED Framework Infrastructure
- [IPv4] 45.155.249[.]55 – Brute Ratel C2