DNS Early Detection – Breaking the Black Basta Ransomware Kill Chain

The FBI, CISA, HHS, and MS-ISAC have issued a cybersecurity alert regarding the Black Basta ransomware, which has impacted at least 12 critical infrastructure sectors, particularly the Healthcare and Public Health sectors. This ransomware variant is known for its phishing attacks and exploitation of vulnerabilities, operating through a double-extortion model. Infoblox has successfully identified and blocked numerous malicious domains associated with Black Basta, helping to mitigate risks for organizations.

Affected: Healthcare and Public Health sectors, critical infrastructure sectors

Key points:

  • The FBI, CISA, HHS, and MS-ISAC have issued a joint alert on Black Basta ransomware.
  • Black Basta has affected over 500 global organizations, particularly in critical infrastructure sectors.
  • Initial access is gained through phishing and known vulnerabilities.
  • Uses a double-extortion model to encrypt systems and exfiltrate data.
  • Victims are directed to communicate through .onion URLs in ransom notes.
  • Infoblox identified and blocked 37 high-risk domains associated with Black Basta.
  • Healthcare organizations are particularly vulnerable due to reliance on technology and personal health data.
  • Infoblox Threat Intel has proven effective in identifying malicious domains sooner than OSINT.

MITRE Techniques:

  • Initial Access:
    • Phishing (T1566): Used spear phishing emails for initial access.
    • Exploit Public-Facing Application (T1190): Exploited vulnerabilities such as CVE-2024-1700 for access.
  • Privilege Escalation:
    • Exploitation for Privilege Escalation (T1068): Used credential scraping tools such as Mimikatz, and exploited vulnerabilities such as PrintNightmare.
  • Defense Evasion:
    • Masquerading (T1036): Ran reconnaissance utilities under innocuous file names.
    • Impair Defenses: Disable or Modify Tools (T1562.001): Deployed Backstab to disable EDR tools.
  • Execution:
    • Command and Scripting Interpreter: PowerShell (T1059.001): Used PowerShell to disable antivirus.
  • Impact:
    • Inhibit System Recovery (T1490): Deleted shadow copies using vssadmin.exe.
    • Data Encrypted for Impact (T1486): Encrypted files using a public key.
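The T1490 entry above (shadow copies deleted with vssadmin.exe) is one of the few host-side steps in this chain that is both noisy and easy to match. The following is an added detection example, not code from the Infoblox post or the joint advisory: it runs a simple rule over constructed process-creation events (Sysmon Event ID 1 style fields, invented here) and flags vssadmin invocations that delete shadow copies while leaving routine "list shadows" administration alone.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style fields cut down
# to what the rule needs). These are invented for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-012", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-012", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign admin activity
    {"host": "srv-file", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws-044", "user": "CORP\\asmith",
     "image": "C:\\Temp\\VSSADMIN.EXE",                 # copied binary, odd path, mixed case
     "cmdline": "VSSADMIN.EXE Delete Shadows /For=C: /Quiet"},
]

# Both the delete verb and the shadows object must be present, in that order;
# "vssadmin list shadows" must not fire.
DELETE_SHADOWS_RE = re.compile(r"\bdelete\b.*\bshadows\b", re.IGNORECASE)


def is_vssadmin(image: str) -> bool:
    """Match on the executable's file name regardless of directory or case."""
    return PureWindowsPath(image).name.lower() == "vssadmin.exe"


def detect_shadow_copy_deletion(events):
    """Return one T1490 alert per event that deletes shadow copies via vssadmin."""
    alerts = []
    for ev in events:
        if is_vssadmin(ev["image"]) and DELETE_SHADOWS_RE.search(ev["cmdline"]):
            alerts.append({
                "technique": "T1490",
                "name": "Inhibit System Recovery: shadow copy deletion via vssadmin",
                "host": ev["host"],
                "user": ev["user"],
                "cmdline": ev["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] {alert['host']} {alert['user']}: {alert['cmdline']}")
```

The rule keys on the image file name, so a copy of vssadmin.exe dropped in an unusual directory still matches, but a renamed copy would not; in Sysmon data the OriginalFileName field is the usual complement for that gap.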

Indicators of Compromise:

  • Domain: trailshop[.]net
  • Domain: realbumblebee[.]net
  • Domain: investrealtydom[.]net
  • Domain: webnubee[.]com
  • Domain: buyblocknow[.]com
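The domains above are published defanged (`[.]`), and the point of the post is that DNS traffic to them is observable before the rest of the kill chain plays out. As an added example that is not Infoblox's code, the block below refangs the five listed indicators and scans constructed DNS query log lines (a made-up "timestamp client qname qtype" format) for queries to those domains or any subdomain of them, while not matching look-alike names that merely contain an indicator as a prefix.

```python
import re

# The five indicators listed above, kept in their defanged form.
DEFANGED_IOCS = [
    "trailshop[.]net",
    "realbumblebee[.]net",
    "investrealtydom[.]net",
    "webnubee[.]com",
    "buyblocknow[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator back into a matchable, normalised hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def build_matcher(iocs):
    """Return a function that maps a queried name to the indicator it falls under, or None."""
    blocked = {refang(d) for d in iocs}

    def matches(qname: str):
        name = qname.lower().rstrip(".")
        labels = name.split(".")
        # Walk up the label suffixes so cdn.trailshop.net matches trailshop.net,
        # but webnubee.com.internal.corp (an internal name) does not match webnubee.com.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in blocked:
                return candidate
        return None

    return matches


# Constructed DNS query log lines; format and values are invented for this example.
SAMPLE_LOG = """\
2024-05-10T13:02:11Z 10.1.4.22 www.example.com. A
2024-05-10T13:02:14Z 10.1.4.22 cdn.trailshop.net. A
2024-05-10T13:02:15Z 10.1.4.31 buyblocknow.com. AAAA
2024-05-10T13:02:19Z 10.1.4.22 trailshopnet.org. A
2024-05-10T13:02:22Z 10.1.4.40 webnubee.com.internal.corp. A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def scan_dns_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return one hit per log line whose queried name falls under a listed indicator."""
    matches = build_matcher(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        ioc = matches(m["qname"])
        if ioc:
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "qname": m["qname"].rstrip("."),
                "ioc": ioc,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} (matches {hit['ioc']})")
```

Suffix matching on whole labels is what keeps the false-positive rate down: a substring check would flag `trailshopnet.org`, and a plain suffix string check would flag anything ending in the characters `...net`. The same matcher can be fed from a resolver's query log or a response policy zone hit log, with the client address giving the first host to triage.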

Full Story: https://blogs.infoblox.com/threat-intelligence/dns-early-detection-breaking-the-black-basta-ransomware-kill-chain/