
The Black Basta ransomware group has been accused of building its ransomware tactics around vulnerabilities in widely used enterprise technologies.
VulnCheck security researcher Patrick Garrity identified 62 unique Common Vulnerabilities and Exposures (CVEs), 53 of which are associated with ransomware exploitation.
Exploited Vulnerability Ransomware Tactics
The leaked chat logs reveal that the Black Basta ransomware group primarily targets vulnerabilities in technologies common across organizations. Its targets include Microsoft software, Citrix NetScaler, Atlassian Confluence, and network-edge devices from Fortinet, Cisco, F5 Networks, and Palo Alto Networks.
“Although there were discussions about discovering new vulnerabilities, it became evident that Black Basta generally prioritizes known weaknesses, often leveraging available tools and proof-of-concept exploits,” Garrity wrote.
Microsoft software was the most frequently targeted in Black Basta's ransomware tactics. Key exploited CVEs include ProxyNotShell (Microsoft Exchange Server) and CVE-2020-1472 (Zerologon), a critical Windows privilege escalation vulnerability.
Other vulnerabilities include Palo Alto Networks' CVE-2024-3400, a zero-day that was widely exploited last spring, and Citrix's CVE-2023-4966, also known as CitrixBleed. These findings highlight Black Basta's preference for high-value, widely adopted enterprise vulnerabilities for maximum impact.
The Black Basta chat logs show an alarming tendency to discuss vulnerabilities just days after the corresponding security advisories, which underscores the value of fast patching and mitigation. The group prefers established vulnerabilities with publicly available exploits over discovering new ones.
Moreover, it relies on proof-of-concept exploits and available tools to simplify its attacks and make them more efficient. Although not every CVE discussed was confirmed to have been exploited directly in attacks, the logs show Black Basta taking up newly disclosed vulnerabilities soon after they were released.
Some of the most referenced vulnerabilities:
- CVE-2023-4966: A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway (CitrixBleed).
- CVE-2024-21762: A zero-day vulnerability in Fortinet’s FortiOS software.
- CVE-2024-1708 and CVE-2024-1709: Two critical ConnectWise ScreenConnect vulnerabilities, which were exploited by multiple ransomware gangs, including Black Basta.
The chat logs also highlighted vulnerabilities shared before they were publicly disclosed:
- CVE-2024-23113: A vulnerability in Fortinet FortiOS.
- CVE-2024-25600: A vulnerability in Bricks Builder WordPress Theme.
- CVE-2023-42115: A vulnerability in the Exim mail server.
Security Measures Against Ransomware Tactics
VulnCheck's research highlights the importance of organizations monitoring vulnerabilities, as delayed disclosure can leave systems exposed to ransomware extortion. Black Basta's attacks on widely known vulnerabilities illustrate the persistent challenge of protecting networks.
The growing ransomware threat extends well beyond corporations to governmental sectors such as healthcare and finance. In parallel, stolen data could be sold to foreign enterprises, further fueling cybersecurity risks.