500 Victims In, Black Basta Reinvents With Novel Vishing Strategy

A new Black Basta campaign is annoying victims into submission with onslaughts of spam emails and fake customer service representatives tricking them into downloading malware.

The news comes against the backdrop of a fresh joint cybersecurity advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC), warning about Black Basta's prolific attacks against critical infrastructure. The ransomware-as-a-service (RaaS) operation, the government says, typically uses spearphishing and software vulnerabilities to gain initial access into sensitive and high-value organizations.

But now, at least one prong of the Black Basta operation is taking a new approach. Instead of such incisive, targeted breaches, researchers from Rapid7 observed it sending gobs of spam emails to victims, only to then call them offering help. When victims accept the help, the intrusion commences.

Thus far, those victims have spanned industries such as manufacturing, construction, food and beverage, and transportation, says Robert Knapp, senior manager of incident response services at Rapid7, adding that, "given the array of organizations impacted, these attacks appear to be more opportunistic than targeted."

Black Basta's Latest, Most Annoying Trick

Black Basta has compromised a wide range of organizations since it was first discovered in April 2022, including a dozen of the 16 US-defined critical infrastructure sectors. In total, affiliates have struck more than 500 organizations globally, most often in the US, Europe, and Australia.

Historically, the least interesting aspect of its modus operandi has been its means of obtaining initial access into systems. As the joint alert mentioned, spearphishing is its go-to, though, since February, affiliates have also been doing the job by exploiting the 10.0 "critical"-rated ConnectWise ScreenConnect bug CVE-2024-1709. The aforementioned veering from the script has been in place since April, Rapid7 researchers said.

Attacks in the latest campaign begin with a wave of emails (enough to overwhelm basic spam protections) to a group of victims in a targeted environment. Plenty of the emails themselves are legitimate, consisting mostly of sign-up notices for newsletters belonging to real, honest organizations.

With targets annoyed and confused, the attackers then start to make calls. One by one they pose as members of the targets' IT staff, offering help with their issue, in a variation of the classic tech-support scam. To do so, they say, the victim needs to download a remote support tool, either the AnyDesk remote monitoring and management (RMM) platform, or Windows' native Quick Assist utility.

If a target does not abide, the attacker simply ends the call and moves on to their next victim.

If the target does run AnyDesk or Quick Assist, the attacker instructs them on how to hand over access to their computer. Once inside, the attacker runs a series of batch scripts masked as software updates. The first of those scripts confirms connectivity with the attacker's command-and-control (C2) infrastructure, then downloads a ZIP archive housing OpenSSH, which enables the execution of remote commands.

For its next annoying trick, the Black Basta script creates run key entries in the Windows registry. These entries point to additional batch scripts, which establish a reverse shell to be executed at run time. Thus an infinite loop is created, where an attacker gets a shell to their command-and-control (C2) any time the victim machine is restarted.

What to Do

Though researchers did observe the attackers harvesting some credentials, notably, they did not spot any instance of mass data exfiltration or extortion. Those steps may be yet to come.

Rapid7 recommended that organizations take stock of which RMM solutions they use, and utilize "allowlisting" tools such as AppLocker or Microsoft Defender Application Control to block any others they don't. For extra safety, organizations can also block domains associated with such disallowed RMMs.

If all else fails, Knapp says, "Should an organization be unable to outright block this activity, the recommended approach would be diligent monitoring and response procedures. Organizations can monitor for the installation and execution of AnyDesk, comparing that activity against their known methods of software deployment which likely originates from expected deployment systems from expected user accounts, and investigate any behavior that falls outside of baselines."