Dive Brief:
- Researchers analyzed leaked chat logs from the infamous Black Basta ransomware gang and found references to 62 unique CVEs, 53 of which are known to have been exploited in the wild.
- Black Basta favored vulnerabilities in “widely adopted enterprise technologies” that included Microsoft products, Citrix Netscaler and Atlassian Confluence, as well as flaws in network edge devices from Fortinet, Cisco, F5 Networks and Palo Alto Networks, according to the findings by VulnCheck.
- VulnCheck’s research revealed that in many cases Black Basta members began discussing CVEs within days of security advisories being published, underscoring the importance of prompt patching and mitigations for critical flaws in widely used applications and devices.
Dive Insight:
The Black Basta chat logs offer a window into the inner workings of one of the most notorious ransomware gangs in recent years. In a blog post published this week, VulnCheck security researcher Patrick Garrity said the gang has a clear preference for targeting known vulnerabilities with publicly available exploits.
“Although there were discussions about discovering new vulnerabilities, it became evident that Black Basta generally prioritizes known weaknesses, often leveraging available tools and proof-of-concept exploits,” Garrity wrote.
Microsoft had the most vulnerabilities referenced in the chat logs with more than flaws that included the ProxyNotShell vulnerabilities in Exchange Server and CVE-2020-1472, a Windows privilege escalation bug better known as Zerologon. The vulnerability with the most references in the chat logs was CVE-2024-3400, a zero-day vulnerability in Palo Alto Networks’ PAN-OS that came under heavy exploitation last spring.
Other notable vulnerabilities discussed by Black Basta include CVE-2023-4966, a critical Citrix NetScaler ADC and NetScaler Gateway vulnerability widely known as CitrixBleed; CVE-2024-21762, a zero-day vulnerability in Fortinet’s FortiOS software that came under attack a year ago; and CVE-2024-1708 and CVE-2024-1709, two critical vulnerabilities in ConnectWise ScreenConnect that were widely exploited last year by ransomware gangs, including Black Basta.
Garrity noted, however, that chat log references do not necessarily mean Black Basta actors actually used the CVEs in attacks.
The chat logs also shed light on Black Basta’s cyberattack strategies. “The group tends to prioritize high-revenue companies over a large number of random targets,” he wrote. “Discussions suggest that fewer high-profile targets generate more revenue than mass-targeting lower-value entities.”
Garrity also said the ransomware gang focuses on organizations in the legal, financial, healthcare and industrial sectors that it believes are more likely to pay ransoms. He also noted that in some cases, Black Basta discussed selling stolen data to competitors or foreign entities.