In this post, we explore some of the tactics used by the Black Basta ransomware group to gain initial access to victims’ networks. Black Basta is a ransomware-as-a-service (RaaS) group that first appeared in April 2022. After gaining access to victims’ networks, the group escalates privileges and moves laterally within the network, identifying sensitive data and exfiltrating files before running its encryption processes. The group then drops a ransomware note and demands payment to prevent the publication of the stolen data and to obtain the keys to decrypt the encrypted files. The group targets multiple industry sectors including healthcare organizations, primarily in North America, Europe, and Australia.
The group’s tactics are constantly evolving; however, one of the most common tactics used for initial access is email phishing, either by sending an email with a hyperlink to a malicious website or an infected email attachment. The group’s phishing campaigns aim to deliver Qakbot malware, which is used to provide persistent access to victims’ networks (via autorun entries and scheduled tasks), and for running PowerShell scripts to disable security solutions. The malware is then used to deliver additional malicious payloads such as Cobalt Strike, and legitimate software tools such as Splashtop, Mimikatz, and Screen Connect.
Recently, the group has been observed using a new tactic called email bombing as an alternative way of gaining initial access to networks. With email bombing, the selected targets’ email addresses are sent large volumes of spam emails, often by signing the user up to multiple mailing lists or spamming services simultaneously. After receiving a large volume of spam emails, the user is prepared for the next stage of the attack.
The threat actor reaches out to the user, often via Microsoft Teams or over the phone, and impersonates a member of the IT help desk. The threat actor claims they have identified a problem with spam email and tells the user that they need to download a remote management tool to resolve the issue.
If the user agrees, they are talked through downloading one of several tools such as QuickAssist, AnyDesk, TeamViewer, or ScreenConnect. The threat actor then uses that tool to remotely access the user’s device. These tools may be downloaded directly from the legitimate vendor’s domain; however, since many businesses have controls in place to prevent the installation of unauthorized remote access tools, the installation executable file may be downloaded from SharePoint. Once installed, the threat actor will use the remote access to deliver a range of payloads.
Email bombing is a highly effective tactic as it creates a need to have an issue resolved. Once on the phone or in conversation via Microsoft Teams, the threat actor is able to try other methods for installing the remote access tools if they fail due to the user’s security settings.
Email bombing may be used by multiple threat actors for initial access, and phishing remains the most common method for gaining a foothold in networks for follow-on attacks. Implementing defenses against these tactics will significantly improve your defenses and make it harder for threat actors to breach your network.
An Advanced Spam Filter
An advanced spam filter is a must, as it can identify and block phishing attempts and reduce the effectiveness of email bombing. Next-gen spam filtering software incorporates AI and machine learning algorithms to thoroughly assess inbound emails, checking how they deviate from the emails typically received by the business, and helping to flag anomalies that could indicate novel phishing attempts.
A spam filter should also incorporate email sandboxing in addition to antivirus software protection, as the latter can only detect known threats. Novel malware variants and obfuscated malware are often missed by antivirus software, so a sandbox is key to blocking malware threats. After passing initial checks, an email is sent to the email sandboxing service for deep analysis, where behavior is checked for malicious actions, such as attempted C2 communications and malware downloads.
SpamTitan incorporates machine learning algorithms, sandboxing, and link scanning to provide advanced protection against phishing and malware attacks. SpamTitan was recently rated the most effective spam filter in recent independent tests by VirusBulletin, blocking 100% of phishing emails, 100% of malware, and 99.99% of spam emails, giving the solution the highest overall score out of all 11 spam filtering services put to the test.
Security Awareness Training
It is important to provide regular security awareness training to the workforce, including all employees and the C-suite. The most effective training is provided regularly in small chunks, building up knowledge of threats and reinforcing security best practices. This is easiest with a modular computer-based training course. When new tactics such as email bombing are identified, they can be easily incorporated into the training course and rolled out to end users to improve awareness of specific tactics. Also consider running phishing simulations, as these have been shown to be highly effective at reinforcing training and identifying knowledge gaps that can be addressed through further training.
TitanHQ makes this as easy as possible with the SafeTitan security awareness training and phishing simulation platform. The platform includes hundreds of engaging and enjoyable training modules covering all aspects of security and threats employees need to be aware of, while the phishing simulation platform makes it easy to create and automate internal phishing simulations, which automatically trigger relevant training content if the user fails the simulation.
Give the TitanHQ team a call today for further information on SpamTitan and Safetitan, for a product demonstration, or to arrange a free trial.