FIN7 Cybercrime Group Likely Behind Black Basta Ransomware Campaign

Published: 23/11/2024   Category: security




Several artifacts from recent attacks strongly suggest a connection between the two operations, researchers say.



FIN7, a financially motivated cybercrime organization that is estimated to have stolen well over $1.2 billion since surfacing in 2012, is behind Black Basta, one of this year's most prolific ransomware families.
That's the conclusion of researchers at SentinelOne, based on what they say are various similarities in the tactics, techniques, and procedures between the Black Basta campaign and previous FIN7 campaigns. Among them are similarities in a tool for evading endpoint detection and response (EDR) products; similarities in the packers used to pack Cobalt Strike beacons and a backdoor called Birddog; source code overlaps; and overlapping IP addresses and hosting infrastructure.
SentinelOne's investigation into Black Basta's activities also unearthed new information about the threat actor's attack methods and tools. For example, the researchers found that in many Black Basta attacks, the threat actors use a uniquely obfuscated version of the free command-line tool AdFind for gathering information about a victim's Active Directory environment.
They found Black Basta operators are exploiting last year's PrintNightmare vulnerability in the Windows Print Spooler service (CVE-2021-34527) and the ZeroLogon flaw from 2020 in the Windows Netlogon Remote Protocol (CVE-2020-1472) in many campaigns. Both vulnerabilities give attackers a way to gain administrative access on domain controllers. SentinelOne said it also observed Black Basta attacks leveraging NoPac, an exploit that combines two critical Active Directory design flaws from last year (CVE-2021-42278 and CVE-2021-42287). Attackers can use the exploit to escalate privileges from that of a regular domain user all the way to domain administrator.
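As an added, defender-side example (not code from the article or from SentinelOne): the CVE-2021-42278 half of NoPac depends on renaming a computer account so its sAMAccountName no longer ends in `$`, which Windows records in Security event 4742 as a changed "SAM Account Name". The detector below runs over constructed sample events (the field names, user names and the DC hostnames in `DOMAIN_CONTROLLERS` are assumptions for this example) and flags that pattern.

```python
# Added example, not part of the original article. Flags Windows Security
# event 4742 (computer account changed) records whose new SAM Account Name
# no longer ends in "$", the rename step that CVE-2021-42278 abuse relies on.
from typing import Iterable, List, Tuple

# Constructed sample events modelled loosely on 4741/4742 fields.
# "-" in SamAccountName means the attribute was not changed in that event.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "DESKTOP-X1$",
     "SamAccountName": "DESKTOP-X1$"},          # normal machine-account creation
    {"EventID": 4742, "SubjectUserName": "jdoe", "TargetUserName": "DESKTOP-X1$",
     "SamAccountName": "DC01"},                 # renamed to a DC name, no "$"
    {"EventID": 4742, "SubjectUserName": "svc-sccm", "TargetUserName": "WS-042$",
     "SamAccountName": "-"},                    # unrelated attribute change
    {"EventID": 4742, "SubjectUserName": "admin1", "TargetUserName": "WS-043$",
     "SamAccountName": "WS-044$"},              # legitimate rename keeps "$"
]

# Assumed domain controller hostnames (placeholder values for this example).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def find_samaccountname_spoofing(events: Iterable[dict],
                                 dcs=DOMAIN_CONTROLLERS) -> List[Tuple[str, dict]]:
    """Return (severity, event) pairs for 4742 events whose new SAM Account
    Name lacks the trailing '$'. Severity is 'high' when the new name collides
    with a domain controller hostname, which is what NoPac needs."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        new_name = ev.get("SamAccountName", "-")
        if new_name == "-" or new_name.endswith("$"):
            continue
        severity = "high" if new_name.upper() in dcs else "medium"
        hits.append((severity, ev))
    return hits


if __name__ == "__main__":
    for severity, ev in find_samaccountname_spoofing(SAMPLE_EVENTS):
        print(f"[{severity}] {ev['SubjectUserName']} renamed "
              f"{ev['TargetUserName']} -> {ev['SamAccountName']}")
```

Pairing a hit with a 4741 creation of the same account by the same non-admin user shortly before, as in the sample, strengthens the alert.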
SentinelOne, which began tracking Black Basta in June, observed the infection chain beginning with the Qakbot Trojan-turned-malware dropper. Researchers found the threat actor using the backdoor to conduct reconnaissance on the victim network using a variety of tools, including AdFind, two custom .NET assemblies, SoftPerfect's network scanner, and WMI. It's after that stage that the threat actor attempts to exploit the various Windows vulnerabilities to move laterally, escalate privileges, and eventually drop the ransomware. Trend Micro earlier this year identified the Qakbot group as selling access to compromised networks to Black Basta and other ransomware operators.
"We assess it is highly likely the Black Basta ransomware operation has ties with FIN7," SentinelOne's SentinelLabs said in a blog post on Nov. 3. "Furthermore, we assess it is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7."
The Black Basta ransomware operation surfaced in April 2022 and has claimed at least 90 victims through the end of September. Trend Micro has described the ransomware as having a sophisticated encryption routine that likely uses unique binaries for each of its victims. Many of its attacks have involved a double-extortion technique, where the threat actors first exfiltrate sensitive data from a victim environment before encrypting it.
In the third quarter of 2022, Black Basta ransomware infections accounted for 9% of all ransomware victims, putting it in second place behind LockBit, which continued by far to be the most prevalent ransomware threat — with a 35% share of all victims, according to data from Digital Shadows.
"Digital Shadows has observed the Black Basta ransomware operation targeting the industrial goods and services industry, including manufacturing, more than any other sector," says Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a ReliaQuest company. "The construction and materials sector follows close behind as the second most targeted industry to date by the ransomware operation."
FIN7 has been a thorn in the side of the security industry for a decade. The group's initial attacks focused on credit and debit card data theft. But over the years, FIN7, which has also been tracked as the Carbanak Group and Cobalt Group, has diversified into other cybercrime operations as well, including most recently the ransomware realm. Several vendors — including Digital Shadows — have suspected FIN7 of having links to multiple ransomware groups, including REvil, Ryuk, DarkSide, BlackMatter, and ALPHV.
"So, it would not be surprising to see yet another potential association, this time with FIN7," Hoffman says. "However, it is important to note that linking two threat groups together does not always mean that one group is running the show. It is realistically possible the groups are working together."
According to SentinelLabs, some of the tools that the Black Basta operation uses in its attacks suggest that FIN7 is attempting to disassociate its new ransomware activity from the old. One such tool is a custom defense-evasion and impairment tool that appears to have been written by a FIN7 developer and has not been observed in any other ransomware operation, SentinelOne said.
