What happened?
On 24 February, cybersecurity firm VulnCheck published an analysis of leaked chat logs from the ransomware group known as "Black Basta", giving insight into the technical vulnerabilities the group favoured in its attacks. The chat logs had been made public earlier in the month by an anonymous leaker calling themselves "ExploitWhispers". It was not clear whether this was a disgruntled former member of the group or a security researcher who had managed to gain access to the logs.
The group is one of the most prolific criminal ransomware gangs currently operating, with victims including large household-name companies and government departments, so details of its attack methods are a valuable source of intelligence for network defenders wanting to understand how their adversaries choose targets and techniques.
So what?
Perhaps unsurprisingly, the chats showed that the group largely favoured known vulnerabilities for which "proof-of-concept" (POC) exploit code was freely available. A public POC removes most of the cost of exploitation: rather than researching the bug themselves, attackers need only adapt working code, which makes compromising targets quick and cheap.
The chats also showed that the group favoured targeting initial-access (edge) devices, email and communications services, and Microsoft technologies, most likely because these are ubiquitous across organisations, provide a reliable "way in" to networks, and give rich access to data that is useful for extortion or theft.
The group is a keen consumer of new developments, quickly discussing and adopting newly disclosed vulnerabilities into its attacks. It also had prior knowledge of at least three vulnerabilities before they were officially published, indicating that it likely had relationships with other bad actors involved in the early discovery of these bugs. On some occasions the group also showed a tentative interest in purchasing exploits. Alongside its interest in newer vulnerabilities, the group continued to use older but still effective ones, showing a sustained effort to refine its attacks.
Beyond the vulnerabilities themselves, there was evidence of the group using commodity, and in many cases entirely legitimate, platforms and tools to support its attacks, including ChatGPT, ZoomInfo, GitHub, Shodan, Fofa, Metasploit, Core Impact, Cobalt Strike and Nuclei, among others.
Network defenders are encouraged to review the vulnerabilities discussed by the group, listed in the table below, against their own estate to confirm that none remain unpatched or unmitigated. Note that the list reflects what was discussed in the leaked chats rather than a complete record of everything the group has exploited. More broadly, the group's focus on Microsoft products, edge devices, and email and communications services should direct defenders' attention to new, high-impact vulnerabilities in those areas, particularly those that are being actively exploited or for which POCs are readily available.
The vulnerabilities discussed by the group
| Software | CVE Numbers |
| --- | --- |
| Fortinet | CVE-2024-23109, CVE-2024-23108, CVE-2024-21762, CVE-2024-23113 |
| Citrix Netscaler | CVE-2023-3519, CVE-2023-3467, CVE-2023-3466, CVE-2023-4966 |
| Palo Alto Networks Pan-OS | CVE-2024-3400 |
| Checkpoint | CVE-2024-24919 |
| F5 Big-IP | CVE-2022-1388 |
| Juniper OS | CVE-2023-36845, CVE-2023-36844 |
| Connectwise | CVE-2024-1709, CVE-2024-1708 |
| Microsoft Windows | CVE-2020-1472, CVE-2021-40444, CVE-2021-42287, CVE-2021-42278, CVE-2022-30190, CVE-2022-37969, CVE-2023-36874, CVE-2023-36884, CVE-2024-21338, CVE-2024-26169, CVE-2023-36394, CVE-2023-35628 |
| Zyxel | CVE-2022-30525 |
| Atlassian Confluence | CVE-2021-44228, CVE-2024-21683, CVE-2023-22515, CVE-2022-26134 |
| Brick Builders WordPress Theme | CVE-2024-25600 |
| Cisco | CVE-2023-20198 |
| Gitlab | CVE-2023-7028 |
| Google Chrome | CVE-2022-0609 |
| Intel | CVE-2017-5754, CVE-2017-5753 |
| JetBrains | CVE-2024-27198, CVE-2023-42793 |
| Jenkins | CVE-2024-23897 |
| Linux | CVE-2024-1086 |
| RARLAB | CVE-2023-38831 |
| VMware Spring | CVE-2022-22965 |
| Microsoft SharePoint | CVE-2023-29357 |
| Microsoft Office | CVE-2023-23397, CVE-2023-21716, CVE-2017-11882 |
| Microsoft Exchange | CVE-2021-26855, CVE-2021-28482, CVE-2021-42321, CVE-2022-41040, CVE-2022-41082, CVE-2023-36745 |
| Microsoft Outlook | CVE-2024-21378, CVE-2024-21413 |
| Exim | CVE-2023-42115 |
| Zimbra | CVE-2022-27925, CVE-2022-37042, CVE-2022-41352 |
| WordPress SMTP plugins | CVE-2023-6875, CVE-2023-7027 |
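As an added example (this is not code from the report or from VulnCheck), the following Python script turns the table above into a lookup and cross-references it against a vulnerability-scanner export so that a defender can see which hosts carry a CVE the group discussed. The export format (a simple host,cve CSV), the host names and the findings are all constructed for illustration. The split of products into a "high" priority tier follows the report's emphasis on edge devices, email and communications services, and Microsoft, and is this example's own reading of the report rather than a ranking the report provides. Malformed CVE identifiers in the export are reported rather than silently dropped, since a single mangled character is enough to hide a match.

```python
import csv
import io
import re

# CVE identifiers transcribed from the table above, keyed by the product the
# report lists them under (space-separated strings keep the lines short).
BLACK_BASTA_CVES = {
    "Fortinet": "CVE-2024-23109 CVE-2024-23108 CVE-2024-21762 CVE-2024-23113",
    "Citrix Netscaler": "CVE-2023-3519 CVE-2023-3467 CVE-2023-3466 CVE-2023-4966",
    "Palo Alto Networks Pan-OS": "CVE-2024-3400",
    "Checkpoint": "CVE-2024-24919",
    "F5 Big-IP": "CVE-2022-1388",
    "Juniper OS": "CVE-2023-36845 CVE-2023-36844",
    "Connectwise": "CVE-2024-1709 CVE-2024-1708",
    "Microsoft Windows": "CVE-2020-1472 CVE-2021-40444 CVE-2021-42287 CVE-2021-42278 "
                         "CVE-2022-30190 CVE-2022-37969 CVE-2023-36874 CVE-2023-36884 "
                         "CVE-2024-21338 CVE-2024-26169 CVE-2023-36394 CVE-2023-35628",
    "Zyxel": "CVE-2022-30525",
    "Atlassian Confluence": "CVE-2021-44228 CVE-2024-21683 CVE-2023-22515 CVE-2022-26134",
    "Brick Builders WordPress Theme": "CVE-2024-25600",
    "Cisco": "CVE-2023-20198",
    "Gitlab": "CVE-2023-7028",
    "Google Chrome": "CVE-2022-0609",
    "Intel": "CVE-2017-5754 CVE-2017-5753",
    "JetBrains": "CVE-2024-27198 CVE-2023-42793",
    "Jenkins": "CVE-2024-23897",
    "Linux": "CVE-2024-1086",
    "RARLAB": "CVE-2023-38831",
    "VMware Spring": "CVE-2022-22965",
    "Microsoft SharePoint": "CVE-2023-29357",
    "Microsoft Office": "CVE-2023-23397 CVE-2023-21716 CVE-2017-11882",
    "Microsoft Exchange": "CVE-2021-26855 CVE-2021-28482 CVE-2021-42321 "
                          "CVE-2022-41040 CVE-2022-41082 CVE-2023-36745",
    "Microsoft Outlook": "CVE-2024-21378 CVE-2024-21413",
    "Exim": "CVE-2023-42115",
    "Zimbra": "CVE-2022-27925 CVE-2022-37042 CVE-2022-41352",
    "WordPress SMTP plugins": "CVE-2023-6875 CVE-2023-7027",
}

# Products the report singles out as the group's preferred way in (edge devices,
# email/communications, Microsoft). This grouping is an assumption of the
# example, not a ranking the report itself provides.
HIGH_PRIORITY_PRODUCTS = {
    "Fortinet", "Citrix Netscaler", "Palo Alto Networks Pan-OS", "Checkpoint",
    "F5 Big-IP", "Juniper OS", "Cisco", "Zyxel", "Connectwise",
    "Microsoft Windows", "Microsoft Exchange", "Microsoft Outlook",
    "Microsoft Office", "Microsoft SharePoint", "Exim", "Zimbra",
}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def build_cve_index():
    """Map each CVE in the table to the product it is listed under."""
    index = {}
    for product, cves in BLACK_BASTA_CVES.items():
        for cve in cves.split():
            if not CVE_RE.match(cve):
                raise ValueError(f"malformed CVE id in table: {cve}")
            index[cve] = product
    return index


def parse_scanner_export(csv_text):
    """Parse a host,cve CSV (constructed format) into (host, cve) pairs.
    Rows whose CVE id does not parse are returned separately, not dropped."""
    findings, malformed = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, cve = row["host"].strip(), row["cve"].strip().upper()
        (findings if CVE_RE.match(cve) else malformed).append((host, cve))
    return findings, malformed


def triage(findings, index=None):
    """Return {host: [(cve, product, priority), ...]} for findings that match a
    CVE the group discussed; 'high' for the favoured product groups."""
    index = index if index is not None else build_cve_index()
    hits = {}
    for host, cve in findings:
        product = index.get(cve)
        if product is None:
            continue  # not on the Black Basta list; leave to routine patching
        priority = "high" if product in HIGH_PRIORITY_PRODUCTS else "medium"
        hits.setdefault(host, []).append((cve, product, priority))
    return hits


# Constructed scanner export for illustration; hosts and findings are made up.
SAMPLE_EXPORT = """host,cve
fw-edge-01,CVE-2024-21762
fw-edge-01,CVE-2023-99999
mail-01,cve-2021-26855
ci-01,CVE-2024-23897
wp-01,C12VE-2023-7027
"""

if __name__ == "__main__":
    findings, malformed = parse_scanner_export(SAMPLE_EXPORT)
    for host, hits in sorted(triage(findings).items()):
        for cve, product, priority in hits:
            print(f"{priority:<6} {host:<12} {cve:<16} {product}")
    for host, bad in malformed:
        print(f"skipped {host}: unparseable CVE id {bad!r}")
```

Run against a real export, replace SAMPLE_EXPORT with the scanner's CSV (most scanners can emit one CVE per row) and treat every "high" hit on an internet-facing host as a same-day patching or mitigation item; the "medium" hits are still on the group's list and should not wait for a routine cycle.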