
Black Basta is Bombarding Organisations with Fake Emails and Phone Calls
A cyber attack campaign tracked as "Ongoing Campaign Bombards Enterprises with Spam Emails and Phone Calls" has recently been targeting organizations with fake emails and phone calls in an attempt to steal information. The campaign is still active and aims to compromise organizational security and obtain sensitive data.
Indicators of Compromise
Domains (94)
startupmartec.net
monitorsystem.net
treeauwin.net
otxcarecosmetics.com
protectionek.com
tomlawcenter.com
wardeli.com
masterunix.net
reelsysmoona.net
auuditoe.com
kekeoamigo.com
myfinancialexperts.com
kolinileas.com
consulheartinc.com
garbagemoval.com
topglobaltv.com
steamteamdev.net
thesmartcloudusa.com
artspathgroupe.net
investrealtydom.net
+74 more
Hashes (8)
b3fe23dd4701ed00d79c03043b0b952e8501e14ee6ee142122746333b936c9ab0fc541328f37b5612b6804e6cdc2c2c6034b5fe047920b2ae9493451623633b14a85176f5eea0c7aadc110ea1730ee79f21240e0bf9f0a391d514e34d4fa24ecb997d939379d2260ebce7c693e55f0614c897334e6391e7a2fa3cbcbf773d5a4b6a4f4097367d9c124f51154d8750ea036a812d5badde0baf9c5f183bb53dd248c68b2a794ba3d148cae91bdf9c8d357289752a94118b5558418a36d95a5a45f2642ec377c0cee3235571832cb472870
IPv4 (20)
185.219.221.136188.130.137.18138.180.142.249104.207.146.2315.235.218.150207.126.152.2425.78.115.67185.190.251.1335.161.245.155185.212.44.205.183.130.92195.123.233.5546.8.16.7795.181.173.22738.180.62.49185.7.214.7946.161.27.151188.130.218.3977.246.101.13564.176.219.106
APT Groups
FIN7
Notes
<p><b>CONCLUSION</b></p>
<p>The "Ongoing Campaign Bombards Businesses with Spam Emails and Phone Calls" poses a persistent and serious threat to organizations. This campaign, which uses fake emails and phone calls to extract sensitive information, operates at a low cost for the attackers. The relentless nature of this attack highlights the critical need for strong cybersecurity practices and increased employee awareness. Companies must stay vigilant and proactive by implementing comprehensive security measures, training employees to recognize potential threats, and leveraging advanced technologies to reduce the risk of such sophisticated cyberattacks. By doing so, they can safeguard their sensitive data and maintain operational security amidst ever-evolving cyber threats.</p>
<p>You can find more information about this campaign and many other campaigns on the Campaigns page at <a href="https://socradar.io/labs/campaigns/">SOCRadar Labs</a>.</p>
<p>For more insights on Black Basta, you can read SOCRadar's article on the <a href="https://socradar.io/dark-web-profile-black-basta-ransomware/">Black Basta Dark Web Profile</a>.</p>
Mitigation
<p><b>MITIGATIONS</b></p>
<p>To mitigate the risks posed by Black Basta and similar <a href="https://socradar.io/how-to-detect-prevent-ransomware-attacks-2024-ciso-edition/">ransomware attacks</a>, the authoring organizations of the joint advisory recommend implementing the following measures:</p>
<p><b>Patch Vulnerabilities:</b> Regularly update and patch systems, applications, and devices to address known vulnerabilities. In particular, address vulnerabilities such as ConnectWise CVE-2024-1709 and other known exploited vulnerabilities.</p>
<p><b>Email Security:</b> Enhance email security protocols to detect and prevent <a href="https://socradar.io/how-to-identify-spear-phishing/#:~:text=IT%20security%20solutions.-,What%20is%20Spear%20Phishing%3F,tactics%20to%20collect%20sensitive%20information.">spear phishing</a> attempts, a common initial access technique for Black Basta affiliates.</p>
<p><b>Endpoint Protection:</b> Deploy and maintain robust endpoint protection solutions, including antivirus and <a href="https://socradar.io/all-you-need-to-know-about-endpoint-security/">Endpoint Detection and Response (EDR) tools</a>, to detect and mitigate ransomware activity.</p>
<p><b>Network Segmentation:</b> Implement network segmentation to contain the spread of ransomware and limit lateral movement within the network.</p>
<p><b>Data Backup and Recovery:</b> Maintain regular backups of critical data and ensure backups are stored securely offline. Test backup restoration procedures regularly to verify their effectiveness.</p>
<p><b>Incident Response Plan:</b> Develop and regularly update an incident response plan that includes procedures for responding to ransomware incidents. Conduct tabletop exercises to ensure readiness.</p>
<p><b>Threat Intelligence:</b> Stay informed about emerging ransomware threats and IOCs through threat intelligence sources such as CISA, the FBI, and industry partners. Use this information to enhance cybersecurity defenses.</p>
<p><b>Organizations</b>, especially those in critical infrastructure sectors such as healthcare, are encouraged to apply these mitigations promptly to reduce the risk of compromise from Black Basta and other ransomware threats. In case of a ransomware incident, promptly report the incident to your local FBI field office or CISA for assistance.</p>
<p>For more detailed technical information, including MITRE ATT&amp;CK techniques, indicators of compromise (IOCs), and tools used by Black Basta affiliates, refer to the <a href="https://www.cisa.gov/sites/default/files/2024-05/aa24-131a-joint-csa-stopransomware-black-basta_0.pdf"><b>official PDF report</b></a> from CISA.</p>
<p>For up-to-date mitigation tactics, see our blog post on <a href="https://socradar.io/dark-web-profile-black-basta-ransomware/">Black Basta</a>.</p>
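The Threat Intelligence mitigation above says to use published IOCs to strengthen defenses; the IoC section of this page provides the domains to do that with. The script below is an added example, not SOCRadar's or CISA's code: it loads the twenty domains printed on this page and matches them against DNS query logs, treating a query for any subdomain of a listed domain as a hit while rejecting look-alike names that merely end in the same string. The log format (timestamp, client, "query", record type, name) and the log lines themselves are constructed for the example; adapt the regular expression to your resolver's actual log layout.

```python
"""Match DNS query logs against the Black Basta campaign domain IoCs.

Added example, not code from SOCRadar or CISA. The domain set is taken from
the Domains list on this page (20 of the 94 published). The log format and
the log lines are constructed sample data, not real telemetry.
"""
import re
from collections import Counter

# Domains copied from this page's IoC list.
CAMPAIGN_DOMAINS = {
    "startupmartec.net", "monitorsystem.net", "treeauwin.net",
    "otxcarecosmetics.com", "protectionek.com", "tomlawcenter.com",
    "wardeli.com", "masterunix.net", "reelsysmoona.net", "auuditoe.com",
    "kekeoamigo.com", "myfinancialexperts.com", "kolinileas.com",
    "consulheartinc.com", "garbagemoval.com", "topglobaltv.com",
    "steamteamdev.net", "thesmartcloudusa.com", "artspathgroupe.net",
    "investrealtydom.net",
}

# Constructed sample log: "<timestamp> <client-ip> query <type> <qname>".
# It includes a subdomain hit, a trailing-dot/mixed-case hit and a
# look-alike name that must NOT match.
SAMPLE_DNS_LOG = """\
2024-05-14T09:12:01Z 10.0.4.21 query A www.example.com
2024-05-14T09:12:07Z 10.0.4.21 query A cdn.startupmartec.net
2024-05-14T09:13:44Z 10.0.7.9 query A monitorsystem.net
2024-05-14T09:14:02Z 10.0.4.21 query AAAA mail.corp.example.com
2024-05-14T09:15:30Z 10.0.2.3 query A notmonitorsystem.net
2024-05-14T09:16:11Z 10.0.7.9 query A MonitorSystem.NET.
"""

# Assumed log layout; change this to match your resolver's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def normalize(qname):
    """Lower-case the name and drop the trailing dot of a fully qualified name."""
    return qname.rstrip(".").lower()


def matching_ioc(qname, iocs=CAMPAIGN_DOMAINS):
    """Return the IoC domain that qname equals or is a subdomain of, else None.

    Walking up the label tree (a.b.c.com -> b.c.com -> c.com) means
    'notmonitorsystem.net' does not match 'monitorsystem.net', which a plain
    endswith() check would get wrong.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_dns_log(text, iocs=CAMPAIGN_DOMAINS):
    """Return a list of (timestamp, client, qname, matched_ioc) tuples."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                           # skip malformed lines, don't crash
        ioc = matching_ioc(m["qname"], iocs)
        if ioc is not None:
            hits.append((m["ts"], m["client"], m["qname"], ioc))
    return hits


def clients_by_hit_count(hits):
    """Count hits per client so the noisiest host can be triaged first."""
    return Counter(client for _, client, _, _ in hits)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for ts, client, qname, ioc in found:
        print(f"{ts} {client} queried {qname} (IoC: {ioc})")
    print("hits per client:", dict(clients_by_hit_count(found)))
```

On the sample log this reports three hits (two from 10.0.7.9, one from 10.0.4.21) and ignores the look-alike `notmonitorsystem.net`. Extending `CAMPAIGN_DOMAINS` with the full 94-domain list from SOCRadar Labs, and pointing `scan_dns_log` at an exported resolver log, turns it into a quick retrospective sweep.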