Healthcare’s Black Basta Bash

If you follow the May 10, 2024, Black Basta “critical action” recommendations, you will most likely be exposed and potentially exploited by the threat actors. Read through the #StopRansomware: Black Basta AA-24-131A and HS-ISAC Black Basta Threat Actor Emerges as a Major Threat to the Healthcare Industry. Then take a step back and mitigate/remediate the active Initial Access vectors through which we know Black Basta is bashing our networks.

Here is a suggestion to add to the advisories:

  • Mitigate (ACLs) and Remediate (patch the vulnerability) the initial access vectors. Focus on the actively exploited CVEs: ConnectWise vulnerability CVE-2024-1709; multiple VMware ESXi vulnerabilities: CVE-2021-21974, CVE-2020-3992, and CVE-2019-5544; and Fortra GoAnywhere MFT CVE-2024-0204.
  • Leverage the free EASM – Attack Surface reports from the Shadowserver Foundation. You do NOT need to buy commercial EASM services. Shadowserver’s Cyber Civil Defence reports have two decades of community service.
  • Create multiple mitigation/remediation teams to cover each of Black Basta’s exploitation chains. Three teams would focus on the Initial Access vectors (the exposures, exposed credentials, and spear phishing). Another team would work on the Discovery and Execution, seeking whether the threat actors are already in the network. Another team would focus on plugging holes in lateral movement. Other teams would patch, review security capabilities, and ensure everything is backed up.

What is happening with Black Basta?

The Ascension Health ransomware breach has launched multiple efforts to push back against the Black Basta Ransomware ecosystem. Multiple advisories were published on May 10th about the Black Basta Ransomware Crew. The Joint Advisory #StopRansomware: Black Basta AA-24-131A was a joint effort by the FBI, MS-ISAC, and the Department of Health and Human Services (HHS). Health-ISAC (Information Sharing and Analysis Center) also reissued a new threat bulletin warning that the Black Basta ransomware gang “has recently accelerated attacks against the healthcare sector.”

Multiple advisories for an established threat actor indicate persistent risk that results in preventable damage. Black Basta is not a new crew. They have been around and focusing on victims for years. Multiple advisories are indications that something is not working.

Perhaps it is the “Advice” that is not working?

While Spear Phishing was Black Basta’s initial access vector, in February 2024, they shifted to exposed vulnerabilities that allowed them to access their target. From the joint advisory:

“Starting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709 [CWE-288] [T1190]. In some instances, affiliates have been observed abusing valid credentials [T1078].”

This means Black Basta uses a vulnerability to gain access to the victim and uses VALID CREDENTIALS. Black Basta has also been seen buying compromised credentials through Initial Access Brokers (IABs) to obtain initial access.

But the “official” resistance recommendations were to focus on the Spear Phishing:

That leaves out two of the initial access vectors that teams need to know about, act on, and remediate/mitigate before “training users.”

Why are the FBI, MS-ISAC, and HHS ignoring the Initial Access Shift?

I have no idea why. Sometimes, the team crafting the advisory focused on lateral movement and exfiltration and missed the other factors.

The Health Care ISAC points out that in previous Black Basta attacks, the group also used multiple vulnerabilities to breach organizations:

  • ConnectWise ScreenConnect authentication bypass vulnerability – CVE-2024-1709, and path-traversal vulnerability – CVE-2024-1708
  • Microsoft Windows common log file system driver elevation of privilege vulnerability – CVE-2022-35803
  • VMware OpenSLP vulnerability – CVE-2021-21974
  • Fortra GoAnywhere MFT pre-authentication command injection vulnerability – CVE-2023-0669

Rapid Patching of exposed vulnerabilities should be one of the “recommended actions.”

For example, 2500+ organizations are currently exposed to the ConnectWise vulnerability CVE-2024-1709. (See the Shadowserver Foundation’s Dashboard.)

Shadowserver Foundation’s CRITICAL: Vulnerable HTTP Report includes Black Basta’s ConnectWise vulnerability CVE-2024-1709 [CWE-288] [T1190] initial access vector.

  • ConnectWise ScreenConnect RCE vulnerabilities (CVE-2024-1709): An authentication bypass using an alternate path or channel (CVSS 10) and a path traversal issue (CVSS 8.4). Affected versions: ScreenConnect 23.9.7 and prior. Make sure to update to the latest versions! Tagged originally as vulnerable-screen connect as no CVE was originally assigned [this tagging first added 2024-02-20]. Update: these are now tagged cve-2024-1709 after 2024-02-22.
  • Multiple VMware ESXi vulnerabilities: CVE-2021-21974 (CVSS 8.8), CVE-2020-3992 (CVSS 9.8), CVE-2019-5544 (CVSS 9.8) tagged as cve-2021-21974, cve-2020-3992, cve-2019-5544. As of 2023-02-06, they may be being used in ransomware attacks, as described in this CERT-FR advisory. Note: this check is version-based. It is possible that these services have other mitigations in place. Nevertheless, if you receive an alert, we recommend applying the latest VMware updates!
  • Fortra GoAnywhere MFT CVE-2024-0204 (Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.). If you receive a report from us make sure to review for signs of compromise and follow the Fortra advisory on patching. Please note that remote access to the administration portal is required for remote exploitation. We also share a list of unpatched GoAnywhere MFT instances based on the SSH banner in our Accessible SSH report – this does not mean these devices are remotely exploitable as access to the HTTP admin portal is required for exploitability. Tagged as cve-2024-0204. [Tagging first added 2024-01-25.]
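As an added triage example (my code, not the post’s or Shadowserver’s), the script below reads rows in a simplified, constructed Shadowserver-style layout, keeps only the Black Basta CVE tags listed above, and carries the two caveats from the report descriptions (the ESXi check is version-based; a GoAnywhere SSH-banner hit is not confirmed exploitable) into patch-now and verify-first queues for the Initial Access team. The column names and tag format are assumptions, not Shadowserver’s real schema.

```python
import csv
import io

# Black Basta initial-access CVEs from the advisories above, keyed by the
# lowercase tag form Shadowserver uses in its report text (assumed here).
BLACK_BASTA_TAGS = {
    "cve-2024-1709": "connectwise",
    "cve-2021-21974": "esxi",
    "cve-2020-3992": "esxi",
    "cve-2019-5544": "esxi",
    "cve-2024-0204": "goanywhere",
}

# Constructed sample rows in a simplified, assumed Shadowserver-like CSV layout
# (not the real schema): a ConnectWise host, an ESXi host carrying two tags,
# a GoAnywhere banner hit from the Accessible SSH report, and an unrelated tag.
SAMPLE_REPORT = """\
timestamp,ip,port,hostname,report,tag
2024-05-10 01:00:00,203.0.113.10,8040,rmm.example-hospital.test,vulnerable_http,cve-2024-1709
2024-05-10 01:00:00,203.0.113.20,427,esx01.example-hospital.test,vulnerable_http,cve-2021-21974;cve-2020-3992
2024-05-10 01:00:00,203.0.113.30,22,mft.example-hospital.test,accessible_ssh,cve-2024-0204
2024-05-10 01:00:00,203.0.113.40,443,www.example-hospital.test,vulnerable_http,cve-2014-0160
"""


def triage(report_text):
    """One work item per (host, Black Basta CVE), carrying the report's caveats."""
    items = []
    for row in csv.DictReader(io.StringIO(report_text)):
        for tag in row["tag"].split(";"):
            family = BLACK_BASTA_TAGS.get(tag)
            if family is None:
                continue  # not one of the Black Basta initial-access CVEs
            item = {"ip": row["ip"], "host": row["hostname"], "cve": tag.upper(),
                    "confirmed_exposed": True, "caveat": ""}
            if family == "esxi":
                item["caveat"] = "version-based check; verify other mitigations, still patch"
            if family == "goanywhere" and row["report"] == "accessible_ssh":
                # SSH banner match only: exploitable only if the HTTP admin portal is reachable
                item["confirmed_exposed"] = False
                item["caveat"] = "SSH banner only; confirm HTTP admin portal exposure first"
            items.append(item)
    return items


def work_queues(items):
    """Split items into patch-now (confirmed exposed) and verify-first queues."""
    queues = {"patch_now": [], "verify_first": []}
    for it in items:
        key = "patch_now" if it["confirmed_exposed"] else "verify_first"
        queues[key].append(f'{it["cve"]}@{it["ip"]}')
    return queues
```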

These reports are all free from the Shadowserver Foundation’s Enterprise Attack Surface Management (EASM) reports. Each organization with an ASN, IP addresses, and Domains can subscribe here to get these reports:

https://www.shadowserver.org/what-we-do/network-reporting/get-reports/

Black Basta’s Bash has Huge Opportunities!

Shadowserver illustrates a considerable exposure to the Black Basta’s actively exploited CVEs: ConnectWise vulnerability CVE-2024-1709; multiple VMware ESXi vulnerabilities: CVE-2021-21974, CVE-2020-3992, and CVE-2019-5544; and Fortra GoAnywhere MFT CVE-2024-0204.

Get the updated Shadowserver Dashboard details for the Black Basta Bash: ConnectWise vulnerability CVE-2024-1709; multiple VMware ESXi vulnerabilities: CVE-2021-21974, CVE-2020-3992, and CVE-2019-5544; and Fortra GoAnywhere MFT CVE-2024-0204.

To repeat the recommendation, read through the #StopRansomware: Black Basta AA-24-131A and HS-ISAC Black Basta Threat Actor Emerges as a Major Threat to the Healthcare Industry. Then step back and mitigate/remediate the active Initial Access vectors. We know Black Basta is bashing our networks.

  • Mitigate (ACLs) and Remediate (patch the vulnerability) the initial access vectors. Focus on the actively exploited CVEs: ConnectWise vulnerability CVE-2024-1709; multiple VMware ESXi vulnerabilities: CVE-2021-21974, CVE-2020-3992, and CVE-2019-5544; and Fortra GoAnywhere MFT CVE-2024-0204.
  • Leverage the free EASM – Attack Surface reports from the Shadowserver Foundation. You do NOT need to buy commercial EASM services. Shadowserver’s Cyber Civil Defence reports have two decades of community service.
  • Create multiple mitigation/remediation teams to cover each of Black Basta’s exploitation chains. Three teams would focus on the Initial Access vectors (the exposures, exposed credentials, and spear phishing). Another team would work on the Discovery and Execution, seeking whether the threat actors are already in the network. Another team would focus on plugging holes in lateral movement. Other teams would patch, review security capabilities, and ensure everything is backed up.

Reference Articles on Black Basta Ransomware Crew