LET'S DIVE DEEPER...
Authored by Champ Clark III, Quadrant CTO
This article will cover insights gleaned regarding the “backend operations” of Black Basta during a recent offensive attack that took place in one of our client environments. In particular, we’ll focus on the servers that were used as part of this “double extortion” campaign.
- TECHNICAL ANALYSIS: BLACK BASTA MALWARE OVERVIEW
- PODCAST: BREAKING BADNESS – QUADRANT SECURITY | BLACK BASTA SPECIAL REPORT
As detailed in our Technical Analysis, Black Basta attempts a “double extortion” scheme to pressure its victims into paying a ransom. Unlike traditional ransomware campaigns, Black Basta steals data from the client and then encrypts the data, taking the stolen information and publishing it on their Tor (The Onion Router) website as part of an elaborate high-pressure technique.
As a group, Black Basta performed impressively well with regards to Operational Security (OPSEC). Early on, attribution was made based on previous research and published tactics, techniques, and procedures (TTPs) by various security research teams. A combination of indicators matching known attack chains ultimately led to a high-confidence attribution that our client was dealing with the Black Basta ransomware group. A few of the main indicators are as follows…
- A PowerShell script containing functions with naming conventions directly related to CobaltStrike.
- An observation of “RClone” being used to exfiltrate data.
- An observation of batch files attempting to disable a number of security applications.
With this in mind, we were confident the event was related to ransomware and fairly confident it was Black Basta. Once the core ransomware EXE was built, Cisco AMP triggered an alert titled “Generic.Ransom.Basta”.
This confirmed our suspicions.
We later took it a step further, reversing the EXE to double-confirm. A detailed analysis of those findings can be found in our Technical Analysis of the event. While Black Basta’s OPSEC was impressive, it was far from perfect. For example, once Black Basta compromised a network, they would log in to their backend systems from the compromised network. As disclosed in the Technical Analysis, Quadrant utilizes “clipboard” monitoring (copy/paste), allowing us to not only monitor interactions with compromised systems, but also monitor the threat actors' commands within the backend.
A LOVE OF HARDWARE <3
With regards to extortion, Black Basta appears to favor physical hardware. Considering the amount of data being transferred and stored, it is likely more cost-effective, allowing them to maintain better control of the systems they commandeer.
On September 3rd, 2022, a rented system from “reliablesite.net” (“Bare metal servers delivered Instantly”) was booted. This system was running Linux (Debian 11.4), consisting of a Supermicro X9SCX motherboard, an 8-core Xeon processor (E3-1245 V2 @ 3.40GHz), 32GB of RAM and a Samsung SSD (PM830 2.5”) 256GB drive. A Seagate 14 terabyte hard drive (ST14000NM001G-2K) had also been added to the system to store victim files.
We estimate that this system was costing the group roughly $200 USD per month, assuming they had the default 1GB unmetered data transfer. It also appears the group utilized multiple hosting providers, as we noted upwards of six different hosting providers around the world. These included Edis.at (Austria), Worldstream.nl (Netherlands), blnwx.com (USA), Vultr.com (USA), Contabo.de (Germany) and Srvape.com (Russia).
We cannot be certain that these hosting services are being abused in the same way that “reliablesite.net” was in our event. Even where this is not the case, these services are likely being abused in one fashion or another, and are likely collateral victims themselves, due to abuse of services, fraudulent charges, and unpaid invoices.
The 256GB Samsung SSD drive was used as the primary “boot drive”, having Linux/Debian 11.4 loaded. The secondary drive, a Seagate 14TB drive, was mounted to the /home/ftp_white directory, used to house data stolen from Black Basta’s victims.
Data was sent to this server over the unencrypted “File Transfer Protocol” (FTP), with a data directory structure of /home/ftp_white/VICTIMSNAME. As an example, if the compromised company was “ABC Construction Company”, Black Basta might assign “/home/ftp_white/ABC” to that organization. Quadrant observed that the 14TB drive contained 21 different unique company identifiers, comprising approximately 71% of the drive with exfiltrated/stolen data.
According to Coveware, the average ransomware payment is roughly $230,000 USD. With this figure in mind, assuming all victims pay the ransom, this particular data-store is worth upwards of $4.8 million.
Quadrant has had the opportunity to work with Incident Response (IR) teams that have negotiated ransom payments with Black Basta in the past, informing us that $230,000 is on the lower end, with median averages close to double for Black Basta. With this in mind, the data-store is approaching a value near $10 million for the group.
Realistically, it’s unlikely all victims paid the ransom and the true value is likely lower, mostly due to companies refusing to negotiate with ransomware operators. In any event, the data to Black Basta is worth something in the ballpark of millions.
On the Linux server that would be receiving exfiltrated data, the group loaded “vsftp” (version 3.0.3), a popular FTP service configured to receive data over an unencrypted connection.
Since Black Basta utilizes unencrypted FTP, it might be possible to detect and stop data exfiltration early on by identifying such FTP protocol usage. Detection can easily be accomplished through packet inspection with software services such as Suricata.
When the Black Basta threat actors initiate “RClone” on the file server, “RClone” makes an unencrypted FTP session to its data exfiltration server. As part of this initial connection, credentials are transferred in clear text, leading to quite the security conundrum. Technically speaking, if the victim has packet inspection within their network, recovering the username and password used during the exfiltration is simple. Quadrant was able to recover the username “ftp_white” with a randomly generated password.
The conundrum in question is that the user “ftp_white” obviously has “write access” to Black Basta’s exfiltration system. It is also likely that the “ftp_white” user can delete data from their server. An immediate gut-response by the ransomware victim is to access the server and delete the data.
In the U.S., this is fraught with issues. If the victim were to delete their own exfiltrated data, this would technically constitute a federal offense per the “Computer Fraud and Abuse Act” (CFAA) of 1986. As shown in the “Hardware” section of the article, even though it is extremely unlikely that “collateral damage” would occur, the victims' hands are legally tied.
To compound this catch-22, if the data exfiltration is stopped, the threat actor is likely to retaliate by encrypting all systems in order to retain control over the victim. Quadrant observed Black Basta monitoring directory sizes and transfer status. The same retaliation would be likely in the event the victim attempts to “delete” their own data.
Future legislation, such as the “Active Cyber Defense Certainty Act”, also known as the “Hack Back Bill” might someday change this unfortunate set of circumstances.
BUT, WHAT ABOUT...
A few clever security practitioners might suggest engaging with the hosting provider to assist in “taking down” the threat actor data exfiltration server. Quadrant has had direct experience ranging from extremely helpful networking teams to completely counterproductive and hostile conversations. In some cases, contacting the hosting provider may even do more harm than good.
In one particularly egregious event, Quadrant staff reached out to a hosting company explaining that one of their servers was being used in a ransomware campaign. The hosting company responded:
“We have forwarded this abuse complaint to our customer and will notify you upon resolution”.
This is not exactly the desired response expected during an active ransomware incident.
It appears the Black Basta team likely considered these scenarios and/or the possibility that they might have the server confiscated or sunset. Quadrant noticed a constant Secure Shell (SSH) connection from a hosting provider in Sheridan, Wyoming, USA transferring considerable data, which may have been their way of mitigating that risk. We’ve speculated this connection was established to transfer data to a third-party host, so in the event the primary exfiltration server was shut down, they would retain a copy of the data.
SERVER MAINTENANCE AND LOGINS
Quadrant observed maintenance events related to the Black Basta data exfiltration server from 59 unique IP addresses. Something that stood out while analyzing these maintenance events was their sheer dedication to OPSEC best-practices. Using Quadrant Threat Intel (Bluedot) and various open-source threat intelligence feeds such as https://spur.us, VirusTotal, and https://www.abuseipdb.com, a picture was painted of threat actors who vigilantly attempt to cover their tracks.
Access and maintenance appear to primarily happen over Secure Shell (SSH) as the user “root”, with the threat actor using a predefined SSH password. This password was likely generated similarly to how the “ftp_white” password was generated (automated).
All logins to the server originated from proxies or other hosting providers, meaning zero logins appeared to come from residential or corporate IP address blocks.
Some SSH logins came over the “Tor” (The Onion Router) network. If Tor wasn’t used, Black Basta utilized various paid VPN services, such as Mullvad VPN, Private Internet Access, and Express VPN. The few connections made to the Black Basta data exfiltration server that weren’t related to a proxy service were from additional hosting providers, for example Edis.at (Austria), Worldstream.nl (Netherlands), blnwx.com (USA), Vultr.com (USA), Contabo.de (Germany) and Srvape.com (Russia).
Quadrant estimates these connections were from other servers that Black Basta “owned” and controlled.
While Black Basta’s OPSEC practices were impressive within their own “network”, they commonly made mistakes within target networks. For example, they made connections from victims' networks into the Black Basta backend servers and assumed the victim would not properly monitor the servers within their environment (for example, through the collection of event and “clipboard” logs).
COMMANDS AND TOOLS
Quadrant was able to observe commands that had been executed on the Black Basta exfiltration server. Once a new system was established, the threat actors performed a quick “stress test”, likely to verify the system could handle the loads it would be placed under. They also performed a quick check of the drive layouts and drive status.
- # uptime
- # stress --cpu 40 -m 24 -t 40
- # uptime
- # stress --cpu 55 -m 24 -t 60
- # uptime
- # lsblk
- # smartctl -a /dev/sda
- # smartctl -a /dev/sdb
We then see the threat actor execute the following:
- # nano t.sh
- # chmod +x ./t.sh
- # ./t.sh
Breaking this all down, the threat actor is opening a text editor (nano) and creating a “shell script”, which is then given “execution” permissions.
Quadrant was able to obtain a copy of this shell script, discovering that “nano” is used to “copy and paste” into a text file called “t.sh”. This “t.sh” shell script is essentially a means for Black Basta to automate the provisioning of exfiltration servers.
(Note: a link to the full script is here)
The first thing the shell script does is install multiple utilities, including sudo, rclone, vsftpd, cadaver, dnsutils, expect, and the nginx web server, along with several nginx/apache utilities. We found it particularly interesting that “cadaver” is installed, a WebDAV client command-line tool.
Two variables in the script are then created: “publicUsername” and “publicPassword”. This is the FTP username and password that will be used to exfiltrate data.
- export publicUsername="ftp_white"
- export publicPassword=$(</dev/urandom tr -dc '12345!@#$%qwertQWERTasdfgASDFGzxcvbZXCVB' | head -c20; echo "")
- sudo echo "$publicPassword" > "/ftppwd.txt"
(Note the limited key space from which the password is drawn. That is, Black Basta passwords will only contain the characters listed after “-dc”.)
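The detection idea from the FTP discussion above, combined with this key-space note, as an added Python example (not Quadrant’s code): it parses reassembled FTP control-channel lines, alerts on clear-text logins from the LAN to an external host, counts uploads, and checks whether the recovered password fits the t.sh character class. The IP addresses, file names and sample password are constructed; the finding records only the password’s length and profile, never the password itself.

```python
import math

# Character class and length copied from the t.sh generator quoted above.
TSH_CHARSET = frozenset("12345!@#$%qwertQWERTasdfgASDFGzxcvbZXCVB")
TSH_LENGTH = 20

# Constructed sample: client->server FTP control lines as (src_ip, dst_ip, line).
# 10.0.0.0/8 stands in for the victim LAN and 203.0.113.10 for an external
# exfiltration host; neither is an indicator from the article.
SAMPLE_LINES = [
    ("10.0.5.17", "203.0.113.10", "USER ftp_white\r\n"),
    ("10.0.5.17", "203.0.113.10", "PASS qW3r!T5gA@dF#zX$cV1B\r\n"),
    ("10.0.5.17", "203.0.113.10", "TYPE I\r\n"),
    ("10.0.5.17", "203.0.113.10", "STOR ABC/finance.zip\r\n"),
    ("10.0.5.17", "203.0.113.10", "STOR ABC/hr.7z\r\n"),
    ("10.0.5.20", "10.0.9.3", "USER backup\r\n"),       # internal FTP, not flagged
    ("10.0.5.20", "10.0.9.3", "PASS hunter2\r\n"),
    ("10.0.5.20", "10.0.9.3", "STOR nightly.tar\r\n"),
]

def generator_entropy_bits(charset=TSH_CHARSET, length=TSH_LENGTH):
    """Entropy of a uniformly random password drawn from the t.sh charset."""
    return length * math.log2(len(charset))

def fits_tsh_profile(password):
    """True if a recovered password could have come from the t.sh generator."""
    return len(password) == TSH_LENGTH and set(password) <= TSH_CHARSET

def analyze_ftp_control(lines, internal_prefix="10."):
    """Flag clear-text FTP logins leaving the LAN; the password is not stored."""
    sessions = {}
    for src, dst, text in lines:
        s = sessions.setdefault((src, dst), {"user": None, "pass_len": 0,
                                             "generator_profile": False, "stor": 0})
        cmd, _, arg = text.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            s["user"] = arg
        elif cmd == "PASS":
            s["pass_len"] = len(arg)
            s["generator_profile"] = fits_tsh_profile(arg)
        elif cmd == "STOR":
            s["stor"] += 1          # each STOR is one file pushed to the server
    findings = []
    for (src, dst), s in sessions.items():
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix) and s["user"]:
            findings.append({"src": src, "dst": dst, **s})
    return findings

if __name__ == "__main__":
    print(f"t.sh keyspace: {len(TSH_CHARSET)} chars, {generator_entropy_bits():.1f} bits")
    for f in analyze_ftp_control(SAMPLE_LINES):
        print("ALERT clear-text FTP upload to external host:", f)
```

The same USER/PASS/STOR matching is what a Suricata rule on the FTP control port would key on; the generator-profile flag is an extra fingerprint, not a substitute for that rule.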
The shell script goes on to create self-signed certificates for the FTP service “vsftp”. The script uses “expect” for automation, simultaneously creating the vsftp.conf file (/etc/vsftpd.conf) and restarting the service.
A couple of lines caught our eye during the setup of the Nginx web server:
- #sudo certbot certonly --standalone --preferred-challenges http -d datbcp.com
- #ssl_certificate_key /etc/letsencrypt/live/datbcp.com/fullchain.pem;
- #ssl_certificate_key /etc/letsencrypt/live/datbcp.com/privkey.pem;
(Note: the # is not a root prompt but rather the command being commented out of the script)
This would seem to indicate that the script might have been used on a machine with the domain “datbcp.com” (we’ll come back to this).
Another command that Quadrant frequently observed was “# mc”.
This is a command better known as “Midnight Commander”, a clone of the old MS-DOS application “Norton Commander”. This gives the user a simple UI (ncurses based) to move, copy, and delete files. We found execution of this command particularly interesting because it’s not a command we’ve seen executed by seasoned Linux administrators. In fact, it’s typically utilized by novices in Linux who are not yet comfortable with the Linux command line and file system. This, coupled with the use of “nano”, suggests we’re dealing with an administrator without a lot of Linux experience.
(Note: Yes, we do know very capable administrators that use “nano”)
The Use of Datstr.com and datbcp.com Domains
During the analysis of “t.sh”, we noticed the domain “datbcp.com”. Quadrant was later able to tie “datstr.com” to the same IP address (220.127.116.11). The “datbcp.com” domain was registered 2022-07-02T15:04:27.00Z and the “datstr.com” domain was registered 2022-07-02T13:27:54Z.
The IP address is in North America (Panama) and the owner of the block is “GRUPO PANAGLOBAL” (AS264617), which points to “webhostinggeeks.com” (down as of this writing).
“datbcp.com” appears to be a Debian 11 box, according to its SSH banner (“OpenSSH 8.4p1 Debian 5+debu11u1”). The following ports were observed: TCP/443, TCP/989 (FTP-like banner), TCP/2022 (“SSH-2.0-SFTPGo_2.4.0”) and TCP/8885.
As alluded to above, Quadrant had observed the installation of “Cadaver”, which is a WebDAV command line Linux tool. Our hypothesis is that Black Basta likely utilizes this tool to move files between the exfiltration server and the “datbcp.com” server.
It appears Black Basta has attempted to keep this service outside of the public view. This domain and IP address are clean and not listed in any threat intelligence database Quadrant has access to. While we don’t completely understand the functionality of this server, it likely serves some other backend purposes of Black Basta.
For more information regarding this story, interested parties should contact email@example.com