The leaked internal chat communications of the Black Basta ransomware group offer an unprecedented view into how cybercriminals operate, plan attacks, and evade detection.

The Veriti Research team analyzed these chat logs, revealing our favorite exploits, security measures they bypass, and the defenses they fear most.

Veriti Research analyzed these chat communications, exposing:

• Targeted Exploits: Black Basta focuses on exploiting vulnerabilities in VMware ESXi, Microsoft Exchange, Citrix VPNs, Fortinet firewalls, and Active Directory.
• Security Evasion Techniques: They actively discuss bypassing EDR, SIEM, and firewall protections to maintain persistence in compromised networks.
• Cloud-Based Attacks: The group leverages cloud services for malware hosting, remote access, and command-and-control (C2) infrastructure.
• Threat Intelligence Awareness: Attackers are keenly aware of security blacklists (Spamhaus, Rapid7) and adjust their tactics to evade detection.
• Security Defenses That Work: Despite their skills, Black Basta members express frustration when EDRs, firewalls, and IP reputation monitoring disrupt their operations.

Vulnerabilities & Exploits

ESXi Vulnerabilities

• The actors discussed a compromised ESXi system that accepted any password, suggesting they targeted misconfigured or vulnerable VMware ESXi servers.

• They mentioned gathering IP addresses related to Jenkins, which could indicate attempts to exploit misconfigured Jenkins instances.

Citrix & VPN Exploitation.

• They shared Citrix VPN credentials, suggesting interest in compromised VPNs and remote access points:

• The evidences from the discussions shows that the group got access to networks in Mexico, Spain, and US using the two above vulnerabilities

Fortinet VPN Exploits

• Exploits related to Fortinet firewalls and VPNs were referenced – Attackers used Fortinet vulnerabilities to gain access to corporate networks

ProxyShell & Exchange Server Exploits

• Discussion about Exchange Server vulnerabilities:
  CVE-2022-41082, CVE-2021-42321, CVE-2021-28482, CVE-2021-26855 но они старые 

• Confirms historical ProxyShell exploitation for Microsoft Exchange Server attacks.

Zero-Day & Linux Privilege Escalation

• Linux LPE Exploits (CVE-2024-1086)

• A zero-day Linux privilege escalation vulnerability was discussed:
  CVE-2024-1086 Linux LPE

• Text from the chat: Универсальный эксплойт для повышения локальных привилегий, работающий на большинстве ядер Linux между версиями 5.14 и 6.6, Debian, Ubuntu. 

• This indicates targeting of Linux systems for privilege escalation

Brute-force on vCenter & ESXi

• Actors tested brute-force attempts against ESXI – 5 попыток но только с root

• “vCentre – 4 попытки потом просто надо сбрасывать и заново авторизован”

• This confirms brute-force attacks on ESXi/vCenter servers to gain admin access.

Jenkins Exploitation

• Exploiting Jenkins servers for Remote Code Execution (RCE):nginx
  “jenkins эксплоит все что делает, это отображает содержание файла” 

• Suggests leverage of Jenkins misconfigurations to exfiltrate credentials and secrets.

Fortinet VPN & Firewall Exploitation

• Weak administrator passwords
• Exposed Fortinet SSL VPN portals

Black Basta targeted a range of vulnerabilities across VMware ESXi, Citrix VPNs, Fortinet firewalls, Exchange Servers, Jenkins, Active Directory, and RDP.
They obtained targeted IPs from sources like FOFA, Shodan, and compromised credentials.

Security Products discussions:

Black Basta actors frequently discussed security products, including firewalls, endpoint detection and response (EDR) solutions, web application firewalls (WAFs), and cloud security products. Here’s what they mentioned:

Discussions on Firewalls

• One of the operators of BlackBasta suggested misconfigured inbound firewall rules might allow bot traffic:
  может firewall на inbound не настроен 

• Implication: They were likely probing firewall settings to find misconfigurations.

• An operator suspected that a firewall might be blocking access to a compromised target:
  может firewall стоит? 
• Implication: Indicates attempts to bypass firewall restrictions.

Discussions on Endpoint Detection & Response (EDR)

• Multiple EDR solutions was a part of discussions on bypassing or neutralizing these security solutions.

• Techniques to bypass EDR
  Вступить в априорно неравный бой с EDR: анхукать библиотеки, криптовать свой арсенал до посинения, жить с sleep 100500, выполняя по одной команде в сутки. 

• Implication: Attackers unhook security libraries, encrypt their tools, and minimize execution footprints to evade detection.

• Targeted EDR Vendors
  EDR killer update. Bitdefender, Sentinel, CrowdStrike, Windows Defender 10/11, Webroot, Kaspersky, Symantec, Sophos.
• Implication: They likely had a malware component specifically designed to disable multiple EDRs.

Web Application Firewalls (WAFs)

• Discussions suggested manipulating web requests to evade Cloudflare and other WAFs:
  алгоритм как я с C2 общаюсь зареверсили и типо такие же запросы как боты отправляют автоматизировано
• Implication: Attackers reverse-engineered Cloudflare’s bot detection mechanisms to mimic legitimate traffic.

Cloud Security & Services

• Discussions included compromising cloud environments:
  Implication: Suggests interest in cloud account takeovers or invoice fraud.
• RDP logins to cloud-based systems:

Security Solutions Discussed by Black Basta

Black Basta actors showed significant awareness of modern security defenses and actively worked to bypass them.

Firewall Evasion Techniques Used by Black Basta

Black Basta discussed several methods to bypass or exploit firewalls, including zero-day exploits, SSH tunneling, proxychains, and misconfiguration abuse.

Exploiting Firewall Vulnerabilities

Juniper SRX Firewall Unauthenticated RCE

• They purchased or used a zero-day exploit for Juniper SRX firewalls, which granted root-level access.
  Juniper SRX Firewall Unauthenticated RCE – the attacker used shodan as one of the recon tools

• https://www.shodan.io/search?query=html%3A%22Juniper+Web+Device+Manager%22
• Implication: Attackers remotely executed code on Juniper firewalls with zero-click authentication bypass.

Fortinet FortiOS RCE (CVE-2024-21762)

• Discussion on Fortinet firewall remote code execution focusing on FortiOS RCE (CVE-2024-21762)”

• Implication: Attackers used known Fortinet exploits to bypass authentication and execute commands remotely.

Palo Alto GlobalProtect RCE (CVE-2024-3400)

• Command injection vulnerability in Palo Alto GlobalProtect - GlobalProtect RCE (CVE-2024-3400)”

• Implication: This bypass allowed remote execution of commands on vulnerable Palo Alto firewalls.

“CVE-2024-3400 PALO ALTO PAN-OS RCE

SHODAN 43k https://www.shodan.io/search?query=+http.favicon.hash%3A-631559155

This is WORKING EXPLOIT for the vulnerability patched yesterday (15.04), shit on the Github is fake or not working.

It gives root permissions on the target machine.

PRICE IS 15k. 3 copies to sell total.

You put target and command.

It will autoencode in base64 and send request with some headers that make the exploit.“

————————————————————————————————————————————

Abusing Firewall Misconfigurations

Identifying Open Ports & Misconfigured Firewalls

• Attackers discussed firewall misconfigurations allowing unauthorized access:
  “может firewall на inbound не настроен”
• Implication: They attempted to find and exploit improperly configured inbound firewall rules.

Firewall Evasion Techniques Used by Black Basta

Black Basta demonstrated advanced firewall exploitation capabilities, using a mix of zero-day vulnerabilities, automated scanning, and exploit purchases.

————————————————————————————————————————————

Discussing taking data from IPS

Black Basta’s Exfiltration of Intrusion Prevention/Detection System (IPS/IDS) Data

Black Basta actors discussed stealing logs, bypassing detection systems, and manipulating SIEM solutions to evade forensic analysis and security monitoring.

IDS/IPS Log Exfiltration

• Attempt to access and extract security logs from an IDS system:
  “надо будет еще потом когда пробьем эксплойтом их запросить в локальной сети сервер или нет” 
• Implication: They planned to check for IDS/IPS logs on local network servers after gaining access.

Testing IPS Responses & Adjusting Attacks

• They actively monitored IPS detection and adapted their methods:
  “если палит ips, то надо резать пакеты”

• Translation:
  “If the IPS detects it, we need to cut up the packets.”

————————————————————————————————————————————

Discussion on Firewall capabilities

Black Basta actors extensively discussed the capabilities, strengths, and weaknesses of different firewall products, including Juniper, Fortinet, and Palo Alto. Their conversations focused on firewall configurations, vulnerabilities, and ways to bypass protections.

1. Juniper Firewall Capabilities

• They analyzed JunOS firewall capabilities, highlighting security mechanisms like Veri-Exec and read-only filesystems:pgsql

• JunOS is an operating system based on FreeBSD developed by Juniper networks

• to run on firewall/vpn devices. This OS manages the device and is responsible

• for operating services. The device is secured in multiple ways like using

• read-only file systems for packages/binaries in the system as well as veri-exec

• which disables executing unsigned or unknown binaries.

• Implication: They researched and documented JunOS security mechanisms before attempting an exploit.

Weakness in Juniper’s Web Management Interface

• They identified a logic bug in Juniper’s Web Device Manager (Embedthis Appweb web server)
• Appweb executes CGI scripts/binaries using the CGI/1.1 standard, but it messes up when exporting environment variables for said scripts/cgis. This appears to be fixed in the latest version of the web server but the version JunOS uses are affected.
• Implication: Juniper’s outdated Appweb implementation was identified as a security risk .

Shodan Queries for Juniper Devices

• They used Shodan to locate exposed Juniper SRX devices:perl

• Shodan query: Link: https://www.shodan.io/search?query=html%3A%22Juniper+Web+Device+Manager%22
• Implication: Black Basta actively searched for exposed Juniper firewalls to exploit.

2. Fortinet Firewall Capabilities

• They referenced Fortinet firewall documentation while planning an attack
  Fortinet FortiOS RCE (CVE-2024-21762)

• A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 6.4.14…

• Allows attacker to execute unauthorized code or commands.
• Implication: They analyzed Fortinet security updates and tracked potential exploits.

Fortinet VPN Discussion

• A conversation about Fortinet VPN authentication mechanisms

• а мне от форти нужно
• Implication: They were likely attempting to bypass Fortinet’s VPN security.

3. Palo Alto Firewall Capabilities

• They mentioned Palo Alto’s security posture and visibility:
  вот как это видят те, кто хостит palo alto 
• Implication: This suggests attackers were monitoring how Palo Alto firewall administrators detect intrusions.

Attempt to Execute Commands in PAN-OS CLI

• A message indicated attempts to access Palo Alto’s command-line interface (CLI):
  сть какой-то доступ к panos cli? 
• Implication: They sought CLI-level access to manipulate firewall rules or disable logging.

4. General Firewall Discussions

• Attackers discussed firewall detection and bypass techniques:
  может firewall на inbound не настроен 
• Implication: They checked for misconfigured inbound rules as a possible entry point.

Cloudflare Firewall Weaknesses

• They referenced Cloudflare’s ability to detect bot traffic:
  алгоритм как я с C2 общаюсь зареверсили и типо такие же запросы как боты отправляют автоматизировано 
• Implication: Attackers reverse-engineered Cloudflare’s bot detection to bypass its protections.

Firewalls Discussed & Their Capabilities

Key Takeaways

1. Juniper SRX – Attackers understood its security mechanisms and found vulnerabilities in outdated web components.

2. Fortinet FortiOS – They tracked exploits, obtained admin credentials, and looked into VPN security.

3. Palo Alto PAN-OS – They tested command execution in the firewall’s CLI.

4. Cloudflare – They reverse-engineered bot detection to evade firewall rules.

—————————————————————————————————————————————

OS Level discussions

Black Basta actively targeted Local Security Authority (LSA) and LSASS (Local Security Authority Subsystem Service) to extract Windows credentials, NTLM hashes, Kerberos tickets, and DPAPI keys. Their discussions and actions suggest systematic exploitation of Windows authentication mechanisms.

LSA & LSASS Dumping

• They successfully dumped LSA secrets, machine account hashes, and DPAPI keys:vbnet

• Implication: They used LSASS memory dumping or registry extraction to obtain:

• Machine account credentials

• Default plaintext password

• Data Protection API (DPAPI) system keys, used to decrypt stored credentials.

NTLM Hash & SAM Database Extraction

• They exfiltrated NTLM hashes from the SAM database:css
  Implication: NTLM hashes can be used for Pass-the-Hash (PtH) attacks .

LSASS Dumping & Mimikatz Usage – LSASS Memory Dump & Offline Analysis

• They used Mimikatz and LSASS dumping techniques:lua
  “Скачиваете dmp файл с вашим названием которое у вас будет, и вот пример запуска скрипта: 

• `python3 dump-restore.py QTNTAPPVCS_10102023_09-32.dmp –type restore`

• и тогда вы можете открыть этот дамп LSASS” 

• Implication: This suggests they dumped LSASS memory and analyzed it offline using Mimikatz or custom scripts.

Kerberos Ticket Extraction from LSASS

• They extracted Kerberos tickets from LSASS memory:csharp
  Implication: Attackers harvested Kerberos tickets for Pass-the-Ticket (PtT) attacks.

Attempt to Move Laterally Using Extracted Credentials

• They tested extracted credentials on a Domain Controller:scss
  “с этой учеткой попробовал зайти на дц(в момент захода отвалилось)” 
• Implication: They used dumped LSA credentials for lateral movement.

Conclusion

LSA & LSASS Exploitation Techniques Used

Black Basta heavily relied on LSASS dumping, NTLM hash extraction, and Kerberos ticket harvesting to escalate privileges and move laterally in compromised networks.

Black Basta’s Use of MSDT (Follina) Vulnerability (CVE-2022-30190)

Black Basta actors discussed and potentially used the MSDT (Follina) vulnerability in their operations. Their discussions included references to exploits, HTML-based payloads, and remote code execution via Microsoft Office documents.

Evidence of Follina Exploitation (CVE-2022-30190)

• Black Basta members listed Follina (CVE-2022-30190) as a key exploit

• Follina (CVE-2022-30190)

• Log4Shell (CVE-2021-44228)

• Spring4Shell (CVE-2022-22965)

• F5 BIG-IP (CVE-2022-1388)

• Google Chrome zero-day (CVE-2022-0609)
• Implication: Follina was among their most valuable exploits, indicating active use or intent to use it.

2. HTML-Based MSDT Exploit

• They shared a simple HTML-based attack leveraging Follina:html
  <html>

<body>

<script>

function exploit() {

document.location = “ms-outlook://run-malicious-code”;

}

</script>

<img src=”x” onerror=”exploit()” />

</body>

</html>

• Implication: This suggests they used or modified public exploits for Follina, likely to bypass security tools.

3. Black Basta’s Use of Microsoft Office Macros & Follina

• They discussed using a specially crafted document to exploit CVE-2022-30190:
  “не нужен макрос, просто ссылка в docx, и все – код исполняется” 

• Translation: “No macro needed, just a link in the DOCX, and the code executes.”
• Implication: They leveraged Microsoft Office documents with embedded links to trigger MSDT without user interaction.

4. Weaponization & Automation of MSDT Exploit

• A request for automation of exploit document generation:
  оба сделай 

• Translation: “Make both x64 and x86 versions.”

• Implication: Indicates an effort to generate exploit variants for different Windows architectures.

No Need for DLL Sideloading

• They confirmed that the exploit didn’t require additional payloads:
  та тут длка не нужна 

• Translation: “No DLL needed here.”
• Implication: Suggests they found a way to execute malicious code directly using MSDT, without needing extra DLL sideloading.

Black Basta discussed and likely used the Follina (CVE-2022-30190) vulnerability in their attack chains. Their discussions highlight:

1. Reliance on MSDT for Remote Code Execution (RCE)

2. Use of HTML-based exploits to launch attacks.

4. Embedding Follina payloads in Office documents for macro-less execution.
5. Efforts to automate exploit generation across x64 and x86 architectures.

Black Basta’s Use of Restricting Anonymous Enumeration Bypass

Black Basta discussed and explored methods to bypass anonymous enumeration restrictions in Windows environments, particularly focusing on Active Directory (AD), orphaned SIDs, and enumeration of SMB/NetBIOS shares.

Bypassing Windows RestrictAnonymous Settings

• Black Basta discussed limitations when anonymous enumeration is disabled:
  “У кого-то пробивалось, когда RestrictAnonymous = 1 ?” 

• Translation:
  “Has anyone managed to get through when RestrictAnonymous = 1?”

• Implication: They actively tested methods to bypass Windows enumeration restrictions.

————————————————————————————————————————————

Black Basta’s External Reconnaissance Techniques

Black Basta engaged in external reconnaissance (OSINT) before attacking a network, using tools like Shodan, Censys, FOFA, and Zoomeye to scan public-facing assets, find vulnerabilities, and gather intelligence on exposed services.

1. Scanning Public-Facing Assets

• щас я поставлю на скан это 

• Translation:
  “Shodan and FOFA — I’m setting up a scan now.”

• Implication: They automated scanning for exposed services .

• Searching for specific domains and IPs:
  я в censys вбивал домен

• Translation:
  “I entered the domain into Censys.”
• Implication: Attackers used domain-based reconnaissance to identify linked infrastructure.

2. Identifying Vulnerable Services

• They collected credentials for various VPN and remote access services:ruby
  Implication: Attackers searched for public VPN portals and tested leaked credentials .

• Shodan queries for identifying vulnerable targets:perl
  “Targets can be found with google dork/shodan/censys?

• Yes. Below shodan query:

• http.html:”<script src=\”/dana-na/\””

• https://www.shodan.io/search?query=http.html%3A%22%3Cscript+src%3D%5C%22%2Fdana-na%2F%5C%22%22
• Implication: They specifically searched for Ivanti VPNs and other web-based services vulnerable to pre-auth RCE attacks.

Black Basta used OSINT and automated reconnaissance tools to identify exposed assets before launching attacks.

—————————————————————————————————————————————

Attacks from and to the cloud

Black Basta leveraged cloud services to launch attacks, exfiltrate data, and host malware. They used cloud infrastructure for command-and-control (C2), remote access, and initial footholds in target networks.

1. Cloud Infrastructure for Malware Hosting

• Black Basta set up virtual private servers (VPS) to distribute malware:
  Implication: They deployed malware distribution points on cloud servers, likely used for phishing campaigns .
• Malware hosted on a cloud server:
  Implication: They hosted malicious payloads on a rented cloud VPS, making it harder for defenders to track them.

2. Cloud-Based Command & Control (C2)

• DNS beacon configurations suggest C2 operations

—————————————————————————————————————————————

IoCs and Feeds

Black Basta actively discussed methods to evade detection based on Indicators of Compromise (IoCs). They analyzed hash evasion, IP reputation bypass, Suricata/Sigma rule evasion, and modifying attack patterns to stay undetected.

1. Hash & File Signature Evasion

• Attackers used automated hash-changing techniques:
  ну md5 шлепает раз в 10 секунд, уже пробовали? 

• Translation:
  “Well, it changes the MD5 every 10 seconds, have you tried it?”
• Implication: They implemented an automated process to alter malware hashes, making static detection ineffective.

2. IP & Domain Reputation Evasion

• Attackers used dynamic IPs to bypass reputation-based blocking:
  айпишник меняется каждые 30 минут, если палят. 

• Translation:
  “The IP changes every 30 minutes if it gets flagged.”
• Implication: They set up automated IP rotation to avoid blocklisting.

Black Basta’s Discussions on Threat Intelligence Feeds

Black Basta members discussed multiple threat intelligence feeds and how they affected their operations. They specifically mentioned Spamhaus, Rapid7, and PT Security, and shared concerns about blacklists, IP reputation tracking, and detection mechanisms.

1. Threat Intelligence Feeds Mentioned

Evasion & Concerns About Intelligence Feeds

• Attackers discussed Spamhaus blocking their infrastructure
  15.204.49.234 – чистый

91.132.139.169 – грязный (Spamhaus)

Spamhaus – это все ( сразу полный пиздец

• Translation:
  “15.204.49.234 – clean
  91.132.139.169 – dirty (Spamhaus)
  Spamhaus means game over instantly.”
• Implication: Spamhaus blacklisting significantly impacted their operations, forcing them to rotate IPs.

Black Basta’s Concerns About Security Products, Intelligence Feeds & Defenses

Black Basta members discussed several challenges posed by security products, threat intelligence feeds, and defensive mechanisms. Their primary concerns included endpoint detection & response (EDR) evasion, firewall issues, IP reputation tracking, and automation in security solutions.

Concerns About Security Products

2. Concerns About Threat Intelligence Feeds

3. Concerns About Defense Capabilities

Black Basta Operations Disrupted by Security Controls

Black Basta experienced multiple failed or disrupted operations due to security defenses, including firewalls, EDR detections, SIEM analytics, and IP blacklists. These incidents forced them to abandon attacks, change tactics, or reconfigure their infrastructure.

—————————————————————————————————————————————

Firewall & Network Security Blocking Operations

• Several remote desktop (RDP) and VPN sessions were blocked, halting access
  Implication: Organizations implemented strict RDP access controls, blocking their remote sessions.

Firewall Blocking Command & Control (C2)

• Firewalls prevented outbound connections, disrupting their botnet:
  ну мой сервак не подключается к тебе получается 

• Translation:
  “Well, my server isn’t connecting to you.”

• Implication: Firewalls blocked outbound C2 connections, stopping communication between infected systems .

• Attempts to reconfigure firewalls to bypass blocking:
  проапдейтим firewall 

• Translation:
  “We’ll update the firewall.”

• Implication: They attempted to adjust their network settings to bypass security rules.

—————————————————————————————————————————————

SIEM & Threat Intelligence Disrupting Operations

• Spamhaus blacklisted their infrastructure, cutting off operations
  91.132.139.169 – грязный (Spamhaus)

• Spamhaus – это все ( сразу полный пиздец   

• Translation:
  “91.132.139.169 – dirty (Spamhaus).
  Spamhaus means game over instantly.”
• Implication: Being flagged by Spamhaus rendered their infrastructure useless, forcing them to rotate servers.

Black Basta’s Operations Disrupted by Security Controls & Their Reactions

Black Basta members faced multiple instances where security products, firewalls, and EDR solutions disrupted their attacks. They expressed frustration, anger, and sometimes panic when security defenses blocked payloads, detected malware, or cut off access.

Operations Stopped by Security Controls

Frustration & Anger at Getting Caught

• Symantec blocking outbound connections
  Falcon, no way to attack 🙁 | outgoing connection blocked by Symantec

• Implication: Attackers were frustrated that Symantec prevented outbound C2 connections.

• SentinelOne’s aggressive detections:
  S1 просто убивает всё. Никак не обойти без своего обхода. 

• Translation:
  “S1 just kills everything. No way to get past without custom bypass.”
• Implication: They were angry that SentinelOne blocked their tools completely.

Black Basta expressed anger and frustration when their operations were blocked by firewalls, EDRs, SIEMs, and endpoint security solutions.

Operations Stopped Due to Security Controls

Anger & Frustration Over Being Detected

Frustrations When Caught by Security Products

• A member was frustrated after being blocked by multiple EDRs:
  я норм прыгал на рапид. проблем не было.   

• не давал читать карбон и типа фалкон сотоварищи   

• Translation:
  “I was moving fine on Rapid, but Carbon Black and Falcon (CrowdStrike) didn’t allow execution.”

• Implication: SentinelOne, Carbon Black, and CrowdStrike blocked execution attempts, causing setbacks.

McAfee Causing Issues Across Multiple Systems

• McAfee’s presence annoyed them:
  макафи ещ в довесок везде 

• Translation:
  “McAfee is everywhere too, as an extra problem.”

• Implication: They found McAfee difficult to bypass, indicating widespread deployment.

Trend Micro’s Unreliable Scanning

• Frustration over Trend Micro’s inconsistent detections:
  там проверка хуй пойми 

• Translation:
  “That check is f***ed up.”

• Implication: They found Trend Micro’s detection mechanism unpredictable, making evasion difficult.

—————————————————————————————————————————————

Black Basta’s Collection of Vulnerability Data from Security Scanners

Black Basta actively sought and collected vulnerability data from various security scanners, including Nessus, Qualys, and Rapid7 Nexpose. They used this information to identify exploitable weaknesses and tailor their attacks accordingly.

Using Public Exploit Scanners

• Attackers used open-source scanners to find vulnerable systems:
  с шодана   

• Translation:
  “From Shodan.”
• Implication: They collected vulnerability data using Shodan to identify exposed systems.

Targeting Misconfigured Nessus & Qualys Scanners

• There were indications they searched for misconfigured scanners:
  можно поставить на скан   

• Translation:
  “We can set up a scan.”

• Implication: They may have attempted to exploit misconfigured Nessus or Qualys instances .

The insights gained from Black Basta’s leaked chat logs serve as a wake up call for organizations worldwide. These attackers are not casual hackers—they are highly coordinated, well funded, and continuously refining their methods.

However, our research also reveals clear opportunities to disrupt their operations:

• Patching vulnerabilities remains the #1 defense. Many of Black Basta’s successful intrusions stem from known exploits (CVE-2024-1086, CVE-2024-21762, ProxyShell, Follina, Fortinet RCEs, etc.) that organizations fail to patch.

• EDR solutions like CrowdStrike, SentinelOne, and Trend Micro are major barriers to attackers. Black Basta members frequently complain about EDR detections, process injections being blocked, and their malware failing to execute.

• Firewalls and SIEM analytics are major roadblocks. Attackers struggle when firewalls block RDP sessions, SIEM solutions detect lateral movement, or threat intelligence platforms blacklist their infrastructure.

• Cloud security remains an underestimated risk. Black Basta abuses AWS, Azure, and Google Cloud for malware distribution and remote access, highlighting the need for strong cloud monitoring and access controls.

Cybercriminals like Black Basta thrive on misconfigurations, unpatched systems, and weak security policies. Organizations that stay ahead of emerging threats, enforce strict access controls, and deploy behavior based security solutions will have the best chance of stopping these attacks before they escalate.

The post Inside the Minds of Cybercriminals: A Deep Dive into Black Basta’s Leaked Chats   appeared first on VERITI.