A joint cybersecurity advisory was issued on May 10 by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) regarding Black Basta, a ransomware variant identified in April 2022. Black Basta usage is spiking in targeted criminal campaigns and has been used against more than 500 organizations globally that operate in 12 of the 16 U.S. critical infrastructure sectors.
Healthcare delivery organizations (HDOs) in particular are cautioned in the advisory; ransomware actors have favored targeting of HDOs because of their dependency on legacy, end-of-life technology, handling of patients’ personal information, and the impact any downtime of critical systems would have on patient care.
The advisory outlines tactics, techniques, procedures (TTPs), and indicators of compromise (IOCs) summarized here in brief:
Typically, initial access is obtained using spearphishing against targeted users.
Black Basta affiliates use network scanning tools for reconnaissance to target systems for lateral movement employing tools such as Remote Desktop Protocol (RDP) and other remote access tools.
For privilege escalation, they utilize credential scraping tools such as Mimikatz.
Known Exploited Vulnerabilities (KEV) such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-4228), and PrintNightmare (CVE-2021-34527) are often exploited.
This attack employs a double-extortion model, encrypting systems and exfiltrating data for ransom payment to unlock and retrieve the stolen data. This makes systems relying on Windows software, including clinical devices in hospital and operational technology (OT) assets such as engineering workstations, human machine interfaces (HMIs), and historians in industrial environments, particularly vulnerable.
For customers utilizing Claroty’s xDome, Medigate, or Continuous Threat Detection offerings, our products are updated with the latest malicious IPs and domains, triggering alerts for any detected malicious communication , if you are leveraging the offering’s threat detection capabilities. We recommend monitoring for alerts related to Mimikatz, network scanning, or RDP communication. Additionally, patching the targeted KEVs is advised. If patching is not feasible, implementing compensating controls to limit that attacker’s ability to exploit and escalate privileges on target systems is crucial. Claroty recommends utilizing a built-for-cyber physical systems secure access solution for remote connectivity to critical environments.
