{"id":1242,"date":"2023-05-19T14:27:51","date_gmt":"2023-05-19T14:27:51","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=8713"},"modified":"2023-06-06T23:54:44","modified_gmt":"2023-06-06T23:54:44","slug":"black-basta-anatomy-of-the-attack","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/05\/19\/black-basta-anatomy-of-the-attack\/","title":{"rendered":"Black Basta: Anatomy of the Attack"},"content":{"rendered":"<h3>Introduction<\/h3>\n<p>In the constantly evolving realm of cyber threats, new groups consistently arise, creating turmoil for organizations worldwide. One such group that gained infamy in 2022 is the Russian-speaking threat actor known as Black Basta. With their advanced techniques and highly publicized attacks, Black Basta has become a significant worry for organizations in Europe and English-speaking nations. This blog examines the key traits of Black Basta and offers insights into their recent activities, including their targeted attack on ABB, a renowned automation specialist. DNS, as always, is leveraged during the Black Basta attack chain.<\/p>\n<p><img data-recalc-dims=\"1\" fetchpriority=\"high\" decoding=\"async\" class=\" wp-image-8714 aligncenter\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/black-basta-anatomy-of-the-attack.jpg?resize=491%2C149&#038;ssl=1\" alt width=\"491\" height=\"149\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/black-basta-anatomy-of-the-attack.jpg 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/black-basta-anatomy-of-the-attack-1.jpg 621w\" sizes=\"(max-width: 491px) 100vw, 491px\"><\/p>\n<h3>Understanding Black Basta<\/h3>\n<p>Uncovered in 2022, Black Basta is an aggressive and highly active cybercriminal organization. Their targets span across both public and private sector entities, employing various tactics to infiltrate systems and extract sensitive data. 
This group has been associated with the financial cybercrime gang FIN7 (also referred to as Carbanak). Black Basta is known for their use of double extortion methods. This approach involves encrypting company data and demanding substantial ransoms for decryption and additional sums for preventing public exposure of the data.<\/p>\n<p>Black Basta has consistently targeted organizations in Europe and English-speaking countries. Among their victims are well-known entities such as the American Dental Association (ADA), Sobeys, Knauf, Yellow Pages Canada, and most recently, ABB.<\/p>\n<h3>A History of Malicious Activity<\/h3>\n<p>Prior to the ABB attack, Black Basta was behind a string of cyberattacks impacting organizations in the US, Canada, and Europe:<\/p>\n<ul>\n<li>In April 2022, the ADA, an oral hygiene advocacy association, suffered a damaging cyberattack, leading to the shutdown of critical systems and disrupting services for 175,000 members. The attackers leaked a significant amount of stolen data, including compromised W2 forms, NDAs, accounting spreadsheets, and sensitive information on ADA members.<\/li>\n<li>In April 2022, Canadian national grocery retailer Sobeys experienced IT system issues with ransom demands of up to $2 million. The attack impacted Sobeys\u2019 extensive network of 1,500 stores and 134,000 employees across ten provinces.<\/li>\n<li>German multinational building materials producer Knauf encountered a breach in June 2022. The stolen files included email communications, user credentials, employee contact information, production documents, and ID scans.<\/li>\n<li>In March 2023, Black Basta launched a cyber assault on Yellow Pages, a prominent Canadian directory publisher. 
The breach resulted in the leak of sensitive documents containing personal information, such as ID documents with individuals\u2019 date of birth and address, tax documents with Social Insurance Numbers, as well as sales and purchase agreements.<\/li>\n<\/ul>\n<h3>The Tactics, Techniques, and Procedures (TTPs) Used in the Recent Attack on ABB<\/h3>\n<p>On May 7th, 2023, Black Basta targeted ABB, a multinational company specializing in industrial control systems (ICS) and SCADA systems for manufacturing and energy suppliers. The breach resulted in the disabling of numerous devices within ABB\u2019s infrastructure.<\/p>\n<p>In response, ABB promptly severed VPN connections with its customers in order to prevent the ransomware from spreading. This proactive step aimed to contain the impact and protect other organizations connected to ABB\u2019s network.<\/p>\n<p>ABB further responded publicly to the attack on May 12th, assuring customers and partners that they were actively addressing the situation and minimizing its effects. Most of ABB\u2019s systems have been restored, and ABB continues to deliver secure services to its customers.<\/p>\n<p>Black Basta typically initiates the attack chain by employing spear-phishing campaigns in order to gain initial access. Black Basta also collaborates with a category of cybercriminals called initial access brokers (IABs). IABs offer corporate network access in exchange for payment. These IABs sell access to compromised networks, allowing ransomware gangs to concentrate their efforts on utilizing this initial access to launch their attacks. This specialization emerged alongside the introduction of ransomware-as-a-service (RaaS) by organized crime.<\/p>\n<p>After gaining initial access, Black Basta has a range of tools at their disposal, such as Mimikatz, the QakBot stealer, and other tooling. Additionally, Black Basta has been observed installing and utilizing Cobalt Strike and Beacon. 
Cobalt Strike serves as the command and control application, while Beacons refer to callback sessions from the targeted systems. These Beacons serve as the standard malware payload used by Cobalt Strike to establish a connection with the team server.<\/p>\n<p>As the attack chain unfolds further, Black Basta disables antivirus products and can run an encryption payload using PowerShell. The subsequent execution of Black Basta\u2019s encryption module uses a broad variety of random filenames to escape detection by endpoint detection and response (EDR) products.<\/p>\n<p>It should be noted that Black Basta has also been observed disabling DNS services on compromised systems, cutting them off from the internet and so impeding the recovery process, and deploying a ransomware variant that specifically targets Linux-based VMware ESXi virtual machines (VMs)<sup>1<\/sup>.<\/p>\n<p>The following TTP data<sup>2<\/sup>, mapped to MITRE ATT&amp;CK, describes the typical Black Basta attack chain:<\/p>\n<table>\n<tbody readability=\"21\">\n<tr readability=\"5.5\">\n<td><b>Initial Access<\/b><\/td>\n<td readability=\"6\"><b>T1078<\/b> \u2013 Valid Accounts \u2013 Has been reported buying compromised accounts on underground forums to access victim systems.<\/p>\n<p><b>T1566.001<\/b> \u2013 Phishing: Spear-phishing attachment \u2013 Mirrors the technique used by Qakbot operators to distribute the payload that will deliver the ransomware.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"9.5\">\n<td><b>Execution<\/b><\/td>\n<td readability=\"10\"><b>T1059.003<\/b> \u2013 Command and scripting interpreter \u2013 Uses various scripting interpreters like PowerShell and the Windows command shell.<\/p>\n<p><b>T1569.002<\/b> \u2013 System services: Service execution \u2013 Stops and deletes the service named \u201cFax\u201d, which it then impersonates for its encryption routine.<\/p>\n<p><b>T1047<\/b> \u2013 Windows Management Instrumentation \u2013 Has been observed to use 
Windows Management Instrumentation (WMI) to spread and execute files over the Network.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td><b>Privilege Escalation<\/b><\/td>\n<td><b>T1068<\/b> \u2013 Exploitation for privilege escalation \u2013 Exploits the PrintNightmare vulnerability (CVE-2021-34527<sup>3<\/sup>) to perform privileged operations.<\/td>\n<\/tr>\n<tr readability=\"16\">\n<td><b>Defense Evasion<\/b><\/td>\n<td readability=\"17\"><b>T1112<\/b> \u2013 Modify registry \u2013 Modifies registry entries to enable it to replace the desktop wallpaper, set the icon associated with encrypted files, establish persistence, and disable defenses.<\/p>\n<p><b>T1484.001<\/b> \u2013 Domain policy modification: Group policy modification \u2013 Employs a technique involving the creation of a Group Policy Object (GPO) on a compromised domain controller, which will push out the changes (disable defenses) to the Windows registry of domain-joined hosts.<\/p>\n<p><b>T1562.001<\/b> \u2013 Impair defenses: Disable or modify tools \u2013 Disables Windows Defender and Security Center.<\/p>\n<p><b>T1562.009<\/b> \u2013 Impair defenses: Safe mode boot \u2013 Disables Windows recovery and repair features and restarts the machine in safe mode.<\/p>\n<p><b>T1620<\/b> \u2013 Reflective code loading \u2013 Has some builds that are known to use reflective code loading when executing themselves.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>Credential Access<\/b><\/td>\n<td><b>T1003<\/b> \u2013 OS credential dumping \u2013 Uses Mimikatz<sup>4<\/sup> to dump credentials.<\/td>\n<\/tr>\n<tr readability=\"6.5\">\n<td><b>Discovery<\/b><\/td>\n<td readability=\"8\"><b>T1082<\/b> \u2013 System information discovery \u2013 Uses tools for local system scans.<\/p>\n<p><b>T1018<\/b> \u2013 Remote system discovery \u2013 Uses tools for remote network scans.<\/p>\n<p><b>T1083<\/b> \u2013 File and directory discovery \u2013 Searches for specific files and directories related to its ransomware 
encryption.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"5.5\">\n<td><b>Lateral Movement<\/b><\/td>\n<td readability=\"6\"><b>T1570<\/b> \u2013 Lateral tool transfer \u2013 Uses tools like PsExec<sup>5<\/sup> and BITSAdmin<sup>6<\/sup> to spread the malware laterally across the network.<\/p>\n<p><b>T1021.001<\/b> \u2013 Remote services: Remote Desktop Protocol<sup>7<\/sup> \u2013 Uses RDP to spread and execute the malware across the network.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"5.5\">\n<td><b>Exfiltration<\/b><\/td>\n<td readability=\"6\"><b>T1041<\/b> \u2013 Exfiltration over C&amp;C channel \u2013 Uses an established command-and-control (C&amp;C) channel to exfiltrate data.<\/p>\n<p><b>T1567<\/b> \u2013 Exfiltration over web service \u2013 Uses a tool like Rclone to copy stolen data from a client to its cloud server.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"10\">\n<td><b>Impact<\/b><\/td>\n<td readability=\"11\"><b>T1490<\/b> \u2013 Inhibit system recovery \u2013 Deletes shadow copies.<\/p>\n<p><b>T1489<\/b> \u2013 Service stop \u2013 Stops and deletes a service named \u201cFax\u201d, which it then impersonates for its encryption routine.<\/p>\n<p><b>T1486<\/b> \u2013 Data encrypted for impact \u2013 Encrypts files and adds the extension \u201c.basta\u201d.<\/p>\n<p><b>T1491<\/b> \u2013 Defacement \u2013 Replaces the desktop wallpaper to display the ransom note.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>(Source: TrendMicro<sup>8<\/sup>)<\/p>\n<h3>DNS on the Front Lines<\/h3>\n<p>DNS plays a crucial role in the kill chain of most cyberattacks, including some of the techniques used by Black Basta. Domain names have to go through DNS lookup. Almost all of the time DNS serves as a communication channel for command and control (C&amp;C), malware downloads, and data exfiltration. 
To ensure comprehensive protection against cyberattacks, DNS security is vital for your clouds, on-premises resources, IT\/OT environments, and remote\/roaming workers.<\/p>\n<p>DNS security safeguards users against malicious destinations and identifies abnormal network behavior. It helps detect advanced persistent threats, botnet communications, DNS tunneling, and data exfiltration. The logs generated by DNS activity are valuable for effective incident response. Analyzing these logs provides insights into clients\u2019 historical resource access, enabling a better understanding of their activities.<\/p>\n<p>Furthermore, contextual information obtained through DHCP fingerprinting and IPAM metadata offers additional insights into compromised devices. This includes details such as device type, operating system information, network location, and current as well as previous IP address allocations. Leveraging this information greatly aids in event correlation and in assessing the scope of an ongoing breach. It also helps establish connections between DNS requests, devices, and users.<\/p>\n<p>In light of the probable origins of these attacks and the activities of threat groups like Black Basta, it is important to note that BloxOne Threat Defense also covers EECN IPs. This feed follows a policy-based approach and includes IPs associated with countries in Eastern Europe and China. These regions are often mentioned as sources of cyberattacks targeting the theft of intellectual property, sensitive or classified data, and credit card or financial information. It is recommended that Infoblox customers at least employ EECN to gain visibility into these connections. 
If their organization has no requirement to engage with IPs in those countries, consider blocking them.<\/p>\n<h3>In Summary<\/h3>\n<p>Black Basta has unleashed relentless attacks on public and private sector organizations, causing significant disruption and financial losses and exposing sensitive data. The recent attack on ABB highlights the need for organizations to strengthen their cybersecurity measures and remain vigilant against evolving threats. By staying informed and leveraging threat intelligence and tools like protective DNS, organizations can improve their resiliency against groups like Black Basta.<\/p>\n<p>It is important to remember that DNS security (Protective DNS) is a mainstream security control. A June 2021 <a href=\"https:\/\/www.gartner.com\/en\/documents\/4002327\" target=\"_blank\" rel=\"noopener\">Gartner report<\/a> recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms.<\/p>\n<p>To find out more about how Infoblox can help, please reach out to us via <a href=\"https:\/\/info.infoblox.com\/contact-form\/\" target=\"_blank\" rel=\"noopener\">https:\/\/info.infoblox.com\/contact-form\/<\/a>.<\/p>\n<ul>\n<li>Learn more about BloxOne Threat Defense.<\/li>\n<li>Learn more about protective DNS and DNS security.<\/li>\n<\/ul>\n<h3>IOCs Associated with Black Basta<sup>9<\/sup><\/h3>\n<h3>SHA-256<\/h3>\n<table>\n<tbody readability=\"27\">\n<tr readability=\"2\">\n<td><b>Black Basta\u2019s Ransomware Binary<\/b><\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td><b>Hash<\/b><\/td>\n<td><b>Detection Name<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>01fafd51bb42f032b08b1c30130b963843fea0493500e871d6a6a87e555c7bac<\/td>\n<td>Ransom.Win32.BLACKBASTA.YXCEP<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>c9df12fbfcae3ac0894c1234e376945bc8268acdc20de72c8dd16bf1fab6bb70<\/td>\n<td>Ransom.Win32.BLACKBASTA.YACEJ<\/td>\n<\/tr>\n<tr 
readability=\"4\">\n<td>94428d7620fff816cb3f65595978c6abb812589861c38052d30fa3c566e32256<\/td>\n<td>Ransom.Win32.BLACKBASTA.YACEDT<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>1cad451cedeb9967c790c1671cd2e3482de87e3e802953f28e426642894ceb7b<\/td>\n<td>Ransom.Win32.BLACKBASTA.YACEDT<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>81a6c44682b981172cd85ee4a150ac49f838a65c3a0ed822cb07a1c19dab4af5<\/td>\n<td>Ransom.Win32.BLACKBASTA.YACEDT<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90<\/td>\n<td>Ransom.Win32.BLACKBASTA.YXCD2<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a<\/td>\n<td>Ransom.Win32.BLACKBASTA.YXCD2<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa<\/td>\n<td>Ransom.Win32.BLACKBASTA.THDBGBB<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e<\/td>\n<td>Ransom.Win32.BLACKBASTA.THDBIBB<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be<\/td>\n<td>Ransom.Linux.BLACKBASTA.YXCFT<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef<\/td>\n<td>Ransom.Linux.BLACKBASTA.YXCFJ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>22c1bac3755f1d3234b44b6db3864b30c34710f997db61ba46d134c6f7f4e1ff<\/td>\n<td>Ransom.Win64.BLACKBASTA.YACFUT<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>308a54f1a0cc165036d78aa618d6d4d7409eee50f536b6882550e2a7f209667c<\/td>\n<td>Ransom.Win32.BLACKBASTA.YXCFU<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Black Basta\u2019s Tools<\/h3>\n<table>\n<tbody readability=\"33\">\n<tr>\n<td><b>Hash<\/b><\/td>\n<td><b>Detection Name<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>8882186bace198be59147bcabae6643d2a7a490ad08298a4428a8e64e24907ad<\/td>\n<td>Trojan.Win32.BLACKBASTA.YXCEJ<\/td>\n<\/tr>\n<tr 
readability=\"4\">\n<td>0e2b951ae07183c44416ff6fa8d7b8924348701efa75dd3cb14c708537471d27<\/td>\n<td>Trojan.Win32.BLACKBASTA.YXCEJ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>0d3af630c03350935a902d0cce4dc64c5cfff8012b2ffc2f4ce5040fdec524ed<\/td>\n<td>Trojan.Win32.BLACKBASTA.YXCEJ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>df35b45ed34eaca32cda6089acbfe638d2d1a3593d74019b6717afed90dbd5f8<\/td>\n<td>Trojan.Win32.BLACKBASTA.YXCEJ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>3fe73707c2042fefe56d0f277a3c91b5c943393cf42c2a4c683867d6866116fc<\/td>\n<td>Trojan.Win32.BLACKBASTA.YXCEJ<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>72a48f8592d89eb53a18821a54fd791298fcc0b3fc6bf9397fd71498527e7c0e<\/td>\n<td>Trojan.X97M.QAKBOT.YXCFH<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166<\/td>\n<td>TrojanSpy.Win32.QAKBOT.YXCEEZ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>ffa7f0e7a2bb0edf4b7785b99aa39c96d1fe891eb6f89a65d76a57ff04ef17ab<\/td>\n<td>TrojanSpy.Win32.QAKBOT.YACEJT<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>2083e4c80ade0ac39365365d55b243dbac2a1b5c3a700aad383c110db073f2d9<\/td>\n<td>TrojanSpy.Win32.QAKBOT.YACEJT<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>1e7174f3d815c12562c5c1978af6abbf2d81df16a8724d2a1cf596065f3f15a2<\/td>\n<td>TrojanSpy.Win32.QAKBOT.YACEJT<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>2d906ed670b24ebc3f6c54e7be5a32096058388886737b1541d793ff5d134ccb<\/td>\n<td>TrojanSpy.Win32.QAKBOT.YACEJT<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>72fde47d3895b134784b19d664897b36ea6b9b8e19a602a0aaff5183c4ec7d24<\/td>\n<td>TrojanSpy.Win32.QAKBOT.YACEJT<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>2e890fd02c3e0d85d69c698853494c1bab381c38d5272baa2a3c2bc0387684c1<\/td>\n<td>TrojanSpy.Win32.QAKBOT.YACEJT<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>580ce8b7f5a373d5d7fbfbfef5204d18b8f9407b0c2cbf3bcae808f4d642076a<\/td>\n<td>Backdoor.Win32.COROXY.YACEKT<\/td>\n<\/tr>\n<tr 
readability=\"4\">\n<td>130af6a91aa9ecbf70456a0bee87f947bf4ddc2d2775459e3feac563007e1aed<\/td>\n<td>Trojan.Win64.QUAKNIGHTMARE.YACEJT<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>c4683097a2615252eeddab06c54872efb14c2ee2da8997b1c73844e582081a79<\/td>\n<td>PUA.Win32.Netcat.B<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>ac49c114ef137cc198786ad8daefa9cfcc01f0c0a827b0e2b927a7edd0fca8b0<\/td>\n<td>HackTool.BAT.RDPEnable.A<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>580ce8b7f5a373d5d7fbfbfef5204d18b8f9407b0c2cbf3bcae808f4d642076a<\/td>\n<td>Backdoor.Win32.COROXY.YACEKT<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>URLs<\/h3>\n<table>\n<tbody>\n<tr>\n<td>24.178.196.44:2222<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>37.186.54.185:995<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>39.44.144.182:995<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>45.63.1.88:443<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>46.176.222.241:995<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>47.23.89.126:995<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>72.12.115.15:22<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>72.76.94.52:443<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>72.252.157.37:995<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>72.252.157.212:990<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>73.67.152.122:2222<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>75.99.168.46:61201<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>103.246.242.230:443<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>113.89.5.177:995<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>148.0.57.82:443<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>167.86.165.191:443<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>173.174.216.185:443<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>180.129.20.53:995<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>190.252.242.214:443<\/td>\n<td>Qakbot C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>217.128.122.16:2222<\/td>\n<td>Qakbot 
C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>172.105.88.234:4001<\/td>\n<td>Coroxy C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>23.106.160.188<\/td>\n<td>Cobeacon C&amp;C<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Endnotes<\/h3>\n<ol>\n<li><a href=\"https:\/\/www.blackberry.com\/us\/en\/solutions\/endpoint-security\/ransomware-protection\/black-basta\" target=\"_blank\" rel=\"noopener\">https:\/\/www.blackberry.com\/us\/en\/solutions\/endpoint-security\/ransomware-protection\/black-basta<\/a><\/li>\n<li><a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-blackbasta\" target=\"_blank\" rel=\"noopener\">https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-blackbasta<\/a><\/li>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34527\" target=\"_blank\" rel=\"noopener\">https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34527<\/a><\/li>\n<li><a href=\"https:\/\/www.csoonline.com\/article\/3353416\/what-is-mimikatz-and-how-to-defend-against-this-password-stealing-tool.html\" target=\"_blank\" rel=\"noopener\">https:\/\/www.csoonline.com\/article\/3353416\/what-is-mimikatz-and-how-to-defend-against-this-password-stealing-tool.html<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/sysinternals\/downloads\/psexec\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/sysinternals\/downloads\/psexec<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/bits\/bitsadmin-tool\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/bits\/bitsadmin-tool<\/a><\/li>\n<li><a href=\"https:\/\/www.techtarget.com\/searchenterprisedesktop\/definition\/Remote-Desktop-Protocol-RDP\" target=\"_blank\" rel=\"noopener\">https:\/\/www.techtarget.com\/searchenterprisedesktop\/definition\/Remote-Desktop-Protocol-RDP <\/a><\/li>\n<li><a 
href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-blackbasta\" target=\"_blank\" rel=\"noopener\">https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-blackbasta<\/a><\/li>\n<li><a href=\"https:\/\/documents.trendmicro.com\/assets\/txt\/IOCs_BlackBasta_Spotlight-1gMstIg.txt\" target=\"_blank\" rel=\"noopener\">https:\/\/documents.trendmicro.com\/assets\/txt\/IOCs_BlackBasta_Spotlight-1gMstIg.txt<\/a><\/li>\n<\/ol>\n<p> <a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/black-basta-anatomy-of-the-attack\/\">Infoblox Original<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction In the constantly evolving realm of cyber threats, new<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[72,58,62,61,42,63],"tags":[73,65,69,68,50,70],"class_list":["post-1242","post","type-post","status-publish","format-standard","hentry","category-black-basta","category-cyber-threat-intelligence","category-dns-security","category-protective-dns","category-security","category-threat-intelligence-feeds","tag-black-basta","tag-cyber-threat-intelligence","tag-dns-security","tag-protective-dns","tag-security","tag-threat-intelligence-feeds"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Infoblox","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/infoblox\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/black-basta\/\" rel=\"category tag\">Black Basta<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyber-threat-intelligence\/\" rel=\"category 
tag\">Cyber Threat Intelligence<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns-security\/\" rel=\"category tag\">DNS Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/protective-dns\/\" rel=\"category tag\">Protective DNS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/security\/\" rel=\"category tag\">Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-intelligence-feeds\/\" rel=\"category tag\">Threat Intelligence Feeds<\/a>","tag_info":"Threat Intelligence Feeds","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1242"}],"version-history":[{"count":1,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1242\/revisions"}],"predecessor-version":[{"id":1348,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1242\/revisions\/1348"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}