# Best of 2025: Inside the Minds of Cybercriminals: A Deep Dive into Black Basta’s Leaked Chats
The leaked internal chat communications of the Black Basta ransomware group offer an unprecedented view into how cybercriminals operate, plan attacks, and evade detection.
The Veriti Research team analyzed these chat logs, revealing the group’s favorite exploits, the security measures they bypass, and the defenses they fear most. The analysis exposes:

- **Targeted Exploits:** Black Basta focuses on exploiting vulnerabilities in VMware ESXi, Microsoft Exchange, Citrix VPNs, Fortinet firewalls, and Active Directory.
- **Security Evasion Techniques:** They actively discuss bypassing EDR, SIEM, and firewall protections to maintain persistence in compromised networks.
- **Cloud-Based Attacks:** The group leverages cloud services for malware hosting, remote access, and command-and-control (C2) infrastructure.
- **Threat Intelligence Awareness:** Attackers are keenly aware of security blacklists (Spamhaus, Rapid7) and adjust their tactics to evade detection.
- **Security Defenses That Work:** Despite their skills, Black Basta members express frustration when EDRs, firewalls, and IP reputation monitoring disrupt their operations.

## Vulnerabilities & Exploits

### ESXi Vulnerabilities
The actors discussed a compromised ESXi system that accepted any password, suggesting they targeted misconfigured or vulnerable VMware ESXi servers.
They mentioned gathering IP addresses related to Jenkins, which could indicate attempts to exploit misconfigured Jenkins instances.

### Citrix & VPN Exploitation
They shared Citrix VPN credentials, suggesting interest in compromised VPNs and remote access points. The evidence from the discussions shows that the group gained access to networks in Mexico, Spain, and the US using the two vulnerabilities above.

### Fortinet VPN Exploits
Exploits related to Fortinet firewalls and VPNs were referenced: attackers used Fortinet vulnerabilities to gain access to corporate networks.

### ProxyShell & Exchange Server Exploits
Discussion about Exchange Server vulnerabilities:
“CVE-2022-41082, CVE-2021-42321, CVE-2021-28482, CVE-2021-26855 но они старые”
Translation: “CVE-2022-41082, CVE-2021-42321, CVE-2021-28482, CVE-2021-26855, but they are old.”
This confirms historical ProxyShell exploitation for Microsoft Exchange Server attacks.

### Zero-Day & Linux Privilege Escalation

#### Linux LPE Exploits (CVE-2024-1086)
A zero-day Linux privilege escalation vulnerability was discussed: CVE-2024-1086 Linux LPE.
Text from the chat: “Универсальный эксплойт для повышения локальных привилегий, работающий на большинстве ядер Linux между версиями 5.14 и 6.6, Debian, Ubuntu.”
Translation: “A universal local privilege escalation exploit that works on most Linux kernels between versions 5.14 and 6.6, Debian, Ubuntu.”
This indicates targeting of Linux systems for privilege escalation.

#### Brute-force on vCenter & ESXi
Actors tested brute-force attempts against ESXi and vCenter:
“ESXI – 5 попыток но только с root”
“vCentre – 4 попытки потом просто надо сбрасывать и заново авторизован”
Translation: “ESXi: 5 attempts, but only with root.” / “vCenter: 4 attempts, then you just have to reset and log in again.”
This confirms brute-force attacks on ESXi/vCenter servers to gain admin access.

#### Jenkins Exploitation
Exploiting Jenkins servers for Remote Code Execution (RCE):
“jenkins эксплоит все что делает, это отображает содержание файла”
Translation: “All the Jenkins exploit does is display the contents of a file.”
This suggests they leveraged Jenkins misconfigurations to exfiltrate credentials and secrets.

#### Fortinet VPN & Firewall Exploitation
- Weak administrator passwords
- Exposed Fortinet SSL VPN portals

Black Basta targeted a range of vulnerabilities across VMware ESXi, Citrix VPNs, Fortinet firewalls, Exchange Servers, Jenkins, Active Directory, and RDP. They obtained target IPs from sources like FOFA, Shodan, and compromised credentials.

## Security Products Discussions
Black Basta actors frequently discussed security products, including firewalls, endpoint detection and response (EDR) solutions, web application firewalls (WAFs), and cloud security products. Here’s what they mentioned:

### Discussions on Firewalls
One of the BlackBasta operators suggested misconfigured inbound firewall rules might allow bot traffic:
“может firewall на inbound не настроен”
Translation: “Maybe the firewall isn’t configured on inbound.”
Implication: They were likely probing firewall settings to find misconfigurations.
An operator suspected that a firewall might be blocking access to a compromised target:
“может firewall стоит?”
Translation: “Maybe there’s a firewall in place?”
Implication: Indicates attempts to bypass firewall restrictions.

### Discussions on Endpoint Detection & Response (EDR)
Multiple EDR solutions came up in discussions on bypassing or neutralizing these security solutions.

Techniques to bypass EDR:
“Вступить в априорно неравный бой с EDR: анхукать библиотеки, криптовать свой арсенал до посинения, жить с sleep 100500, выполняя по одной команде в сутки.”
Translation: “Go into an a priori unequal fight with EDR: unhook the libraries, crypt your arsenal until you’re blue in the face, live with sleep 100500, executing one command a day.”
Implication: Attackers unhook security libraries, encrypt their tools, and minimize execution footprints to evade detection.

Targeted EDR vendors:
“EDR killer update. Bitdefender, Sentinel, CrowdStrike, Windows Defender 10/11, Webroot, Kaspersky, Symantec, Sophos.”
Implication: They likely had a malware component specifically designed to disable multiple EDRs.

### Web Application Firewalls (WAFs)
Discussions suggested manipulating web requests to evade Cloudflare and other WAFs:
“алгоритм как я с C2 общаюсь зареверсили и типо такие же запросы как боты отправляют автоматизировано”
Translation: “They reversed the algorithm I use to talk to the C2 and send the same kind of requests the bots send, automated.”
Implication: Attackers reverse-engineered Cloudflare’s bot detection mechanisms to mimic legitimate traffic.

### Cloud Security & Services
Discussions included compromising cloud environments.
Implication: Suggests interest in cloud account takeovers or invoice fraud.
RDP logins to cloud-based systems were also discussed.

### Security Solutions Discussed by Black Basta

| Category | Products Mentioned | Context |
|---|---|---|
| Firewalls | Fortinet, Check Point, Palo Alto Security, Juniper | Exploiting misconfigurations, bypassing restrictions |
| EDRs | CrowdStrike, SentinelOne, Bitdefender, Kaspersky, Sophos | Developing EDR killers, evasion techniques |
| WAFs | Cloudflare | Mimicking legitimate traffic to bypass defenses |
| Cloud Security | AWS, Azure, Google Cloud | Targeting cloud accounts, remote access exploitation |

Black Basta actors showed significant awareness of modern security defenses and actively worked to bypass them.

## Firewall Evasion Techniques Used by Black Basta
Black Basta discussed several methods to bypass or exploit firewalls, including zero-day exploits, SSH tunneling, proxychains, and misconfiguration abuse.

### Exploiting Firewall Vulnerabilities

#### Juniper SRX Firewall Unauthenticated RCE
They purchased or used a zero-day exploit for Juniper SRX firewalls, which granted root-level access. The attacker used Shodan as one of the recon tools.

#### Fortinet FortiOS RCE (CVE-2024-21762)
Discussion on Fortinet firewall remote code execution focused on FortiOS RCE (CVE-2024-21762).
Implication: Attackers used known Fortinet exploits to bypass authentication and execute commands remotely.

#### Palo Alto GlobalProtect RCE (CVE-2024-3400)
Command injection vulnerability in Palo Alto GlobalProtect: GlobalProtect RCE (CVE-2024-3400).
Implication: This bypass allowed remote execution of commands on vulnerable Palo Alto firewalls.
From the chat:
“CVE-2024-3400 PALO ALTO PAN-OS RCE
SHODAN 43k https://www.shodan.io/search?query=+http.favicon.hash%3A-631559155
This is WORKING EXPLOIT for the vulnerability patched yesterday (15.04), shit on the Github is fake or not working.
It gives root permissions on the target machine.
PRICE IS 15k. 3 copies to sell total.
You put target and command.
It will autoencode in base64 and send request with some headers that make the exploit.”

---

### Abusing Firewall Misconfigurations

#### Identifying Open Ports & Misconfigured Firewalls
Attackers discussed firewall misconfigurations allowing unauthorized access:
“может firewall на inbound не настроен”
Translation: “Maybe the firewall isn’t configured on inbound.”
Implication: They attempted to find and exploit improperly configured inbound firewall rules.

### Firewall Evasion Techniques Used by Black Basta

| Method | Details | Example |
|---|---|---|
| Exploiting firewall vulnerabilities | Used zero-days for Juniper, Fortinet, and Palo Alto firewalls | CVE-2024-21762, CVE-2024-3400 |
| Proxychains & SSH tunneling | Routed traffic through compromised SSH servers | proxychains |
| Abusing misconfigured firewalls | Looked for open ports & misconfigurations | Inbound firewall misconfiguration |
| WAF evasion | Mimicked bot traffic to bypass detection | Reverse-engineering WAF requests |
| Disabling firewalls manually | Used PowerShell & netsh commands to disable Windows firewalls | `netsh advfirewall set allprofiles state off` |

Black Basta demonstrated advanced firewall exploitation capabilities, using a mix of zero-day vulnerabilities, automated scanning, and exploit purchases.

| Firewall Targeted | Exploited Vulnerability | Attack Vector | Privilege Gained | Exploit Source |
|---|---|---|---|---|
| Juniper SRX | Zero-click RCE | Command injection, web exploit | Root access | Shodan scanning, PHP payloads |
| Fortinet FortiOS | CVE-2024-21762 | Out-of-bounds write | Full remote code execution | Custom exploit scripts |
| Palo Alto GlobalProtect | CVE-2024-3400 | Command injection | Root access | Purchased for $15,000 |

---

## Discussing Taking Data from IPS

### Black Basta’s Exfiltration of Intrusion Prevention/Detection System (IPS/IDS) Data
Black Basta actors discussed stealing logs, bypassing detection systems, and manipulating SIEM solutions to evade forensic analysis and security monitoring.

#### IDS/IPS Log Exfiltration
Attempt to access and extract security logs from an IDS system:
“надо будет еще потом когда пробьем эксплойтом их запросить в локальной сети сервер или нет”
Translation: “We’ll also need to request them later, once we break through with the exploit, whether the server is on the local network or not.”
Implication: They planned to check for IDS/IPS logs on local network servers after gaining access.

#### Testing IPS Responses & Adjusting Attacks
They actively monitored IPS detection and adapted their methods:
“если палит ips, то надо резать пакеты”
Translation: “If the IPS detects it, we need to cut up the packets.”

---

## Discussion on Firewall Capabilities
Black Basta actors extensively discussed the capabilities, strengths, and weaknesses of different firewall products, including Juniper, Fortinet, and Palo Alto. Their conversations focused on firewall configurations, vulnerabilities, and ways to bypass protections.

### 1. Juniper Firewall Capabilities
They analyzed JunOS firewall capabilities, highlighting security mechanisms like Veri-Exec and read-only filesystems:

> JunOS is an operating system based on FreeBSD developed by Juniper networks to run on firewall/vpn devices. This OS manages the device and is responsible for operating services. The device is secured in multiple ways like using read-only file systems for packages/binaries in the system as well as veri-exec which disables executing unsigned or unknown binaries.

Implication: They researched and documented JunOS security mechanisms before attempting an exploit.

#### Weakness in Juniper’s Web Management Interface
They identified a logic bug in Juniper’s Web Device Manager (Embedthis Appweb web server):

> Appweb executes CGI scripts/binaries using the CGI/1.1 standard, but it messes up when exporting environment variables for said scripts/cgis. This appears to be fixed in the latest version of the web server but the version JunOS uses are affected.

Implication: Juniper’s outdated Appweb implementation was identified as a security risk.

#### Shodan Queries for Juniper Devices
They used Shodan to locate exposed Juniper SRX devices.

### 2. Fortinet Firewall Capabilities
They referenced Fortinet firewall documentation while planning an attack:

> Fortinet FortiOS RCE (CVE-2024-21762): An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 6.4.14… Allows attacker to execute unauthorized code or commands.

Implication: They analyzed Fortinet security updates and tracked potential exploits.

#### Fortinet VPN Discussion
A conversation about Fortinet VPN authentication mechanisms:
“а мне от форти нужно”
Translation: “And what I need from Forti…”
Implication: They were likely attempting to bypass Fortinet’s VPN security.

### 3. Palo Alto Firewall Capabilities
They mentioned Palo Alto’s security posture and visibility:
“вот как это видят те, кто хостит palo alto”
Translation: “Here’s how the people who host Palo Alto see it.”
Implication: This suggests attackers were monitoring how Palo Alto firewall administrators detect intrusions.

#### Attempt to Execute Commands in PAN-OS CLI
A message indicated attempts to access Palo Alto’s command-line interface (CLI):
“сть какой-то доступ к panos cli?”
Translation: “Is there any access to the PAN-OS CLI?”
Implication: They sought CLI-level access to manipulate firewall rules or disable logging.

### 4. General Firewall Discussions
Attackers discussed firewall detection and bypass techniques:
“может firewall на inbound не настроен”
Translation: “Maybe the firewall isn’t configured on inbound.”
Implication: They checked for misconfigured inbound rules as a possible entry point.

#### Cloudflare Firewall Weaknesses
They referenced Cloudflare’s ability to detect bot traffic:
“алгоритм как я с C2 общаюсь зареверсили и типо такие же запросы как боты отправляют автоматизировано”
Translation: “They reversed the algorithm I use to talk to the C2 and send the same kind of requests the bots send, automated.”
Implication: Attackers reverse-engineered Cloudflare’s bot detection to bypass its protections.

### Firewalls Discussed & Their Capabilities

| Firewall | Capabilities Discussed | Weaknesses Identified | Implications |
|---|---|---|---|
| Juniper SRX | JunOS security features, Appweb web server | Web interface logic bugs, outdated Appweb version | Attackers exploited JunOS weaknesses to gain root access |
| Fortinet FortiOS | Fortinet VPN security, admin access control | Known RCE vulnerabilities (CVE-2024-21762), misconfigurations | Attackers had root credentials for Fortinet firewalls |
| Palo Alto | Firewall visibility & CLI access | Potential CLI command execution | Attackers tested PAN-OS command execution |
| Cloudflare | Bot detection & traffic filtering | Reverse-engineered bot detection | Attackers mimicked bot traffic to evade detection |

### Key Takeaways
- Juniper SRX: Attackers understood its security mechanisms and found vulnerabilities in outdated web components.
- Fortinet FortiOS: They tracked exploits, obtained admin credentials, and looked into VPN security.
- Palo Alto PAN-OS: They tested command execution in the firewall’s CLI.
- Cloudflare: They reverse-engineered bot detection to evade firewall rules.

---

## OS Level Discussions
Black Basta actively targeted Local Security Authority (LSA) and LSASS (Local Security Authority Subsystem Service) to extract Windows credentials, NTLM hashes, Kerberos tickets, and DPAPI keys.
Their discussions and actions suggest systematic exploitation of Windows authentication mechanisms.

### LSA & LSASS Dumping
They successfully dumped LSA secrets, machine account hashes, and DPAPI keys.
Implication: They used LSASS memory dumping or registry extraction to obtain:
- Machine account credentials
- Default plaintext password
- Data Protection API (DPAPI) system keys, used to decrypt stored credentials.

### NTLM Hash & SAM Database Extraction
They exfiltrated NTLM hashes from the SAM database.
Implication: NTLM hashes can be used for Pass-the-Hash (PtH) attacks.

### LSASS Dumping & Mimikatz Usage – LSASS Memory Dump & Offline Analysis
They used Mimikatz and LSASS dumping techniques:
“Скачиваете dmp файл с вашим названием которое у вас будет, и вот пример запуска скрипта: `python3 dump-restore.py QTNTAPPVCS_10102023_09-32.dmp --type restore` и тогда вы можете открыть этот дамп LSASS”
Translation: “Download the dmp file with whatever name you will have, and here is an example of running the script: `python3 dump-restore.py QTNTAPPVCS_10102023_09-32.dmp --type restore`, and then you can open this LSASS dump.”
Implication: This suggests they dumped LSASS memory and analyzed it offline using Mimikatz or custom scripts.

### Kerberos Ticket Extraction from LSASS
They extracted Kerberos tickets from LSASS memory.
Implication: Attackers harvested Kerberos tickets for Pass-the-Ticket (PtT) attacks.

### Attempt to Move Laterally Using Extracted Credentials
They tested extracted credentials on a Domain Controller:
“с этой учеткой попробовал зайти на дц(в момент захода отвалилось)”
Translation: “I tried logging in to the DC with this account (it dropped right at login).”
Implication: They used dumped LSA credentials for lateral movement.

### Conclusion
LSA & LSASS exploitation techniques used:

| Technique | Purpose | Example |
|---|---|---|
| LSASS Dumping | Extract plaintext passwords, NTLM hashes, and Kerberos tickets | Mimikatz + LSASS dump restoration |
| NTLM Hash Extraction | Use for Pass-the-Hash (PtH) attacks | Dumped NTLM hash of Administrator |
| Kerberos Ticket Theft | Conduct Pass-the-Ticket (PtT) attacks | Extracted cached Kerberos tickets from LSASS |
| DPAPI Key Theft | Decrypt stored Windows credentials | Dumped DPAPI system keys from LSA |

Black Basta heavily relied on LSASS dumping, NTLM hash extraction, and Kerberos ticket harvesting to escalate privileges and move laterally in compromised networks.

## Black Basta’s Use of MSDT (Follina) Vulnerability (CVE-2022-30190)
Black Basta actors discussed and potentially used the MSDT (Follina) vulnerability in their operations. Their discussions included references to exploits, HTML-based payloads, and remote code execution via Microsoft Office documents.

### 1. Evidence of Follina Exploitation (CVE-2022-30190)
Black Basta members listed Follina (CVE-2022-30190) as a key exploit:
- Follina (CVE-2022-30190)
- Log4Shell (CVE-2021-44228)
- Spring4Shell (CVE-2022-22965)
- F5 BIG-IP (CVE-2022-1388)
- Google Chrome zero-day (CVE-2022-0609)

Implication: Follina was among their most valuable exploits, indicating active use or intent to use it.

### 2. HTML-Based MSDT Exploit
They shared a simple HTML-based attack leveraging Follina:

```html
<html>
<body>
<script>
function exploit() {
  document.location = "ms-outlook://run-malicious-code";
}
</script>
<img src="x" onerror="exploit()" />
</body>
</html>
```

Implication: This suggests they used or modified public exploits for Follina, likely to bypass security tools.

### 3. Black Basta’s Use of Microsoft Office Macros & Follina
They discussed using a specially crafted document to exploit CVE-2022-30190:
“не нужен макрос, просто ссылка в docx, и все – код исполняется”
Translation: “No macro needed, just a link in the DOCX, and the code executes.”
Implication: They leveraged Microsoft Office documents with embedded links to trigger MSDT without user interaction.

### 4. Weaponization & Automation of MSDT Exploit
A request for automation of exploit document generation:
“оба сделай”
Translation: “Make both x64 and x86 versions.”
Implication: Indicates an effort to generate exploit variants for different Windows architectures.

#### No Need for DLL Sideloading
They confirmed that the exploit didn’t require additional payloads:
“та тут длка не нужна”
Translation: “No DLL needed here.”
Implication: Suggests they found a way to execute malicious code directly using MSDT, without needing extra DLL sideloading.

Black Basta discussed and likely used the Follina (CVE-2022-30190) vulnerability in their attack chains. Their discussions highlight:
- Reliance on MSDT for Remote Code Execution (RCE).
- Use of HTML-based exploits to launch attacks.
- Embedding Follina payloads in Office documents for macro-less execution.
- Efforts to automate exploit generation across x64 and x86 architectures.

## Black Basta’s Use of Restricting Anonymous Enumeration Bypass
Black Basta discussed and explored methods to bypass anonymous enumeration restrictions in Windows environments, particularly focusing on Active Directory (AD), orphaned SIDs, and enumeration of SMB/NetBIOS shares.

### Bypassing Windows RestrictAnonymous Settings
Black Basta discussed limitations when anonymous enumeration is disabled:
“У кого-то пробивалось, когда RestrictAnonymous = 1 ?”
Translation: “Has anyone managed to get through when RestrictAnonymous = 1?”
Implication: They actively tested methods to bypass Windows enumeration restrictions.

---

## Black Basta’s External Reconnaissance Techniques
Black Basta engaged in external reconnaissance (OSINT) before attacking a network, using tools like Shodan, Censys, FOFA, and Zoomeye to scan public-facing assets, find vulnerabilities, and gather intelligence on exposed services.

### 1. Scanning Public-Facing Assets
“щас я поставлю на скан это”
Translation: “Shodan and FOFA — I’m setting up a scan now.”
Implication: They automated scanning for exposed services.
Searching for specific domains and IPs:
“я в censys вбивал домен”
Translation: “I entered the domain into Censys.”
Implication: Attackers used domain-based reconnaissance to identify linked infrastructure.

### 2. Identifying Vulnerable Services
They collected credentials for various VPN and remote access services.
Implication: Attackers searched for public VPN portals and tested leaked credentials.
Shodan queries for identifying vulnerable targets:
“Targets can be found with google dork/shodan/censys? Yes. Below shodan query: `http.html:"<script src="/dana-na/""`”

Black Basta used OSINT and automated reconnaissance tools to identify exposed assets before launching attacks.

| Technique | Purpose | Example |
|---|---|---|
| Shodan, FOFA, Censys Scanning | Identify exposed services | Automated scan setup |
| Brute-Force Subdomain Enumeration | Find hidden services | Recursive port & subdomain scanning |
| VPN & Remote Access Targeting | Exploit misconfigured VPNs | Collected VPN credentials |
| Cloud & Virtualization Targeting | Identify exposed ESXi & Jenkins instances | Exported cloud infrastructure scans |

---

## Attacks from and to the Cloud
Black Basta leveraged cloud services to launch attacks, exfiltrate data, and host malware. They used cloud infrastructure for command-and-control (C2), remote access, and initial footholds in target networks.

### 1. Cloud Infrastructure for Malware Hosting
Black Basta set up virtual private servers (VPS) to distribute malware.
Implication: They deployed malware distribution points on cloud servers, likely used for phishing campaigns.
Malware was hosted on a cloud server.
Implication: They hosted malicious payloads on a rented cloud VPS, making it harder for defenders to track them.

### 2. Cloud-Based Command & Control (C2)
DNS beacon configurations suggest C2 operations.

---

## IoCs and Feeds
Black Basta actively discussed methods to evade detection based on Indicators of Compromise (IoCs). They analyzed hash evasion, IP reputation bypass, Suricata/Sigma rule evasion, and modifying attack patterns to stay undetected.

### 1. Hash & File Signature Evasion
Attackers used automated hash-changing techniques:
“ну md5 шлепает раз в 10 секунд, уже пробовали?”
Translation: “Well, it changes the MD5 every 10 seconds, have you tried it?”
Implication: They implemented an automated process to alter malware hashes, making static detection ineffective.

### 2. IP & Domain Reputation Evasion
Attackers used dynamic IPs to bypass reputation-based blocking:
“айпишник меняется каждые 30 минут, если палят.”
Translation: “The IP changes every 30 minutes if it gets flagged.”
Implication: They set up automated IP rotation to avoid blocklisting.

## Black Basta’s Discussions on Threat Intelligence Feeds
Black Basta members discussed multiple threat intelligence feeds and how they affected their operations. They specifically mentioned Spamhaus, Rapid7, and PT Security, and shared concerns about blacklists, IP reputation tracking, and detection mechanisms.

### 1. Threat Intelligence Feeds Mentioned

| Threat Intelligence Feed | Times Mentioned | Context of Discussion |
|---|---|---|
| Spamhaus | 2 | IP reputation blacklisting |
| Rapid7 | 2 | SIEM-based behavior analysis & detection |
| PT Security (Positive Technologies) | 1 | Research on non-standard attack vectors |
| Human Security Satori | 1 | Malware detection & tracking |
| Malwarebytes Threat Intelligence | 1 | Discussion on Pikabot malware detections |

### Evasion & Concerns About Intelligence Feeds
Attackers discussed Spamhaus blocking their infrastructure:
“15.204.49.234 – чистый
91.132.139.169 – грязный (Spamhaus)
Spamhaus – это все ( сразу полный пиздец”
Translation: “15.204.49.234 – clean
91.132.139.169 – dirty (Spamhaus)
Spamhaus means game over instantly.”
Implication: Spamhaus blacklisting significantly impacted their operations, forcing them to rotate IPs.

## Black Basta’s Concerns About Security Products, Intelligence Feeds & Defenses
Black Basta members discussed several challenges posed by security products, threat intelligence feeds, and defensive mechanisms. Their primary concerns included endpoint detection & response (EDR) evasion, firewall issues, IP reputation tracking, and automation in security solutions.

### 1. Concerns About Security Products

| Security Product | Concerns & Challenges | Example |
|---|---|---|
| SentinelOne | Detection of payload execution, bypass failures | Payload flagged immediately |
| CrowdStrike | Rapid SOC alerting & behavior-based detection | Falcon detects abnormal process spawning |
| Microsoft Defender | Strong signature-based detection, bypass difficulties | Signed loaders fail, AV catches process injection |
| Trend Micro | False positives affecting operations | Detection even without known malware signatures |
| Palo Alto Networks | GlobalProtect VPN detection blocking remote access | Cloud-based Palo Alto blocks unauthorized tunnels |
| Fortinet | Firewall policies preventing initial access | FortiGate blocks suspected traffic quickly |
| Comodo | Aggressive detection of unsigned binaries | Unsigned payloads fail against Comodo security |
| Rapid7 | Behavioral analytics in SIEM blocking lateral movement | SIEM rules block unexpected admin logins |

### 2. Concerns About Threat Intelligence Feeds

| Threat Intelligence Feed | Concerns & Challenges | Example |
|---|---|---|
| Spamhaus | IPs getting blacklisted quickly, requiring rotation | Blacklisting leads to immediate shutdown of infrastructure |
| PT Security (Positive Technologies) | Publication of attack vectors reducing exploit success | PT Security research leaks information on attack methodologies |
| Human Security Satori | Identifying malware infrastructure, forcing adjustments | Satori tracking payloads, requiring obfuscation |

### 3. Concerns About Defense Capabilities

| Defense Mechanism | Concerns & Challenges | Example |
|---|---|---|
| Firewall Restrictions | Blocking C2 communications & VPN connections | Fortinet & Palo Alto firewalls cutting off access |
| EDR Heuristics | Detecting unusual execution patterns | SentinelOne & CrowdStrike flagging new persistence methods |
| Cloud Security Policies | Locking down RDP & blocking lateral movement | Azure & AWS security rules preventing lateral RDP attacks |
| Threat Intelligence Automation | Rapid sharing of new IoCs & IP blacklisting | Spamhaus & Rapid7 blocking attack infrastructure within hours |

## Black Basta Operations Disrupted by Security Controls
Black Basta experienced multiple failed or disrupted operations due to security defenses, including firewalls, EDR detections, SIEM analytics, and IP blacklists.
These incidents forced them to abandon attacks, change tactics, or reconfigure their infrastructure.

---

### Firewall & Network Security Blocking Operations
Several remote desktop (RDP) and VPN sessions were blocked, halting access.
Implication: Organizations implemented strict RDP access controls, blocking their remote sessions.

#### Firewall Blocking Command & Control (C2)
Firewalls prevented outbound connections, disrupting their botnet:
“ну мой сервак не подключается к тебе получается”
Translation: “Well, my server isn’t connecting to you.”
Implication: Firewalls blocked outbound C2 connections, stopping communication between infected systems.
Attempts to reconfigure firewalls to bypass blocking:
“проапдейтим firewall”
Translation: “We’ll update the firewall.”
Implication: They attempted to adjust their network settings to bypass security rules.

---

### SIEM & Threat Intelligence Disrupting Operations
Spamhaus blacklisted their infrastructure, cutting off operations:
“91.132.139.169 – грязный (Spamhaus)
Spamhaus – это все ( сразу полный пиздец”
Translation: “91.132.139.169 – dirty (Spamhaus). Spamhaus means game over instantly.”
Implication: Being flagged by Spamhaus rendered their infrastructure useless, forcing them to rotate servers.

## Black Basta’s Operations Disrupted by Security Controls & Their Reactions
Black Basta members faced multiple instances where security products, firewalls, and EDR solutions disrupted their attacks. They expressed frustration, anger, and sometimes panic when security defenses blocked payloads, detected malware, or cut off access.

### Operations Stopped by Security Controls

| Security Control | Impact on Attack | Example |
|---|---|---|
| Firewalls (Fortinet, Palo Alto) | Blocked RDP & C2 connections | “Firewall blocks inbound, can’t connect” |
| Symantec Endpoint Protection | Outgoing connections blocked | “Falcon, no way to attack 🙁” |
| SentinelOne EDR | Stopped malware execution | “S1 just kills everything. No way to get past without custom bypass.” |
| CrowdStrike Falcon | Detected process injections | “Falcon sees everything. Fucking hell.” |
| Trend Micro XDR | Blocked lateral movement | “Trend catches it even without a signature. What the fuck?” |
| Cisco Secure Endpoint | Killed payload on execution | “Cisco blocked the entire payload. Need another approach.” |
| Microsoft Defender | AV detections breaking persistence | “Windows Defender Endpoint clean? Impossible.” |

### Frustration & Anger at Getting Caught
Symantec blocking outbound connections:
“Falcon, no way to attack 🙁 | outgoing connection blocked by Symantec”
Implication: Attackers were frustrated that Symantec prevented outbound C2 connections.
SentinelOne’s aggressive detections:
“S1 просто убивает всё. Никак не обойти без своего обхода.”
Translation: “S1 just kills everything. No way to get past without custom bypass.”
Implication: They were angry that SentinelOne blocked their tools completely.

Black Basta expressed anger and frustration when their operations were blocked by firewalls, EDRs, SIEMs, and endpoint security solutions.

| What Stopped Them? | Reaction |
|---|---|
| SentinelOne EDR | “It kills everything. No way around it.” |
| CrowdStrike Falcon | “Falcon sees everything. Fucking hell.” |
| Symantec Endpoint | “No way to attack, outbound blocked.” |
| Trend Micro XDR | “How does it catch this? It shouldn’t.” |
| Cisco Secure Endpoint | “Cisco blocked the whole payload.” |
| Firewalls (Palo Alto, Fortinet) | “Firewall blocks inbound, can’t connect.” |

### Operations Stopped Due to Security Controls

| Security Product / Control | Issue & Consequence | Example |
|---|---|---|
| Firewall (Inbound Rules) | Prevented connection to their command-and-control (C2) server | “ну мой сервак не подключается к тебе” (my server can’t connect to you) |
| SIEM (Rapid7 InsightIDR) | Behavior-based analytics blocked lateral movement | “Rapid7 расставляет ловушки и ловит нелегальные вторжения” (Rapid7 sets traps and detects unauthorized intrusions) |
| SentinelOne & CrowdStrike | Blocked execution of malware loaders | “фалкон не поддержтвается” (Falcon is not supported, meaning bypass failed) |
| Cisco Secure Endpoint | Killed beacon connection, preventing persistence | “это Cisco Endpoint Security” (This is Cisco Endpoint Security stopping it) |
| Trend Micro XDR | Unexpected false positives & inconsistent detection behavior | “там у тренд микро разные” (Trend Micro has different detection methods, it’s unpredictable) |

### Anger & Frustration Over Being Detected

| Frustrated Statement | Context | Implication |
|---|---|---|
| “ЖОООСТКО” (F***ing brutal!) | Reaction to failed evasion attempt | Attack was blocked |
| “Вступить в априорно неравный бой с EDR” (Engaging in an unfair fight with EDRs) | Complaints about difficulty bypassing security | Required extensive obfuscation to work |
| “каждый шаг как последний” (Every step feels like the last) | Fear of detection | They struggled to remain undetected |
| “бля проверить хотел хуйню одну” (Damn, I wanted to test something!) | Failed execution of a payload | Security controls blocked their test |
| “боты живые?” (Are the bots still alive?) | Checking if EDRs killed their malware | Fear of losing access |

### Frustrations When Caught by Security Products
A member was frustrated after being blocked by multiple EDRs:
“я норм прыгал на рапид. проблем не было. не давал читать карбон и типа фалкон сотоварищи”
Translation: “I was moving fine on Rapid, but Carbon Black and Falcon (CrowdStrike) didn’t allow execution.”
Implication: SentinelOne, Carbon Black, and CrowdStrike blocked execution attempts, causing setbacks.

#### McAfee Causing Issues Across Multiple Systems
McAfee’s presence annoyed them:
“макафи ещ в довесок везде”
Translation: “McAfee is everywhere too, as an extra problem.”
Implication: They found McAfee difficult to bypass, indicating widespread deployment.

#### Trend Micro’s Unreliable Scanning
Frustration over Trend Micro’s inconsistent detections:
“там проверка хуй пойми”
Translation: “That check is f***ed up.”
Implication: They found Trend Micro’s detection mechanism unpredictable, making evasion difficult.

---

## Black Basta’s Collection of Vulnerability Data from Security Scanners
Black Basta actively sought and collected vulnerability data from various security scanners, including Nessus, Qualys, and Rapid7 Nexpose. They used this information to identify exploitable weaknesses and tailor their attacks accordingly.

### Using Public Exploit Scanners
Attackers used open-source scanners to find vulnerable systems:
“с шодана”
Translation: “From Shodan.”
Implication: They collected vulnerability data using Shodan to identify exposed systems.

### Targeting Misconfigured Nessus & Qualys Scanners
There were indications they searched for misconfigured scanners:
“можно поставить на скан”
Translation: “We can set up a scan.”
Implication: They may have attempted to exploit misconfigured Nessus or Qualys instances.

---

The insights gained from Black Basta’s leaked chat logs serve as a wake-up call for organizations worldwide. These attackers are not casual hackers: they are highly coordinated, well funded, and continuously refining their methods.
However, our research also reveals clear opportunities to disrupt their operations:
- **Patching vulnerabilities remains the #1 defense.** Many of Black Basta’s successful intrusions stem from known exploits (CVE-2024-1086, CVE-2024-21762, ProxyShell, Follina, Fortinet RCEs, etc.) that organizations fail to patch.
- **EDR solutions like CrowdStrike, SentinelOne, and Trend Micro are major barriers to attackers.** Black Basta members frequently complain about EDR detections, process injections being blocked, and their malware failing to execute.
- **Firewalls and SIEM analytics are major roadblocks.** Attackers struggle when firewalls block RDP sessions, SIEM solutions detect lateral movement, or threat intelligence platforms blacklist their infrastructure.
- **Cloud security remains an underestimated risk.** Black Basta abuses AWS, Azure, and Google Cloud for malware distribution and remote access, highlighting the need for strong cloud monitoring and access controls.

Cybercriminals like Black Basta thrive on misconfigurations, unpatched systems, and weak security policies. Organizations that stay ahead of emerging threats, enforce strict access controls, and deploy behavior-based security solutions will have the best chance of stopping these attacks before they escalate.

The post Inside the Minds of Cybercriminals: A Deep Dive into Black Basta’s Leaked Chats appeared first on VERITI.
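The controls the chats keep running into can be turned into detections. Below is an added example (not Veriti’s code and not taken from the chats) that runs three rules over constructed telemetry: the `netsh advfirewall ... state off` command from the firewall evasion table, LSASS memory access from the LSA & LSASS section, and the five-attempt ESXi root brute force from the vCenter & ESXi section. The event field names, the LSASS allowlist and the ESXi log line format are assumptions, not a vendor schema.

```python
"""Detection logic for three behaviours the leaked chats describe:
  1. the Windows host firewall being switched off (netsh / Set-NetFirewallProfile)
  2. a non-system process reading LSASS memory (Sysmon Event ID 10 style)
  3. repeated failed root logins against an ESXi host (the 5-attempt brute force)
All telemetry below is constructed for this example; field names are an assumed
simplified Sysmon-like schema and the ESXi lines follow an assumed sshd format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. host firewall disabled ---
FIREWALL_OFF = re.compile(
    r"(netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"   # netsh ... state off
    r"|Set-NetFirewallProfile\b.*-Enabled\s+False)",     # PowerShell equivalent
    re.IGNORECASE,
)

def firewall_disabled(event: dict) -> bool:
    """True for a process-creation event (id 1) whose command line turns the firewall off."""
    return event.get("id") == 1 and bool(FIREWALL_OFF.search(event.get("cmdline", "")))

# --- 2. LSASS memory read ---
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
# images that legitimately open lsass.exe; an assumed baseline, tune per environment
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "msmpeng.exe"}

def lsass_read(event: dict) -> bool:
    """True for a process-access event (id 10) where an unexpected image opens LSASS with VM_READ."""
    if event.get("id") != 10:
        return False
    if not event.get("target", "").lower().endswith("\\lsass.exe"):
        return False
    source = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if source in LSASS_ALLOWLIST:
        return False
    return int(event.get("granted", "0x0"), 16) & PROCESS_VM_READ != 0

# --- 3. ESXi root brute force ---
REJECT = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Rejected password for user (\S+) from (\S+)")

def esxi_bruteforce(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {(source_ip, user): count} for sources with >= threshold rejects inside one window.
    The default threshold mirrors the five-attempt limit the operators mention hitting."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        m = REJECT.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        attempts[(m.group(3), m.group(2))].append(ts)
    hits = {}
    for key, times in attempts.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over sorted timestamps
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= threshold:
                hits[key] = len(in_window)
                break
    return hits

# --- constructed sample telemetry ---
WINDOWS_EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},          # should alert
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},                   # benign query
    {"id": 1, "host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -c "Set-NetFirewallProfile -All -Enabled False"'},  # should alert
    {"id": 10, "host": "ws02", "image": r"C:\Users\bob\Downloads\dumper.exe",
     "target": r"C:\Windows\system32\lsass.exe", "granted": "0x1FFFFF"},  # full access: alert
    {"id": 10, "host": "ws02", "image": r"C:\Windows\System32\taskmgr.exe",
     "target": r"C:\Windows\system32\lsass.exe", "granted": "0x1400"},    # query rights only: ignore
    {"id": 10, "host": "ws02", "image": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\system32\lsass.exe", "granted": "0x1FFFFF"},  # allowlisted system image
]

ESXI_AUTH_LOG = """\
2024-05-01T10:00:01Z esx01 sshd[2001]: Rejected password for user root from 203.0.113.7 port 50001 ssh2
2024-05-01T10:00:09Z esx01 sshd[2002]: Rejected password for user root from 203.0.113.7 port 50002 ssh2
2024-05-01T10:00:17Z esx01 sshd[2003]: Rejected password for user root from 203.0.113.7 port 50003 ssh2
2024-05-01T10:00:25Z esx01 sshd[2004]: Rejected password for user root from 203.0.113.7 port 50004 ssh2
2024-05-01T10:00:33Z esx01 sshd[2005]: Rejected password for user root from 203.0.113.7 port 50005 ssh2
2024-05-01T10:00:41Z esx01 sshd[2006]: Rejected password for user root from 203.0.113.7 port 50006 ssh2
2024-05-01T10:30:00Z esx01 sshd[2010]: Rejected password for user root from 198.51.100.4 port 41000 ssh2
2024-05-01T10:30:20Z esx01 sshd[2011]: Accepted password for user root from 198.51.100.4 port 41001 ssh2
"""

def run_detections(events=WINDOWS_EVENTS, auth_log=ESXI_AUTH_LOG) -> dict:
    """Apply all three rules and return the findings a SOC pipeline would alert on."""
    return {
        "firewall_disabled": [e["host"] for e in events if firewall_disabled(e)],
        "lsass_read": [(e["host"], e["image"]) for e in events if lsass_read(e)],
        "esxi_bruteforce": esxi_bruteforce(auth_log),
    }

if __name__ == "__main__":
    for rule, findings in run_detections().items():
        print(f"{rule}: {findings}")
```

On the sample data the firewall rule fires for ws01 and ws03, the LSASS rule only for the unknown dumper on ws02, and the brute-force rule for 203.0.113.7, which made six rejected root attempts in under a minute.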
