Dive Brief:
- Black Basta ransomware has targeted healthcare and other critical infrastructure providers in recent months, impacting more than 500 organizations around the world as of this month, the FBI and Cybersecurity and Infrastructure Security Agency warned Friday in a joint advisory with the Department of Health and Human Services and MS-ISAC. The alert comes just after a ransomware attack hit Ascension, a major healthcare provider that was forced to divert patients last week.
- Black Basta ransomware has targeted 12 of the 16 government designated critical infrastructure sectors. Federal authorities have also linked the ransomware-as-a-service group to exploitation of critical vulnerabilities in ConnectWise ScreenConnect since February.
- Black Basta is using a social-engineering campaign to target managed detection and response security tool users, according to research released Friday by Rapid7. Users have been prompted to download remote management tools, such as AnyDesk or Microsoft’s Quick Assist feature.
Dive Insight:
The warnings come amid a string of escalating attacks against hospitals and public health organizations.
Black Basta was previously linked to threat activity involving exploitation of critical vulnerabilities in ConnectWise ScreenConnect. Researchers from Trend Micro linked Black Basta to exploitation of CVE-2024-1709, a critical vulnerability with a CVSS score of 10.
Beyond healthcare, Black Basta has targeted utilities and manufacturing, Laurie Iacono, North American threat intel lead at Kroll Cyber Risk, said via email.
Black Basta has made multiple attempts to launch social engineering attacks since April, Rapid7 said.
“As part of our investigation into these social engineering events, Rapid7 observed both host-based and network-based indicators that were consistent with other Black Basta ransomware cases we had previously investigated,” Robert Knapp, senior manager, incident response services at Rapid7, said via email.
Rapid7 researchers also identified overlap with activity cited in the CISA advisory.