
Okay, so hi everyone, welcome to the talk on intelligence-driven threat actor analysis: Black Basta and affiliates. Today I will outline some findings from a work-in-progress study which details the financially motivated threat actor Black Basta and includes an analysis of what cyber threat intelligence can inform security professionals. I'll also offer some recommendations based on the findings to support organizations that may be looking to improve their advanced cyber security program.

So who am I? My name is Dan Heyman. I'm an intelligence operations analyst. I undertake weekly threat hunts in customer environments, and I'm responsible for distilling millions of intelligence-led network events into actionable insights and notifications for Centripetal's customer base.

So today, for reference, cyber threat intelligence refers to the concept of creating, analyzing and contextualizing information concerning entities that may pose a threat to you or an organization today or in the future. Technical cyber threat intelligence may be published in feeds which cyber security organizations like Centripetal typically pay to have access to. These feeds group threat indicator types such as IPs, domains, URLs, hashes and the like together. Technical cyber threat intelligence feeds may be categorized by cyber threat tactics and are generally updated in real time. The speed at which feeds are updated reflects threat actor activity and the prediction and response of the security community's research. They provide an important tool for cyber security professionals to promptly detect and respond to threat actor activity. Operational cyber threat intelligence is information that details the nature, intent and timing of threats, typically studied as tactics, techniques and procedures.

So who are Black Basta? Black Basta is a Russia-linked, financially motivated threat actor first identified in April 2022 which operates a ransomware-as-a-service model. Black Basta and affiliates typically utilize novel social engineering techniques and double extortion tactics to carry out sophisticated cyber attacks. For example, employing seemingly non-malicious, legitimate newsletter infrastructure, Black Basta and affiliates sign up an organization's workforce en masse to overwhelm the target IT systems with confirmation emails. Then Black Basta and the affiliates may call the workforce directly, impersonating someone from IT and offering a solution to the onslaught of spam emails. Once Black Basta has achieved hands-on-keyboard access, typical subsequent activity revolves around internal recon, lateral movement and privilege escalation before actions on objectives.

Black Basta and affiliates have demonstrated a level of operational maturity (a little more on this in the next few slides): commonly appearing in the top 10 lists of ransomware threat actors, rehearsing and conducting double extortion attacks. Their attacks have a reported minimum 35% payout success rate, the largest of which was $9 million US, averaging about $1.2 million US, and short dwell times as low as 2 to 3 days, which is in line with recent reports suggesting improved detections force threat actors to maneuver faster.

So recently, according to a Group-IB report that was issued January this year, during November and December last year, covering Europe alone, there was a 125% increase in attacks. This report makes them the most active ransomware threat actor for that time within Europe. Possibly one of the larger names who became a victim is the conferencing division of BT Group over in the UK, who confirmed a cyber attack to Recorded Future News on the 4th of December. Since the start of this year, though, reports are that Black Basta activity has declined. Just two days ago, reports surfaced that a group member leaked their internal chat logs on the dark web during the previous week. The leaker claimed they released the data in retaliation for the group targeting Russian banks. This mirrors 2022 Conti, although not by motive, where chat logs were exposed online due to internal disputes, leading to the group's rapid disbandment. Shortly after Conti's collapse, Black Basta emerged in April '22. History may be repeating itself, so keep an eye on this space, or specifically perhaps a couple of these Twitter handles.

So following that chat log leak, some colleagues over at Hudson Rock actually uploaded all of that chat log information into a ChatGPT instance, allowing researchers to explore that data, because it was mostly in Russian. I asked Black Basta GPT: can you briefly describe the state of operational affairs and team morale based on these chat logs? The response resembled that of a typical startup or workplace. So we have technical issues and workarounds; we have evidence of a sense of urgency, where messages reflect an urgency to deliver results, pushing for specific deadlines; tensions and disputes, conflicts over work progress and deception; with an overall assessment saying that there are ongoing technical and logistical challenges but continuously adapting, and morale a mix of frustration, pressure and occasional camaraderie. Obviously this is a large language model, so the sources should be checked against the actual log evidence, but perhaps you might draw similarities to your own workplace hearing some of these summarizations of the chats.

So on to the Black Basta victim profile. Typically the victim profile of Black Basta affiliates is involved in critical services, such as construction, manufacturing, law and healthcare, having a successful, wealthy portfolio and some dependency on technology to provide their services.

So just on to the study. The objective here is to investigate the cyber security threat that Black Basta and affiliates pose and offer recommendations underpinned by cyber threat intelligence.

On our data collection and analysis, just to discuss very quickly: we selected the cyber threat intelligence sources drawn on and analyzed in this study due to their reputation in the security community and access to that intelligence data provided via business agreements with Centripetal. The data was then stored on a data intelligence platform and interrogated using Python by cyber threat intelligence professionals and researchers, the authors of an in-press paper, myself included.

So just on to some of the findings, regarding some of the technical intelligence findings. To give a bit of context, in May 2024 the Cybersecurity and Infrastructure Security Agency, a component of the US Department of Homeland Security, published a #StopRansomware advisory detailing approximately 100 domains that they believe to be attributed to Black Basta and affiliates. The following domain name IOCs have been taken from that report and used to interrogate our pool of intelligence data.

So first of all, this chart shows the breakdown of domain name IOCs by cyber threat intelligence provider, with each provider represented by a different color. It also shows the first provider to have a specific domain name in an associated intelligence feed. So what we're seeing indicates that if an organization were to rely on a single cyber threat intelligence provider, they would only have been aware of at most 34% of those domain names published in that report at the earliest opportunity. So this graph is showing, as a breakdown by provider, who had that domain in their intelligence first, so we can see there's quite a bit of difference; no one's getting all of them at any one point. So yes, 34% is what we're seeing as the earliest opportunity you would have through one provider to better understand that threat.

The same data can be mapped over time. Here, focusing on just a month before that #StopRansomware advisory, the graph depicts a consistent increase in indicators of compromise, as we can see, highlighting unvarying threat actor activity and the continued effort of the security community to detect new threats. The graph also shows that from the beginning of 2024, collectively, cyber threat intelligence providers already knew at least 40% of those published IOCs attributed to Black Basta and affiliates.

This chart now breaks down over time from which provider the domain name IOCs first appeared in threat intelligence. The colors again represent different providers, with the count on the left there indicating the number of IOCs added by each provider per day as they appeared in our data set. It again illustrates a continuous influx of domain name IOCs into threat intelligence from January to May 2024. 66% of the IOCs appeared in cyber threat intelligence within one or two days after their creation. Again, the rapid turnover suggests that Black Basta affiliates are highly practiced in quickly setting up infrastructure, possibly, or likely, for single-target use.

If we take a look at some of the categories of cyber threat intelligence feeds that Centripetal applies and where IOCs first appear, this highlights the challenge of identifying a threat's intent in the earliest stages of an IOC's life cycle. This challenge is further compounded by the speed at which Black Basta and affiliates may operate.

So now let's dive into some tactical intelligence. We'll analyze a brief excerpt from a report to determine what actions we as defenders can take to stay well informed. This excerpt comes from an Arctic Wolf write-up. By analyzing just these four sentences describing Black Basta methods, we can categorize them and consider our response as defenders. So as I read along I will add the techniques. "Sending a flood of email spam to victim mailboxes with emails from subscription services": we have denial of service. "They would then proceed to call victims in a voice phishing (vishing) attack posing as IT support": so we've got spear phishing (voice) and impersonation. "Under the pretext of offering assistance in resolving the email flood issue, then persuade victims to provide remote access to their workstations through Quick Assist": remote access software. "Once given remote access, threat actors were observed executing scripts with the curl command": command and scripting interpreter, "to download batch or zip files and deliver malicious payloads".

Now that we've identified the techniques used by the threat actor, let's explore some potential controls to mitigate their impact. So the first one essentially is email bombing. We have reports from the email security firm [inaudible], dated January 13th this year. They described an attack attributed to Black Basta, I think they said Black Basta-like tactics, so I don't think they actually identify the specific threat actor, but perhaps a copycat tactic there, where individual mailboxes were targeted with over 1,000 emails in a very short time frame. Similarly, on January 25th this year, Sophos reported a suspected Black Basta affiliate delivering 3,000 emails to a single mailbox within 45 minutes. So can you currently detect this type of activity? Consider implementing tooling that can include volume and anomaly detection.

Next we've got vishing. Several reports again indicated that threat actors were likely using external compromised Microsoft Teams accounts to contact employees through voice and text messages. So again, we need to think to ourselves: do we allow external accounts to send messages on Teams, or is it restricted to internal communications only? If external messaging is allowed, perhaps we consider implementing a control. If you don't use Teams, what internal chat platform do you rely on? Could similar social engineering tactics be used in the same methods?

Next, what remote management tools are currently on your network? Are they all authorized for legitimate business use? Does your business use of remote management tools allow you to block remote management tools except for authorized ones? Can you detect when a new or unauthorized tool is installed or used?

So impersonation: is your workforce aware of the official methods IT support uses to contact them? Can they recognize suspicious requests, such as being asked to enter their password into a command prompt?

And command and scripting interpreter: can you detect when a command prompt or PowerShell is opened? Does your workforce need access to these tools in their daily tasks? Would employees in departments like finance and marketing typically require access to these sorts of tools? If not, can you restrict their use and instead focus on detecting suspicious behaviors throughout the remaining users?

And then lastly, can you leverage tactical intelligence to block attempts to retrieve malware or second-stage executables? Are you able to implement application allow-listing on your endpoints to create an additional barrier that might hinder a threat actor? By assessing these controls you may be able to identify gaps in your defenses and implement targeted improvements to reduce your exposure from these threats.

So some short recommendations. The findings highlight the importance of leveraging multiple cyber threat intelligence providers to defend against threats like Black Basta and its affiliates. The study shows that relying on a single CTI provider would have limited an organization to only 34% of the domains attributed to Black Basta at the earliest opportunity. Beyond collecting indicators of compromise from multiple sources, organizations should also conduct exercises like the one we just did in the previous slides to analyze threat actor techniques and identify appropriate controls for their own environment. Additionally, organizations should strive to move up the Pyramid of Pain whenever possible, making it more difficult for threat actors to operate. So human-led cyber threat intelligence analysis plays a crucial role in enforcing CTI, helping organizations identify and implement controls that inflict the maximum pain on threat actors. The higher the pain, the higher we move up the pyramid, the harder it becomes for attackers to adapt, forcing them to retool, relearn and reassess, and increasing the chances of disrupting their operations. Whilst automation may be essential in these programs, the human-led analysis of intelligence ensures that security controls evolve strategically, pushing defenses higher up this Pyramid of Pain here.

So quickly to summarize: the study underscores the importance of actionable cyber threat intelligence tailored to the different attack stages. Effective intelligence must be timely and enforceable to keep pace with evolving threats, and adversaries like Black Basta and its affiliates may be highly skilled, well equipped and adaptable, using a wide range of exploitation techniques. But as demonstrated in today's analysis, countering sophisticated threats requires a broad, diverse and actionable CTI strategy. Finally, human-led analysis remains critical for applying industry-wide intelligence to better protect the organizations we defend. So that's it for me, thank you for listening. Here are my contact details, and come and chat with me, I'm here all day and most of the evening. Thank you.
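The volume-and-anomaly check for email bombing that the talk asks defenders to consider, worked as an added example (not code from the talk, from Centripetal, or from any of the vendors mentioned). The mail-gateway log format, the mailbox names and the thresholds are all constructed; a real deployment would tune the window and counts to its own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def constructed_log():
    """Constructed mail-gateway lines: '<ISO timestamp> to=<rcpt> from=<sender>'.
    Not real traffic or a real product's format."""
    lines = []
    base = datetime(2025, 1, 13, 9, 0, 0)
    # Baseline: one mailbox receiving a handful of mails spread over the morning.
    for i in range(5):
        t = base + timedelta(minutes=30 * i)
        lines.append(f"{t.isoformat()} to=alice@corp.example from=peer{i}@partner.example")
    # Bombing pattern: one mailbox flooded with confirmation mails from many
    # distinct newsletter domains within a few minutes.
    for i in range(60):
        t = base + timedelta(minutes=10, seconds=15 * i)
        lines.append(f"{t.isoformat()} to=bob@corp.example from=noreply@newsletter{i}.example")
    return lines

def parse_line(line):
    ts, to_kv, from_kv = line.split(" ")
    return datetime.fromisoformat(ts), to_kv[len("to="):], from_kv[len("from="):]

def detect_email_bombing(lines, window=timedelta(minutes=45), threshold=50, min_distinct_senders=20):
    """Sliding-window detector. Returns {recipient: (peak_count, distinct_sender_domains)}
    for mailboxes that received more than `threshold` mails, from at least
    `min_distinct_senders` distinct sender domains, inside any `window`.
    The distinct-domain condition separates subscription floods from a single
    chatty sender (a legitimate bulk job or a mail loop)."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e[0])
    windows = defaultdict(deque)  # recipient -> deque of (ts, sender_domain) inside window
    alerts = {}
    for ts, rcpt, sender in events:
        q = windows[rcpt]
        q.append((ts, sender.split("@", 1)[1]))
        while q and ts - q[0][0] > window:  # drop mails that fell out of the window
            q.popleft()
        domains = {d for _, d in q}
        if len(q) > threshold and len(domains) >= min_distinct_senders:
            if rcpt not in alerts or len(q) > alerts[rcpt][0]:  # keep the peak per mailbox
                alerts[rcpt] = (len(q), len(domains))
    return alerts

if __name__ == "__main__":
    print(detect_email_bombing(constructed_log()))  # {'bob@corp.example': (60, 60)}
```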
[Applause]

Any questions?

On the recommendations, you said to use multiple different providers. Sure, can you give me an example of who and for what, please?

Good question. It really depends, I suppose, on what you're trying to target with the intelligence that you're trying to seek. So are you trying to stop reconnaissance, which changes as to what provider you might use. But typical big-name cyber threat intelligence providers like, you know, DomainTools or Recorded Future generally had very good information, but not necessarily favorite ones at all. So yeah, that is just clarification.

Perfect, thanks everyone.
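The multi-provider coverage analysis behind the talk's 34%, 40% and 66% figures, reconstructed as an added example (not the study's code or data). The IOC domains, creation dates and providers A, B and C are all constructed placeholders; the functions compute the three views the talk describes: best single provider at first sight, fraction listed within N days of creation, and fraction collectively known by a given date.

```python
from datetime import date

# Constructed sample, not the study's data: placeholder IOC domains, each with
# a creation date and the date hypothetical providers A, B and C first listed
# it (None = never listed by that provider).
IOCS = {
    "ioc-1.example": {"created": date(2024, 1, 3),   "A": date(2024, 1, 4),   "B": date(2024, 1, 9),   "C": None},
    "ioc-2.example": {"created": date(2024, 1, 20),  "A": None,               "B": date(2024, 1, 21),  "C": date(2024, 1, 21)},
    "ioc-3.example": {"created": date(2024, 2, 2),   "A": date(2024, 2, 10),  "B": None,               "C": date(2024, 2, 3)},
    "ioc-4.example": {"created": date(2024, 3, 15),  "A": date(2024, 3, 18),  "B": date(2024, 3, 18),  "C": date(2024, 3, 20)},
    "ioc-5.example": {"created": date(2024, 4, 1),   "A": None,               "B": date(2024, 4, 12),  "C": date(2024, 4, 2)},
    "ioc-6.example": {"created": date(2023, 12, 10), "A": date(2023, 12, 28), "B": None,               "C": None},
}
PROVIDERS = ("A", "B", "C")

def first_listing(rec):
    """Providers that listed the IOC on the earliest date, and that date.
    A same-day tie credits every provider that listed on that day."""
    seen = {p: rec[p] for p in PROVIDERS if rec[p] is not None}
    if not seen:
        return [], None
    earliest = min(seen.values())
    return [p for p, d in seen.items() if d == earliest], earliest

def single_provider_coverage(iocs):
    """Share of IOCs each provider alone would have surfaced at the earliest
    opportunity; max() over providers is the 'best single feed' figure."""
    counts = dict.fromkeys(PROVIDERS, 0)
    for rec in iocs.values():
        for p in first_listing(rec)[0]:
            counts[p] += 1
    return {p: counts[p] / len(iocs) for p in PROVIDERS}

def share_seen_within(iocs, days):
    """Fraction of IOCs that any provider listed within `days` of creation."""
    hits = sum(1 for rec in iocs.values()
               if first_listing(rec)[1] is not None
               and (first_listing(rec)[1] - rec["created"]).days <= days)
    return hits / len(iocs)

def share_known_by(iocs, cutoff_iso):
    """Fraction of IOCs collectively known to any provider on or before the
    ISO date `cutoff_iso` (the 'already knew X% at the start of 2024' view)."""
    cutoff = date.fromisoformat(cutoff_iso)
    hits = sum(1 for rec in iocs.values()
               if first_listing(rec)[1] is not None and first_listing(rec)[1] <= cutoff)
    return hits / len(iocs)
```

On this sample the best single provider reaches 50% at first sight while the three feeds together cover every IOC, which is the gap the talk's 34% figure illustrates.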