
Leaked Black Basta chat logs reveal the vulnerabilities the ransomware group favoured

Group Specialised in Exploiting Microsoft Vulnerabilities and Flaws in Network Perimeter Devices and Communication Software

Exposed chats related to ransomware reveal targeted vulnerabilities exploited by Black Basta group

Black Basta, a Russian-speaking ransomware-as-a-service (RaaS) operation whose internal chat logs leaked in early 2025 and which went quiet shortly afterwards, has resurfaced and continues to focus on high-revenue organisations in the legal, financial, healthcare and industrial sectors. Research by the vulnerability-intelligence firm VulnCheck into the leaked chats sheds light on the group's preferred attack vectors and the specific vulnerabilities it discussed and exploited.

One of the group's signature methods is social engineering over Microsoft Teams: a target's mailbox is first flooded with unsolicited email (email bombing), then the attacker contacts the user over Teams or by phone (vishing), typically posing as IT help desk staff offering to fix the problem, and talks them into granting remote access or handing over credentials. These campaigns often capture session tokens rather than passwords, which sidesteps multi-factor authentication and lets the attacker hijack the account without triggering a fresh MFA prompt.
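The telling signal in this pattern is the sequence, not any single event: a burst of inbound mail followed within the hour by a one-on-one Teams chat from an outside tenant. The following detection is an added example, not VulnCheck's or Black Basta's code. The event shape (`type`, `user`, `ts`, `external`, `sender_domain`, `sender_name`) is an assumed normalised form, not the Microsoft 365 audit-log schema, and the threshold, trusted-domain list and sample events are constructed.

```python
"""Correlate email bombing with a follow-up external Teams chat.

Added illustration; event field names are an assumed normalised shape, not the
Microsoft 365 audit-log schema. Map real log fields onto them before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BOMB_THRESHOLD = 50                      # this many inbound mails to one mailbox ...
BOMB_WINDOW = timedelta(minutes=10)      # ... inside this sliding window counts as bombing
FOLLOWUP_WINDOW = timedelta(minutes=60)  # external Teams contact this soon afterwards is suspect
TRUSTED_TEAMS_DOMAINS = {"contoso.com"}  # assumed allow-list of federated partner tenants
HELPDESK_WORDS = ("help desk", "helpdesk", "it support", "service desk")


def bombing_onsets(events):
    """Return {user: datetime} of the moment each mailbox first reached
    BOMB_THRESHOLD inbound mails within a sliding BOMB_WINDOW."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "email_received":
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    onsets = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BOMB_WINDOW:   # shrink the window from the left
                start += 1
            if end - start + 1 >= BOMB_THRESHOLD:
                onsets[user] = t
                break
    return onsets


def detect(events):
    """Alert on external, non-allow-listed Teams chats that reach a bombed
    mailbox within FOLLOWUP_WINDOW of the bombing onset."""
    onsets = bombing_onsets(events)
    alerts = []
    for e in events:
        if e["type"] != "teams_message" or not e.get("external"):
            continue                      # internal chats are not this pattern
        if e["sender_domain"].lower() in TRUSTED_TEAMS_DOMAINS:
            continue                      # known partner tenant
        onset = onsets.get(e["user"])
        if onset is None:
            continue                      # no preceding mail flood
        t = datetime.fromisoformat(e["ts"])
        if onset <= t <= onset + FOLLOWUP_WINDOW:
            name = e.get("sender_name", "").lower()
            impersonating = any(w in name for w in HELPDESK_WORDS)
            alerts.append({
                "user": e["user"],
                "sender": f'{e.get("sender_name", "")} <{e["sender_domain"]}>',
                "minutes_after_bombing": round((t - onset).total_seconds() / 60, 1),
                "severity": "high" if impersonating else "medium",
            })
    return alerts


def build_sample_events():
    """Constructed sample: alice is bombed then contacted by a fake help desk;
    bob gets an external chat without bombing; carol is bombed but contacted
    from an allow-listed partner tenant."""
    base = datetime(2025, 3, 3, 9, 0, 0)
    ev = []
    for i in range(60):   # 60 mails in under 8 minutes -> bombing
        for user in ("alice@example.org", "carol@example.org"):
            ev.append({"type": "email_received", "user": user,
                       "ts": (base + timedelta(seconds=8 * i)).isoformat()})
    for i in range(3):    # normal mail volume for bob
        ev.append({"type": "email_received", "user": "bob@example.org",
                   "ts": (base + timedelta(minutes=i)).isoformat()})
    fake_helpdesk = "helpdesk-support.onmicrosoft.com"   # constructed attacker tenant
    later = (base + timedelta(minutes=30)).isoformat()
    ev.append({"type": "teams_message", "user": "alice@example.org", "external": True,
               "sender_domain": fake_helpdesk, "sender_name": "IT Help Desk", "ts": later})
    ev.append({"type": "teams_message", "user": "bob@example.org", "external": True,
               "sender_domain": fake_helpdesk, "sender_name": "IT Help Desk", "ts": later})
    ev.append({"type": "teams_message", "user": "carol@example.org", "external": True,
               "sender_domain": "contoso.com", "sender_name": "Dana (Contoso)", "ts": later})
    return ev


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Only alice produces an alert: bob was never bombed, and carol's contact came from an allow-listed tenant. In production the allow-list should mirror the tenant's Teams federation configuration, and the thresholds need tuning against normal mail volume so that a busy mailing list does not look like bombing.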

"TeamFiltration", also mentioned in this context, is not a vulnerability or a misconfiguration but an open-source framework for enumerating, password-spraying and exfiltrating data from Microsoft Entra ID (formerly Azure Active Directory) accounts; a 2025 campaign built on it targeted roughly 80,000 Entra accounts. It belongs in the same picture as Black Basta's Teams-based campaigns because both work the cloud-identity attack surface, not because the group exploited a flaw named TeamFiltration.

Black Basta also relies on custom malware and Python-based payloads, and former affiliates have hinted at evolving their tooling towards Python-based remote access trojans (RATs) and custom encryptors designed to evade detection.

The group has also targeted VMware ESXi hosts through known, long-unpatched vulnerabilities, including authentication-bypass flaws that give an attacker control of the hypervisor and with it the ability to encrypt every virtual machine on the host at once. This is not unique to Black Basta: several ransomware groups have exploited older ESXi vulnerabilities to cause large-scale operational disruption, which is why hypervisor patching sits at the top of the mitigation list below.

This article does not list the individual CVE identifiers that appear in the chat logs. In terms of weakness classes, the attack vectors above involve authentication and identity-management weaknesses in Entra ID reached through phishing and token theft rather than through a software flaw, and authentication bypass and remote code execution in VMware ESXi.

Black Basta's use of custom loaders, backdoors such as QDoor and multi-stage phishing payloads shows a mature tooling pipeline, but it is not in itself evidence of zero-day exploitation. No zero-day use by the group has been publicly documented, and the ESXi flaws described above were known, patchable issues.

Security teams are urged to patch VMware ESXi hosts promptly, restrict Microsoft Teams external access and federation to known partner tenants, harden Entra ID with phishing-resistant MFA and Conditional Access so that a stolen session token alone is not enough, and tune phishing and email-bombing detection to catch the social-engineering stage before remote access is granted.

It is also worth noting that Black Basta prioritises high-revenue companies over large numbers of random targets, extracting more revenue from fewer high-profile victims. And a CVE being discussed in the Black Basta chat logs does not prove the actors used it in an attack, as VulnCheck itself cautions.

VulnCheck also criticises CVE Numbering Authorities that assign a CVE identifier but never complete the step of publishing the record, leaving the ID reserved but empty on CVE.org and absent from NIST's NVD. Defenders who rely solely on those two sources then have no visibility into the flaw, which underscores the need to draw on multiple vulnerability feeds to maintain a current picture of the threats in play.
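Turning a chat dump into a vulnerability list is mostly extraction plus the two caveats just made: a mention is not a confirmed exploitation, and some IDs will not resolve in CVE.org or NVD. The script below is an added example, not VulnCheck's tooling. The chat lines, the keyword lists and the "published" snapshot are constructed, and the CVE identifiers in the sample use the obviously fictional year 2099 so that they are placeholders rather than real records.

```python
"""Mine CVE identifiers from leaked chat messages and grade the evidence.

Added illustration, not VulnCheck's tooling. Chat lines, keyword lists and the
published-record snapshot are constructed; the CVE IDs (year 2099) are
placeholders. In practice `published` would come from a CVE.org / NVD export.
"""
import re

# CVE-YYYY-NNNN..., tolerating spaces, underscores and any dash-like character
# between the parts, since chat text is rarely typed cleanly.
CVE_RE = re.compile(
    r"\bCVE[\s_\-\u2010-\u2015]*(\d{4})[\s_\-\u2010-\u2015]*(\d{4,7})\b", re.I
)

# Heuristic evidence keywords (assumed): a claim of use beats stated intent,
# which beats a bare mention such as a forwarded news link.
CLAIM_WORDS = ("exploited", "got in", "works on", "we used", "popped", "shell")
PLAN_WORDS = ("poc", "exploit", "try", "test", "scan", "check")
RANK = {"mention": 0, "intent": 1, "claimed_use": 2}


def extract_cves(text):
    """Return canonical CVE IDs found in text, in order of first appearance."""
    seen, out = set(), []
    for year, seq in CVE_RE.findall(text):
        cid = f"CVE-{year}-{seq}"
        if cid not in seen:
            seen.add(cid)
            out.append(cid)
    return out


def grade(text):
    """Classify what a message says about the CVEs it names."""
    t = text.lower()
    if any(w in t for w in CLAIM_WORDS):
        return "claimed_use"
    if any(w in t for w in PLAN_WORDS):
        return "intent"
    return "mention"


def mine(messages, published):
    """messages: iterable of (sender, text). published: set of CVE IDs present in
    the local CVE.org/NVD snapshot. Returns {cve: {mentions, best_evidence,
    in_snapshot}} so that chatter and actual use are never conflated."""
    result = {}
    for _sender, text in messages:
        g = grade(text)
        for cid in extract_cves(text):
            r = result.setdefault(cid, {"mentions": 0, "best_evidence": "mention",
                                        "in_snapshot": cid in published})
            r["mentions"] += 1
            if RANK[g] > RANK[r["best_evidence"]]:
                r["best_evidence"] = g
    return result


def missing_from_snapshot(result):
    """IDs the chats name that the CVE.org/NVD snapshot does not know about,
    i.e. the reserved-but-unpublished gap described above."""
    return sorted(c for c, r in result.items() if not r["in_snapshot"])


# Constructed sample chat lines with placeholder CVE IDs.
SAMPLE_MESSAGES = [
    ("a", "anyone tried CVE 2099 10001 on the esxi boxes? poc is on github"),
    ("b", "cve-2099-10001 works on their hypervisor, we got in"),
    ("a", "saw an article about CVE-2099-20002, new teams bug"),
    ("c", "also CVE-2099-30003 and CVE-2099-10001 listed in the advisory"),
]
# Constructed snapshot: 30003 is 'reserved' at the CNA and never published.
SAMPLE_PUBLISHED = {"CVE-2099-10001", "CVE-2099-20002"}


if __name__ == "__main__":
    found = mine(SAMPLE_MESSAGES, SAMPLE_PUBLISHED)
    for cid, info in found.items():
        print(cid, info)
    print("not in snapshot:", missing_from_snapshot(found))
```

Of the three placeholder IDs, only the first reaches `claimed_use`; the other two are mentions, and the third cannot be looked up at all, which is exactly the case where a team relying on NVD alone would see nothing. The keyword grading is deliberately crude: its job is to separate "discussed" from "claimed to have used" so that an analyst reviews the latter first, not to replace that review.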

  1. VulnCheck's analysis of the leaked chat logs shows that Black Basta, a resurgent ransomware group, goes after Microsoft cloud identities and hypervisors rather than a broad spread of products; the "TeamFiltration" name that comes up in this context refers to an open-source Entra ID attack framework, not to a vulnerability the group exploited.
  2. Alongside Teams phishing, email bombing and vishing, Black Basta uses custom malware and Python-based payloads, which indicates well-resourced tooling but is not evidence of zero-day exploitation; the vulnerabilities tied to the group so far are known, patchable flaws.
  3. The weakness classes involved are authentication and identity-management flaws in Entra ID (reached through phishing and token theft) and authentication bypass and remote code execution in VMware ESXi, which is why prompt ESXi patching, restricted Teams federation and phishing-resistant MFA are the priority mitigations.
