BT Group’s Conferencing division attacked by Black Basta ransomware gang
BT Group has confirmed it is responding to an attempt to breach one of its business divisions, after the Black Basta ransomware group listed the firm on its dark web leak site.
Black Basta is alleged to have stolen ~500 GB of data from the UK’s largest telco, according to the listing published on 4 December.
The stolen information is said to include financial and organizational data, user data, personal documents, as well as NDA documents and other confidential material.
BT Group told ITPro it was forced to shut down some servers used by its Conferencing business unit, stating the incident had not materially impacted the Group’s operations or conferencing services.
“We identified an attempt to compromise our BT Conferencing platform. This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated,” a BT spokesperson informed ITPro.
The firm didn’t confirm if any of its systems were encrypted or if any data was stolen, as Black Basta has claimed, stating its probe into the incident was ongoing.
“We’re continuing to actively investigate all aspects of this incident, and we’re working with the relevant regulatory and law enforcement bodies as part of our response.”
BT Group could be the first notable victim of Black Basta’s refined social engineering campaign
In November, security experts sounded the alarm after observing an ongoing threat campaign deploying “escalated social engineering tactics” linked to the Black Basta group.
Researchers noted that the campaign’s tactics had evolved from high-volume email spam attacks and were now leveraging slightly more sophisticated techniques in which attackers impersonate IT support workers via Microsoft Teams messages.
On 4 December, the same day that Black Basta posted BT Group on its leak site, cybersecurity firm Rapid7 published a report stating it had observed a “resurgence of activity” from the collective since early October.
The report highlighted another evolution in the group’s TTPs, stating it was using more sophisticated malware and better obfuscation techniques.
“Now, the procedures followed by the threat actors in the early stages of the social engineering attacks have been refined again, with new malware payloads, improved delivery, and increased defense evasion.”
Rapid7 said that while the attackers are ‘troubleshooting’ with targets under the guise of assisting them, they establish remote control of the target’s system, then look to execute a custom credential harvester and infect the system with additional malware, including Zbot and DarkGate.
Previous reports noted the group’s shift from AnyDesk to Microsoft Quick Assist, and Rapid7 stated that it has observed the group cycling through a litany of RMM and RDP tools in order to establish a foothold.
Reacting to the group’s recent attack on BT Group, Raj Samani, SVP and chief scientist at Rapid7, stressed the importance of businesses staying up to date with the latest tactics employed by the group.
“As we track this group and their targeting of specific sectors, it is imperative that organisations arm themselves with the necessary intelligence to establish security controls and mitigate the risk, particularly in light of news that the telecommunications sector is one of their targets,” he explained.
“To that end we have (freely) made available all known IoCs for this particular group and would encourage that these be incorporated into security measures for organisations. One thing is clear, that the Black Basta group remain very active and are continually updating their techniques.”