Skip to content

Threats of the Week: Black Basta, Scattered Spider, and FIN7 Malvertising

  • May 28, 2024

The only way that we can help our community and our enterprise customers continue to check their coverage against adversary activity and new threats is to keep our platforms fresh. In the last week, the Tidal Cyber Adversary Intelligence Team added significant content to the platforms to help them do just that. Beyond mapping to MITRE ATT&CK®, the team also continually applies its own tools, research, and deep understanding of the current cyber threat landscape to create and maintain threat profiles most relevant to enterprises. Enterprise users can gain an even richer view by enabling Tidal’s new integrations with popular threat intelligence vendors, ensuring their view of the landscape is as complete as possible.

Black Basta Ransomware: We recently added a large collection of tool & TTP intelligence related to this trending threat (more than tripling the number of tool/TTP relationships that you would find in MITRE ATT&CK® proper). Black Basta is responsible for growing numbers of attacks, especially ones impacting critical infrastructure sectors. As such, it was the subject of a recent CISA advisory, which often increases its priority level for many security teams. Separately, a new campaign was recently linked to the group, which featured some unusual and interesting Techniques – “email bombing” to overwhelm users’ inboxes, calls from fake IT support, then tricking users into using a legitimate Windows remote access feature to compromise the system. 

Aggregating all these Black Basta TTPs (56 total) into one location lets defenders take a quick but holistic assessment of their defensive coverage and potential gaps, across their security stack. Specific mitigations that relate to/mitigate against the largest number of Black Basta TTPs include: 1) prevent execution of certain behaviors on endpoints (11 TTPs), 2) privileged & user account management (10 TTPs), 3) user training (7 TTPs), and 4) network intrusion prevention (6 TTPs). Eight solutions in our public Product Registry have capabilities that address the 5 most significant Black Basta techniques: Registry Run Keys, DLL Side-Loading, Keylogging, Dynamic-link Library Injection, and File/Information Decoding. 

Scattered Spider: We made recent updates to our content for this perpetually top-of-mind and highly capable threat. Scattered Spider is resuming a high attack cadence, hitting financial sector orgs especially hard right now (a relatively newer vertical for them). Current attacks are especially using techniques to evade better-defended targets, specifically orgs with MFA protections enabled. Mitigation strategies can go a long way here – proactive identification of malicious targeting domains, as well as user awareness & training around targeted phishing attacks. 

FIN7 Malvertising Campaign: We added new content following recent reports of malvertising-based attacks attributed to FIN7, helping defenders with ATT&CK alignment around this campaign and enabling quicker defensive insights. FIN7 is a major financial sector threat relevant to many organizations in this industry, so any new discrete campaign is usually notable. Malvertising is a technique newly associated with this group – a technique that continues to trend in the landscape, and we’ve linked 7 named threats/campaigns with it in recent months (ATT&CK proper just features one). This campaign featured the popular NetSupport RAT tool for post-exploit persistence, which coincidentally featured in the Black Basta campaign above, and so we added new platform content (ATT&CK Technique relationships) around it this week too. 


Data-Driven Threat-Informed Defense

Meet Tidal Enterprise Edition

Quickly and easily develop custom threat profiles and defensive stacks, see your coverage and identify gaps and redundancies, and get daily recommendations to improve your cybersecurity posture.