How Black Basta turned OSINT data into a breach playbook


COMMENTARY: Earlier this year, leaked internal chat logs from the Black Basta ransomware group revealed how attackers used public data to profile companies, identify vulnerable infrastructure, and quietly gain access — all before launching a single malicious payload.

Their approach was strikingly methodical. Affiliates started with tools like ZoomInfo to filter potential targets based on size, industry, and revenue. Once a company was flagged as a high-value target, they turned to LinkedIn to map out the org chart and analyzed job postings to understand what technologies were in use. From there, they used the contact enrichment platforms RocketReach and SignalHire to gather email addresses, just like a sales team would when prospecting.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

But it didn't stop with employee data. Using Shodan and FOFA, the group scanned the internet for exposed infrastructure: VPN portals, Citrix instances, vulnerable appliances like SonicWall or Fortinet, and cloud services like Jenkins or ESXi. In some cases, they already had leaked credentials from previous breaches, which let them log in without triggering any alarms. This wasn't a zero-day exploit or an insider job. It was a textbook example of how attackers can weaponize open-source intelligence (OSINT).

How attackers use OSINT

Security pros use OSINT to collect and analyze publicly available information to generate actionable intelligence. While it's a powerful tool for cybersecurity teams and investigators, it's also a go-to technique for attackers during the early stages of a breach.

From company blogs and public repos to social media posts and leaked credentials, OSINT gives threat actors everything they need to understand how an organization operates and where it might be exposed. Black Basta didn't invent this method. They just used it well, and they're not alone.

While OSINT comes from countless sources, it generally falls into four main categories:

  • People data: Social media profiles, public forums, and speaker bios help attackers identify employees, org structure, and work habits.
  • Company and technical exposure: Job postings, vendor press releases, GitHub repos, and WHOIS records reveal the tech stack in use and any recent changes that might introduce vulnerabilities.
  • Infrastructure footprints: Tools like Shodan and FOFA are used to find internet-exposed services such as VPNs, cloud apps, open ports, or outdated software.
  • Leaked credentials: Password dumps from past breaches are easy to find and often reused. Attackers use these to access accounts quietly, especially if MFA isn't enforced.

In short, attackers combine scattered pieces of public data into a complete and accurate map of an environment, often with better context than internal teams have.

What security teams can do today

Reducing an organization's digital footprint takes effort, but it's one of the most effective ways to slow down attackers and disrupt reconnaissance. Start with these steps:

For everyone:

  • Do a personal profile search regularly: See what shows up when searching on Google. Remove anything that reveals sensitive projects, internal tools, or contact details.
  • Think before posting: Avoid sharing office photos, technical details, or vendor names in public forums and social platforms.
  • Clean up all files: Strip metadata from documents and images before sharing them externally. Tools like ExifTool can help.
  • Separate work and personal accounts: Keep personal life activities private and limit which professional details are publicly accessible.
  • Stay alert to social engineering: If someone makes digital contact using oddly specific details, verify before responding or clicking.
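The metadata step above points to ExifTool. As an added example (not the column's code and not ExifTool itself), here is a small pure-Python stripper that walks a JPEG's marker segments and drops the ones that carry only metadata (APP1 for EXIF/XMP, APP13 for IPTC records, COM for free-text comments) while keeping everything the decoder needs. The sample file is a constructed JPEG skeleton embedded inline, so the script runs offline; it handles JPEG only, which is why ExifTool remains the right tool for PDFs, Office documents and PNGs.

```python
"""Strip metadata segments (EXIF, XMP, IPTC, comments) out of a JPEG.

Added example for this column; not the author's code and not ExifTool.
It only handles JPEG; ExifTool covers PNG, PDF, Office files and more.
"""
import struct

SOI = b"\xFF\xD8"   # start-of-image marker
# Marker segments that carry only metadata. APP1 (0xE1) holds EXIF and XMP
# (camera model, GPS position, editing software), APP13 (0xED) holds
# IPTC/Photoshop records, COM (0xFE) is a free-text comment. Everything else
# (APP0/JFIF, APP2/ICC, DQT, DHT, SOF, SOS) is needed to decode the picture.
METADATA_MARKERS = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}


def _iter_segments(data: bytes):
    """Yield (marker, start, end) byte ranges for each marker segment.

    Segments before SOS carry a 2-byte big-endian length that includes
    itself. From SOS (0xDA) onward the entropy-coded scan has no length
    field, so everything up to and including EOI is yielded as one chunk.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte between markers, skip it
            pos += 1
            continue
        if marker in (0xDA, 0xD9):    # SOS or EOI: the rest is image data
            yield marker, pos, len(data)
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + seg_len
        if end > len(data):
            raise ValueError("truncated segment body")
        yield marker, pos, end
        pos = end


def list_metadata_segments(data: bytes) -> list:
    """Names of the metadata segments present, e.g. ['APP1', 'COM']."""
    return [METADATA_MARKERS[m] for m, _, _ in _iter_segments(data)
            if m in METADATA_MARKERS]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with the metadata segments removed."""
    out = bytearray(SOI)
    for marker, start, end in _iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF <marker> <length incl. itself> <payload>."""
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid JPEG skeleton whose EXIF block and
# comment hold the kind of detail that leaks (camera, GPS fix, internal tool).
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a" + b"camera model X / GPS 51.5,-0.1 (constructed)")
    + _segment(0xFE, b"exported from internal-tool build server")
    + _segment(0xDB, bytes(65))                                          # quantisation table placeholder
    + b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"   # SOS header
    + b"\x12\x34\x56"                                                    # stand-in for scan data
    + b"\xFF\xD9"                                                        # EOI
)

if __name__ == "__main__":
    print("before:", list_metadata_segments(SAMPLE_JPEG))
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("after: ", list_metadata_segments(cleaned),
          f"({len(SAMPLE_JPEG)} -> {len(cleaned)} bytes)")
```

Run `list_metadata_segments` on outbound images first: if it ever returns a non-empty list for a file that is about to leave the organisation, the export workflow is missing a stripping step. Note that APP2 (ICC colour profile) is deliberately kept, since removing it changes how the image renders.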
For security teams:

  • Monitor lookalike domains: Set alerts for newly registered domains that mimic the company's brand and act before they're weaponized.
  • Review access controls: Limit permissions to what’s strictly needed, and remove stale accounts or unused service credentials.
  • Segment the corporate network: Ensure that development, production, and internal systems are isolated to reduce the blast radius of any intrusion.
  • Simulate an OSINT-based attack: Task the company’s red team to gather only public data and see how far they can get. Use the findings to inform controls and awareness training.
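A minimal version of the lookalike-domain check from the list above, as an added example (not the column's code and not a vendor product): it undoes common digit-for-letter and "rn"/"vv" substitutions, then flags feed entries that match the brand label outright, embed it alongside a lure word, or sit within a small edit distance of it. The brand domain and the feed of newly registered domains are constructed stand-ins; a real deployment would pull the feed from certificate-transparency logs or a zone-file service and use a public-suffix list rather than the left-most label.

```python
"""Flag newly registered domains that look like the company's brand domain.

Added example for this column, not the author's code and not a vendor tool.
BRAND_DOMAIN and NEW_DOMAINS are constructed stand-ins: the feed would really
come from certificate-transparency logs or a zone-file service. Only the
left-most label is compared; a real tool would use a public-suffix list.
"""
import re

BRAND_DOMAIN = "example-corp.com"   # constructed: the defender's own domain

# Constructed stand-in for one day's feed of newly registered domains.
NEW_DOMAINS = [
    "examp1e-corp.com",        # digit 1 in place of the letter l
    "example-corp-login.net",  # brand plus a lure word
    "exarnple-corp.com",       # "rn" standing in for "m"
    "exmaple-corp.com",        # transposed letters
    "examplecorp.co",          # hyphen dropped, different TLD
    "exampleworld.org",        # unrelated, shares a prefix only
    "weatherdaily.com",        # unrelated
    "example-corp.com",        # the real domain, must not be flagged
]

# Substitutions that look alike in many fonts. Applied to brand and candidate
# alike, so consistency matters more than perfect accuracy.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Lower-case, undo homoglyph tricks and keep letters only."""
    label = label.lower()
    for lookalike, letter in HOMOGLYPHS.items():
        label = label.replace(lookalike, letter)
    return re.sub(r"[^a-z]", "", label)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND_DOMAIN, max_distance: int = 2):
    """Return why `domain` resembles `brand`, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain == brand.lower():
        return None
    label, brand_label = domain.split(".")[0], brand.split(".")[0]
    if label.replace("-", "") == brand_label.replace("-", ""):
        return "brand name under another TLD or with punctuation changed"
    norm, brand_norm = normalize(label), normalize(brand_label)
    if norm == brand_norm:
        return "character substitution (homoglyph)"
    if brand_norm in norm:
        return "brand name with extra words"
    distance = levenshtein(norm, brand_norm)
    if distance <= max_distance:
        return f"edit distance {distance} from brand"
    return None


def flag_lookalikes(domains, brand: str = BRAND_DOMAIN):
    """(domain, reason) pairs for every feed entry worth an alert."""
    hits = []
    for domain in domains:
        reason = classify(domain, brand)
        if reason:
            hits.append((domain, reason))
    return hits


if __name__ == "__main__":
    for domain, reason in flag_lookalikes(NEW_DOMAINS):
        print(f"ALERT {domain:<26} {reason}")
```

Each hit is an alert to triage, not proof of malice; short brand labels will need a lower `max_distance` to keep the false-positive rate workable. Feeding the hits into the existing takedown and mail-filtering workflow is what turns the check into the "act before they're weaponized" step the list calls for.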
The Black Basta case should serve as a wake-up call. Attackers don't need a zero-day exploit when people and systems expose everything they need.

Security isn't just about patching systems or deploying the latest toolset: it's also about awareness, digital hygiene, and making it harder for adversaries to gather the intel they rely on. Reducing the organization's public exposure and detecting early signs of compromise, especially across identity, network, and cloud, isn't optional: it's the new baseline for defense.

Lucie Cardiet, cyberthreat research manager, Vectra AI

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.


