Black Basta and Remote Desktop Tools

CISA, along with the FBI, the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released an advisory towards the beginning of May describing how the ransomware group Black Basta has been targeting critical infrastructure of late. The group has already impacted over 500 organisations around the globe. You can read more about the advisory released by CISA here: CISA Black Basta Advisory

Attack Summary

  • The threat actor signs the target's email address up to various legitimate subscriptions, creating potentially hundreds of spam emails going to the target's inbox.
  • The threat actor usually poses as IT Support (mostly claiming to be from Microsoft) offering to help the target with their overwhelmed inbox.
  • The threat actor convinces the user to start a remote session with them (through the use of remote desktop tools like the built-in Windows Quick Assist) in order to help them resolve the issues with the target's inbox.
  • Once the threat actor has established a remote connection to the target's machine, they run scripts to establish a connection to their C2 server in order to download malicious files.
  • The threat actor then goes on to establish persistence and lateral movement from the target's machine.

Protect Your Organisation

This recent wave of attacks relies mostly on the social engineering element: convincing the target to establish a remote session with the built-in Quick Assist application on Windows or another remote desktop tool such as AnyDesk, TeamViewer or ScreenConnect. In my opinion, the best way to stop this attack from succeeding in your organisation is simply to restrict the use of remote desktop tools at the “Initial Access” phase. If there is no business need for remote desktop tools, use your firewall rules to stop users reaching the vendor websites and downloading the tools, and use application control software to block execution of these tools should the files make it onto a user's machine.

Recommendations:

  • IT Support Policy – Ensure your users are aware of how to report IT problems, so an unsolicited "IT Support" call is recognised as out of process.
  • End User Awareness Training – Train your users to recognise vishing as part of your Cyber Awareness Training plan.
  • Firewall Policy – Depending on your organisation's policy, you may want to block access to remote desktop vendor sites to stop users being able to download remote desktop software like AnyDesk or TeamViewer.
  • Implement Application Control – Depending on your organisation's policy, you can prevent remote desktop applications from being executed in your environment.
  • Implement Security Monitoring – If your organisation's policy is to block or heavily restrict the use of remote desktop applications, it is recommended to build monitoring capabilities that detect the use of these tools in your environment using a SIEM or an EDR.

Threat Hunting & Rule Detection

Here are some simple steps you can take to look for potential compromise, or to see whether there are any instances of remote desktop software in your organisation which could lead to compromise. These searches can also be used to create detections that allow you to monitor and alert when remote desktop tools are running in your environment.

IOC Hunt

The CISA report lists all the IOCs that have been observed. Plug these IOCs into your SIEM/EDR tool to see whether any of them have been observed in your organisation.

SIEM Hunt/Detection for Remote Desktop Tools

If you are logging Event ID 4688 (Process Creation) to your chosen SIEM you can use this event to see which applications are being executed. The below screenshot shows TeamViewer being executed for installation and AnyDesk being used. Search for Event ID 4688 where the “New Process Name” contains “Teamviewer.exe” or “AnyDesk.exe”.

SIEM Detection Logic

| Field Name       | Operator | Parameter                                                              |
|------------------|----------|------------------------------------------------------------------------|
| Log Source Type  | EQUALS   | Microsoft Security Event Logs                                          |
| Event ID         | EQUALS   | 4688                                                                   |
| New Process Name | CONTAINS | <Insert watchlist containing Remote Desktop tools you want to monitor> |

Use the above logic to create a detection rule in your SIEM platform. You will need to map each Field Name to the corresponding field in your chosen SIEM.

EDR Hunt/Detection for Remote Desktop Tools

// KQL operators are case-sensitive: the keyword is "where", not "Where".
// "contains" itself is a case-insensitive substring match, so mixed-case
// file names such as AnyDesk.exe and TeamViewer.exe are still caught.
DeviceProcessEvents
| where FileName contains "anydesk.exe" or FileName contains "teamviewer.exe"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName

The above KQL query can be used to hunt for remote desktop tools being used in your environment; these process names were observed when the tools were installed and running. If your organisation's policy is to restrict these tools, this query will help you find any violations. You can also use the query as a custom detection rule to monitor your environment, so that Defender alerts your SOC/security analysts when these tools are being used.
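The SIEM watchlist rule in the table above and the Defender KQL hunt are the same three-condition check (security log source, Event ID 4688, New Process Name containing a watched binary). Below is that logic as an added example in plain Python, not code from the original post, CISA or Microsoft, so it can be run offline against constructed sample events. The field names mirror Windows Security Event ID 4688; the sample events, and every watchlist entry other than anydesk.exe and teamviewer.exe, are assumptions made for illustration.

```python
"""Added example (not from the original post, CISA or Microsoft): the SIEM
watchlist rule and the Defender KQL hunt re-implemented in Python and run
against constructed sample events."""
from collections import Counter
from dataclasses import dataclass

# Watchlist of remote-access tool binaries (the "<Insert watchlist>" parameter
# in the SIEM table). anydesk.exe and teamviewer.exe are from the post; the
# other entries are assumed binary names for tools the post mentions and must
# be confirmed against the software actually seen in your estate.
REMOTE_TOOL_WATCHLIST = (
    "anydesk.exe",
    "teamviewer.exe",
    "teamviewer_setup.exe",              # assumed installer name
    "quickassist.exe",                   # assumed Quick Assist binary name
    "screenconnect.clientservice.exe",   # assumed ScreenConnect client name
)


@dataclass(frozen=True)
class Hit:
    computer: str
    account: str
    new_process_name: str
    matched: str


def match_watchlist(new_process_name, watchlist=REMOTE_TOOL_WATCHLIST):
    """Case-insensitive CONTAINS over the full New Process Name, the same
    comparison the SIEM rule and KQL `contains` perform. Returns the first
    watchlist entry found, or None."""
    lowered = new_process_name.lower()
    for entry in watchlist:
        if entry in lowered:
            return entry
    return None


def hunt_remote_tools(events, watchlist=REMOTE_TOOL_WATCHLIST):
    """Apply the three conditions from the SIEM table: correct log source,
    Event ID 4688, and New Process Name containing a watchlist entry."""
    hits = []
    for ev in events:
        if ev.get("LogSourceType") != "Microsoft Security Event Logs":
            continue
        if ev.get("EventID") != 4688:
            continue
        matched = match_watchlist(ev.get("NewProcessName", ""), watchlist)
        if matched is not None:
            hits.append(Hit(ev["Computer"], ev["SubjectUserName"],
                            ev["NewProcessName"], matched))
    return hits


def hits_by_host(hits):
    """Count matches per host, which is usually how a hunt result is triaged."""
    return dict(Counter(h.computer for h in hits))


# Constructed sample events (not real telemetry). Three should match and
# three should be filtered out by the source / event ID / name conditions.
SAMPLE_EVENTS = [
    {"LogSourceType": "Microsoft Security Event Logs", "EventID": 4688,
     "Computer": "WS01", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Users\jsmith\Downloads\AnyDesk.exe"},
    {"LogSourceType": "Microsoft Security Event Logs", "EventID": 4688,
     "Computer": "WS01", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"LogSourceType": "Microsoft Security Event Logs", "EventID": 4624,
     "Computer": "WS01", "SubjectUserName": "jsmith",
     "NewProcessName": ""},                              # logon event, not 4688
    {"LogSourceType": "Microsoft Security Event Logs", "EventID": 4688,
     "Computer": "WS01", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Users\jsmith\Downloads\TeamViewer_Setup.exe"},
    {"LogSourceType": "Microsoft Sysmon", "EventID": 1,   # wrong log source
     "Computer": "WS02", "SubjectUserName": "adoe",
     "NewProcessName": r"C:\Users\adoe\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"LogSourceType": "Microsoft Security Event Logs", "EventID": 4688,
     "Computer": "WS02", "SubjectUserName": "adoe",
     "NewProcessName": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
]

if __name__ == "__main__":
    found = hunt_remote_tools(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit.computer}\t{hit.account}\t{hit.new_process_name}\t(matched {hit.matched})")
    print(hits_by_host(found))
```

Two design points worth noting: the match is a case-insensitive substring over the whole path, which is what both the SIEM CONTAINS operator and Defender's `contains` do (use `contains_cs` in KQL if you need case sensitivity), so per-user copies under Downloads or AppData are caught as well as the installed binary. The flip side is that a binary renamed by the attacker will not match a name-based watchlist at all, so treat this hunt as a policy-violation finder and pair it with file-hash or code-signer based rules in your EDR for the evasion case.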
