Issue 43: Black Basta Strikes BT Group, Celestial Stealer Exploits Browsers & Secret Blizzard Escalates Espionage

Top stories 06 December 2024:

  1. BT Group confirms Black Basta ransomware breach
  2. Celestial Stealer malware targets sensitive browser and application data
  3. Secret Blizzard targets global infrastructure with espionage tools


Welcome back to Critical Chatter, your weekly round-up of current cybersecurity threats, vulnerabilities and active exploits, curated by your humble SOC team. 👋



BT Group confirms Black Basta ransomware breach

BT Group, the UK’s leading telecom provider, has acknowledged a ransomware breach targeting its BT Conferencing division.


Black Basta, the ransomware group behind the attack, claims to have stolen 500GB of sensitive data, including financial documents, organisational details and user information. The group has threatened to leak the stolen files via its dark web platform.


Screenshots of the stolen documents were released by Black Basta, contradicting BT’s statement that the incident was merely an "attempt to compromise" its platform. The scale of the attack indicates otherwise, and BT is working closely with regulators and law enforcement to address the breach.


Since April 2022, Black Basta has targeted over 500 organisations globally, extracting more than $100 million in ransom payments from at least 90 victims. Their targets have included prominent names such as Ascension, Rheinmetall and Hyundai’s European division.


The persistent threat from ransomware groups operating under Ransomware-as-a-Service (RaaS) models is a real risk to businesses. According to Microsoft, Black Basta is one of the top human-operated ransomware groups alongside Lockbit, Akira, Play and Blackcat. Together, these groups account for 51% of ransomware attacks.


TL;DR: BT Group’s conferencing division suffered a ransomware breach by Black Basta, which claims to have stolen 500GB of sensitive data and has threatened to leak it.



Celestial Stealer malware targets sensitive browser and application data

Celestial Stealer, a JavaScript-based infostealer, has been observed targeting Chromium and Gecko-based browsers to gather sensitive information.


What does this include? Stored passwords, browser history, autofill data, cookies, credit card details and even the URLs and access frequencies of visited sites. The malware operates as a subscription service on Telegram, offering plans ranging from weekly to lifetime access - because even hackers can't resist a subscription model.


Using advanced obfuscation techniques, the malware evades detection, and it incorporates anti-analysis measures that prevent it from running on systems with particular usernames or machine names. It is capable of injecting harmful payloads into applications like Steam, Telegram, and cryptocurrency wallets such as Atomic and Exodus. On top of this, it retrieves additional payloads from command-and-control (C2) servers and searches for files with specific names in the Desktop, Downloads and OneDrive folders, though it limits data collection to files under 50 MB.


Marketed as fully undetectable (FUD), Celestial Stealer undergoes frequent updates to bypass antivirus systems. Its ability to extract sensitive information makes it a significant risk to both individuals and organisations.


TL;DR: Celestial Stealer, a JavaScript-based malware targeting Chromium and Gecko browsers, collects sensitive data like passwords, cookies and credit card details while evading detection through advanced obfuscation.



Secret Blizzard targets global infrastructure with espionage tools

A joint investigation by Microsoft Threat Intelligence and Black Lotus Labs has uncovered the activities of Secret Blizzard, a Russian cyber actor associated with the Federal Security Service (FSB).

This group has conducted espionage operations for over seven years, focusing on ministries, embassies and defence agencies worldwide.


Secret Blizzard's tactics involve long-term infiltration of systems for intelligence gathering, often using infrastructure from other cyber actors. Since November 2022, the group has repurposed tools and infrastructure from Storm-0156, a Pakistan-based group also known as Transparent Tribe or APT36. Integrating tools like CrimsonRAT and Arsenal with its own malware (e.g., TwoDash, MiniPocket, and Statuezy) has allowed Secret Blizzard to broaden its reach while concealing its operations.


Their techniques include DLL sideloading, redirecting command-and-control traffic, and using Storm-0156’s backdoors to run broader campaigns. The group has compromised high-value targets, including Afghanistan’s Ministry of Foreign Affairs and various intelligence organisations.


TL;DR: Secret Blizzard, a Russian FSB-linked cyber actor, has conducted espionage for over seven years, repurposing tools from other groups like Pakistan-based APT36 to infiltrate high-value targets, including ministries and intelligence agencies worldwide.


That's all folks!

Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Ed Bailey (SOC Analyst).


If you like what you've read, subscribe so you don't miss next week's roundup!