惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Vulnerabilities – Threatpost
AI
AI
D
Darknet – Hacking Tools, Hacker News & Cyber Security
L
LINUX DO - 热门话题
G
GRAHAM CLULEY
Cisco Talos Blog
Cisco Talos Blog
T
Tenable Blog
L
Lohrmann on Cybersecurity
Know Your Adversary
Know Your Adversary
A
Arctic Wolf
T
Threatpost
AWS News Blog
AWS News Blog
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
J
Java Code Geeks
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
The GitHub Blog
The GitHub Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
C
Cisco Blogs
F
Full Disclosure
Jina AI
Jina AI
Engineering at Meta
Engineering at Meta
I
InfoQ
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
Intezer
C
CERT Recently Published Vulnerability Notes
Last Week in AI
Last Week in AI
P
Privacy International News Feed
Scott Helme
Scott Helme
WordPress大学
WordPress大学
Simon Willison's Weblog
Simon Willison's Weblog
D
Docker
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
C
Cyber Attacks, Cyber Crime and Cyber Security
Y
Y Combinator Blog
T
Tor Project blog
V
Visual Studio Blog
Spread Privacy
Spread Privacy
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Google DeepMind News
Google DeepMind News
B
Blog RSS Feed
Google Online Security Blog
Google Online Security Blog
C
Check Point Blog
爱范儿
爱范儿
N
News and Events Feed by Topic
博客园 - 【当耐特】
TaoSecurity Blog
TaoSecurity Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
How Black Basta Turned Public Data into a Breach Playbook
2025-06-25 · via Vectra AI Blog
This blog was originally featured as a byline in SC Media and is republished here with permission.

In May 2025, leaked internal chat logs from the Black Basta ransomware group revealed how attackers used public data to profile companies, identify vulnerable infrastructure, and quietly gain access (all before launching a single malicious payload).

Their approach was strikingly methodical. Affiliates started with tools like ZoomInfo to filter potential targets based on size, industry, and revenue. Once a company was flagged as a high-value target, they turned to LinkedIn to map out the org chart and analyze job postings to understand what technologies were in use. From there, they used contact enrichment platforms like RocketReach and SignalHire to gather email addresses, just like a sales team would when prospecting.

But it didn’t stop with employee data. Using platforms like Shodan and FOFA, the group scanned the internet for exposed infrastructure: VPN portals, Citrix instances, vulnerable appliances like SonicWall or Fortinet, and cloud services like Jenkins or ESXi. In some cases, they already had leaked credentials from previous breaches, allowing them to log in without triggering any alarms.

This wasn’t a zero-day exploit or an insider job. It was a textbook example of how attackers can weaponize Open-Source Intelligence (OSINT).

What is OSINT and why it matters

OSINT is the practice of collecting and analyzing publicly available information to generate actionable intelligence. While it's a powerful tool for cybersecurity teams and investigators, it’s also a go-to technique for attackers during the early stages of a breach. From company blogs and public repos to social media posts and leaked credentials, OSINT gives threat actors everything they need to understand how an organization operates and where it might be exposed.

Black Basta didn’t invent this method. They just used it well and they’re not alone.

What attackers look for

While OSINT comes from countless sources, it generally falls into four main categories:

  1. People data
    Social media profiles, public forums, and speaker bios help attackers identify key employees, org structure, and work habits.
  2. Company and technical exposure
    Job postings, vendor press releases, GitHub repos, and WHOIS records reveal the tech stack in use and any recent changes that might introduce vulnerabilities.
  3. Infrastructure footprints
    Tools like Shodan and FOFA are used to find internet-exposed services (VPNs, cloud apps, open ports, or outdated software).
  4. Leaked credentials
    Password dumps from past breaches are easy to find and often reused. Attackers use these to access accounts quietly, especially if MFA isn’t enforced.

In short, attackers combine scattered pieces of public data into a complete and accurate map of your environment, often with better context than internal teams have.

What you can do today

Reducing your digital footprint takes effort, but it’s one of the most effective ways to slow down attackers and disrupt reconnaissance. Start with these steps:

For everyone:

  • Search yourself regularly. See what shows up when you Google your name, email, or past work. Remove anything that reveals sensitive projects, internal tools, or contact details.
  • Think before you post. Avoid sharing office photos, technical details, or vendor names in public forums and social platforms.
  • Clean up your files. Strip metadata from documents and images before sharing them externally. Tools like ExifTool can help.
  • Separate work and personal accounts. Keep your personal life private and limit what professional details are publicly accessible.
  • Stay alert to social engineering. If someone contacts you using oddly specific details, verify before responding or clicking.

For security teams:

  • Monitor lookalike domains. Set alerts for newly registered domains that mimic your brand and act before they’re weaponized.
  • Review access controls. Limit permissions to what’s strictly needed, and remove stale accounts or unused service credentials.
  • Segment your network. Ensure that development, production, and internal systems are isolated to reduce the blast radius of any intrusion.
  • Simulate an OSINT-based attack. Task your red team to gather only public data and see how far they can get. Use the findings to inform controls and awareness training.

The Bigger Picture

The Black Basta case should serve as a wake-up call. You don’t need a zero-day exploit when people and systems expose everything attackers need. Security isn’t just about patching systems or deploying the latest toolset: it’s also about awareness, digital hygiene, and making it harder for adversaries to gather the intel they rely on. Reducing your public exposure and detecting early signs of compromise (especially across identity, network, and cloud) isn’t optional. It’s the new baseline for defense.

The Vectra AI Platform: When prevention is not enough

Even with these good habits, strong firewalls and endpoint defenses, attackers may find ways to bypass your security. Fear not, when prevention alone cannot stop an attack, the Vectra AI Platform steps in. Vectra AI continuously watches network traffic, cloud identity, and SaaS activity to detect subtle signs of compromise. If an attacker bypasses a firewall or phishing filter, Vectra AI’s AI-driven analysis spots unusual patterns, like a valid user identity authenticating from an unexpected location, accessing sensitive cloud resources, or a service account making rare API calls. Because it focuses on identity and behavior, Vectra AI catches threats that other defenses miss and alerts security teams immediately, so they can act before data is lost.

Want to see the platform in action? Request a demo.