Key Takeaways

  • GreyNoise has detected active exploitation of 23 of the 62 CVEs mentioned in Black Basta’s leaked chat logs, including vulnerabilities affecting enterprise software, security appliances, and widely used web applications. 
  • CVE-2023-6875 is being exploited despite not being listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, reinforcing the need for real-time intelligence beyond static lists. 
  • Some of these CVEs have been actively exploited in just the past 24 hours, including critical flaws in Palo Alto PAN-OS, JetBrains TeamCity, Microsoft Exchange, and Cisco IOS XE.  
  • GreyNoise is not attributing this activity to the ransomware group, Black Basta. Rather, we are observing active exploitation of a subset of the 62 CVEs mentioned in the group’s leaked chat logs. 
  • GreyNoise confirms active exploitation of 23 of the 62 CVEs. However, since not all 62 are trackable by GreyNoise, the actual number of exploited vulnerabilities may be higher. 

GreyNoise Confirms Active Exploitation of CVEs Listed in Black Basta’s Leaked Chats

A major leak of internal chat logs from the Black Basta ransomware group has revealed 62 CVEs discussed by the group — offering a glimpse into the vulnerabilities considered for exploitation by one of the most active ransomware operators. The list, first compiled by VulnCheck, underscores how attackers continue to target publicly known vulnerabilities long after disclosure. 

To assess real-world impact, GreyNoise analyzed internet-wide exploitation activity for these vulnerabilities. Our data confirms that 23 of these CVEs are actively being exploited, including in enterprise software, security appliances, and widely used applications. 

Observed Exploitation Activity 

GreyNoise data shows that 23 of the 62 CVEs mentioned in Black Basta’s leaked chat logs have been targeted within the past 30 days. 

The CVEs are: 

  • CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection 
  • CVE-2024-27198 – JetBrains TeamCity Authentication Bypass
  • CVE-2024-24919 – Check Point Quantum Security Gateways Information Disclosure
  • CVE-2024-23897 – Jenkins Command Line Interface (CLI) Path Traversal Vulnerability
  • CVE-2024-1709 – ConnectWise ScreenConnect Authentication Bypass
  • CVE-2023-6875 – wpexperts post_smtp_mailer Missing Authorization
  • CVE-2023-4966 – Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
  • CVE-2023-42793 – JetBrains TeamCity Authentication Bypass Vulnerability
  • CVE-2023-36845 – Juniper Junos OS PHP External Variable Control
  • CVE-2023-36844 – Juniper Junos OS EX Series PHP External Variable Modification Vulnerability
  • CVE-2023-29357 – Microsoft SharePoint Server Privilege Escalation Vulnerability
  • CVE-2023-22515 – Atlassian Confluence Broken Access Control 
  • CVE-2023-20198 – Cisco IOS XE Web UI Privilege Escalation 
  • CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution 
  • CVE-2022-41040 – Microsoft Exchange Server Server-Side Request Forgery Vulnerability
  • CVE-2022-37042 – Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass Vulnerability
  • CVE-2022-30525 – Zyxel Multiple Firewalls OS Command Injection 
  • CVE-2022-27925 – Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
  • CVE-2022-26134 – Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
  • CVE-2022-22965 – Spring Framework JDK 9+ Remote Code Execution Vulnerability
  • CVE-2022-1388 – F5 BIG-IP Missing Authentication Vulnerability
  • CVE-2021-44228 – Apache Log4j RCE (Log4Shell)
  • CVE-2021-26855 – Microsoft Exchange Server RCE (ProxyLogon)

Recent Exploitation: Activity Seen in the Last 24 Hours

A subset of the CVEs targeted within the past 30 days have been targeted within the past 24 hours. These include:

  • CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection 
  • CVE-2024-27198 – JetBrains TeamCity Authentication Bypass
  • CVE-2024-24919 – Check Point Quantum Security Gateways Information Disclosure
  • CVE-2024-1709 – ConnectWise ScreenConnect Authentication Bypass
  • CVE-2023-4966 – Citrix NetScaler ADC Buffer Overflow (Citrix Bleed)
  • CVE-2023-36845 – Juniper Junos OS PHP External Variable Control
  • CVE-2023-22515 – Atlassian Confluence Broken Access Control 
  • CVE-2023-20198 – Cisco IOS XE Web UI Privilege Escalation 
  • CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution 
  • CVE-2022-30525 – Zyxel Multiple Firewalls OS Command Injection 
  • CVE-2021-44228 – Apache Log4j RCE (Log4Shell)
  • CVE-2021-26855 – Microsoft Exchange Server RCE (ProxyLogon)

How Defenders Can Respond 

Organizations should immediately assess their exposure to the actively exploited CVEs listed in this post and take the following steps:

  • Patch these vulnerabilities — especially those being actively exploited in the last 24 hours. 
  • Use GreyNoise’s intelligence to prioritize and validate real-world threats.
  • Move beyond KEV — CVE-2023-6875 underscores the importance of real-time intelligence over advisories and lists. 
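One way to turn the three steps above into a repeatable triage (an added example, not GreyNoise’s own code): each CVE a scanner reports on a host is tiered by the 24-hour, 30-day and chat-log-only sets from this post, and the KEV gap for CVE-2023-6875 is flagged separately. The hostnames, SAMPLE_INVENTORY and CHAT_LOG_SUBSET are constructed assumptions; in practice, feed in the full 62-CVE list and your real inventory.

```python
from __future__ import annotations
# The three CVE sets below are copied from this post (24-hour, 30-day, chat-log).
EXPLOITED_24H = {
    "CVE-2024-3400", "CVE-2024-27198", "CVE-2024-24919", "CVE-2024-1709",
    "CVE-2023-4966", "CVE-2023-36845", "CVE-2023-22515", "CVE-2023-20198",
    "CVE-2022-41082", "CVE-2022-30525", "CVE-2021-44228", "CVE-2021-26855",
}
EXPLOITED_30D = EXPLOITED_24H | {
    "CVE-2024-23897", "CVE-2023-6875", "CVE-2023-42793", "CVE-2023-36844",
    "CVE-2023-29357", "CVE-2022-41040", "CVE-2022-37042", "CVE-2022-27925",
    "CVE-2022-26134", "CVE-2022-22965", "CVE-2022-1388",
}
# Exploited CVE the post says was absent from CISA KEV at time of writing.
NOT_IN_KEV = {"CVE-2023-6875"}
# Constructed subset of the 62 chat-log CVEs; use the full list in practice.
CHAT_LOG_SUBSET = EXPLOITED_30D | {"CVE-2024-25600", "CVE-2023-36884", "CVE-2020-1472"}
TIERS = ("P1-exploited-24h", "P2-exploited-30d", "P3-chat-logs-only")

def tier_for(cve: str, chat_log_cves: set[str]) -> str | None:
    """Map one CVE to a patch-priority tier; None if it is not in the leaked list."""
    if cve in EXPLOITED_24H:
        return TIERS[0]
    if cve in EXPLOITED_30D:
        return TIERS[1]
    if cve in chat_log_cves:
        return TIERS[2]
    return None

def triage(inventory: dict[str, set[str]], chat_log_cves: set[str]) -> list[tuple]:
    """Return (tier, host, cve, kev_gap) rows sorted so P1 findings come first.
    inventory maps hostname -> CVEs a scanner reports for that host; kev_gap is
    True when the CVE is exploited but absent from KEV (a KEV-only policy misses it)."""
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            tier = tier_for(cve, chat_log_cves)
            if tier is None:
                continue  # not in the leaked list; leave to normal VM cadence
            rows.append((tier, host, cve, cve in NOT_IN_KEV))
    return sorted(rows)

# Constructed sample inventory: hostnames and exposures are made up.
SAMPLE_INVENTORY = {
    "edge-fw-01": {"CVE-2024-3400", "CVE-2022-30525"},
    "ci-01": {"CVE-2024-23897", "CVE-2023-42793"},
    "wp-blog": {"CVE-2023-6875", "CVE-2024-25600"},
    "dc-01": {"CVE-2020-1472", "CVE-0000-0000"},  # second id is a placeholder
}
```

Calling triage(SAMPLE_INVENTORY, CHAT_LOG_SUBSET) returns the rows in patch order, with the two edge-firewall findings first and the post_smtp_mailer exposure marked as a KEV gap.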

How to Investigate These CVEs in GreyNoise

  • GreyNoise customers: Log in to the GreyNoise product, navigate to the CVEs tab, paste the 62 CVEs, and select “SEARCH” to see real-time exploitation activity. 
  • Free users: GreyNoise allows you to search for exploitation activity one CVE at a time via our free lookup tool.

Full List of CVEs Mentioned in Black Basta’s Leaked Chat Logs

The following 62 CVEs were identified in Black Basta’s leaked chat logs by VulnCheck. Organizations can use this list to assess their exposure. 

  • CVE-2024-3400
  • CVE-2024-27198
  • CVE-2024-26169
  • CVE-2024-25600
  • CVE-2024-24919
  • CVE-2024-23897
  • CVE-2024-23113
  • CVE-2024-23109
  • CVE-2024-23108
  • CVE-2024-21762
  • CVE-2024-21683
  • CVE-2024-21413
  • CVE-2024-21378
  • CVE-2024-21338
  • CVE-2024-1709
  • CVE-2024-1708
  • CVE-2024-1086
  • CVE-2023-7028
  • CVE-2023-7027
  • CVE-2023-6875
  • CVE-2023-4966
  • CVE-2023-42793
  • CVE-2023-42115
  • CVE-2023-38831
  • CVE-2023-36884
  • CVE-2023-36874
  • CVE-2023-36845
  • CVE-2023-36844
  • CVE-2023-36745
  • CVE-2023-36394
  • CVE-2023-35628
  • CVE-2023-3519
  • CVE-2023-3467
  • CVE-2023-3466
  • CVE-2023-29357
  • CVE-2023-23397
  • CVE-2023-22515
  • CVE-2023-21716
  • CVE-2023-20198
  • CVE-2022-41352
  • CVE-2022-41082
  • CVE-2022-41040
  • CVE-2022-37969
  • CVE-2022-37042
  • CVE-2022-30525
  • CVE-2022-30190
  • CVE-2022-27925
  • CVE-2022-26134
  • CVE-2022-22965
  • CVE-2022-1388
  • CVE-2022-0609
  • CVE-2021-44228
  • CVE-2021-42321
  • CVE-2021-42287
  • CVE-2021-42278
  • CVE-2021-40444
  • CVE-2021-28482
  • CVE-2021-26855
  • CVE-2020-1472
  • CVE-2017-5754
  • CVE-2017-5753
  • CVE-2017-11882

GreyNoise will continue monitoring exploitation trends in real time. Stay updated by following GreyNoise’s threat intelligence reports and platform updates, and by visiting the GreyNoise visualizer.

— — — 

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.