This blog was originally featured as a byline in SC Media and is republished here with permission.
In May 2025, leaked internal chat logs from the Black Basta ransomware group revealed how attackers used public data to profile companies, identify vulnerable infrastructure, and quietly gain access—all before launching a single malicious payload.
Their approach was strikingly methodical. Affiliates started with tools like ZoomInfo to filter potential targets based on size, industry, and revenue. Once a company was flagged as a high-value target, they turned to LinkedIn to map out the org chart and analyze job postings to understand what technologies were in use. From there, they used contact enrichment platforms like RocketReach and SignalHire to gather email addresses, just like a sales team would when prospecting.
But it didn’t stop with employee data. Using platforms like Shodan and FOFA, the group scanned the internet for exposed infrastructure: VPN portals, Citrix instances, vulnerable appliances like SonicWall or Fortinet, and cloud services like Jenkins or ESXi. In some cases, they already had leaked credentials from previous breaches, allowing them to log in without triggering any alarms.
This wasn’t a zero-day exploit or an insider job. It was a textbook example of how attackers can weaponize Open-Source Intelligence (OSINT).
What is OSINT and why it matters
OSINT is the practice of collecting and analyzing publicly available information to generate actionable intelligence. While it's a powerful tool for cybersecurity teams and investigators, it’s also a go-to technique for attackers during the early stages of a breach. From company blogs and public repos to social media posts and leaked credentials, OSINT gives threat actors everything they need to understand how an organization operates and where it might be exposed.
Black Basta didn’t invent this method. They just used it well, and they’re not alone.
What attackers look for
While OSINT comes from countless sources, it generally falls into four main categories:
- People data: Social media profiles, public forums, and speaker bios help attackers identify key employees, org structure, and work habits.
- Company and technical exposure: Job postings, vendor press releases, GitHub repos, and WHOIS records reveal the tech stack in use and any recent changes that might introduce vulnerabilities.
- Infrastructure footprints: Tools like Shodan and FOFA are used to find internet-exposed services (VPNs, cloud apps, open ports, or outdated software).
- Leaked credentials: Password dumps from past breaches are easy to find and often reused. Attackers use these to access accounts quietly, especially if MFA isn’t enforced.
In short, attackers combine scattered pieces of public data into a complete and accurate map of your environment, often with better context than internal teams have.
What you can do today
Reducing your digital footprint takes effort, but it’s one of the most effective ways to slow down attackers and disrupt reconnaissance. Start with these steps:
For everyone:
- Search yourself regularly. See what shows up when you Google your name, email, or past work. Remove anything that reveals sensitive projects, internal tools, or contact details.
- Think before you post. Avoid sharing office photos, technical details, or vendor names in public forums and social platforms.
- Clean up your files. Strip metadata from documents and images before sharing them externally. Tools like ExifTool can help.
- Separate work and personal accounts. Keep your personal life private and limit what professional details are publicly accessible.
- Stay alert to social engineering. If someone contacts you using oddly specific details, verify before responding or clicking.
For security teams:
- Monitor lookalike domains. Set alerts for newly registered domains that mimic your brand and act before they’re weaponized.
- Review access controls. Limit permissions to what’s strictly needed, and remove stale accounts or unused service credentials.
- Segment your network. Ensure that development, production, and internal systems are isolated to reduce the blast radius of any intrusion.
- Simulate an OSINT-based attack. Task your red team to gather only public data and see how far they can get. Use the findings to inform controls and awareness training.
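One way to implement the lookalike-domain monitoring step above, as an added example that is not part of the original post or Vectra AI’s product: it generates the common typosquat forms of a brand domain (character omission, transposition, homoglyphs, lure words, alternate TLDs) and flags matching entries in a newly-registered-domain feed. The brand domain and the feed are constructed placeholders standing in for a real brand and a certificate-transparency or zone-file feed.

```python
"""Defensive lookalike-domain monitoring: flag new registrations that
resemble a brand domain. Brand and feed below are constructed placeholders."""

BRAND_DOMAIN = "example.com"  # constructed placeholder, not a real brand

# Constructed stand-in for a newly-registered-domain feed (a real deployment
# would pull these from a CT log or zone-file diff).
NEW_DOMAINS = [
    "exampl3.com", "examp1e.com", "example-login.com", "exarnple.com",
    "unrelated.net", "example.co", "examplecom.net", "exmaple.com",
]

HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv"}
LURE_WORDS = ("login", "secure", "support", "portal", "mail")


def typosquat_labels(label: str) -> dict[str, str]:
    """Map each generated lookalike label to the technique that produces it."""
    out: dict[str, str] = {}
    for i in range(len(label)):
        out.setdefault(label[:i] + label[i + 1:], "omission")  # dropped char
        if i + 1 < len(label):  # adjacent characters swapped (fat-finger typo)
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            out.setdefault(swapped, "transposition")
    for i, ch in enumerate(label):  # one visually similar character swapped in
        if ch in HOMOGLYPHS:
            out.setdefault(label[:i] + HOMOGLYPHS[ch] + label[i + 1:], "homoglyph")
    for word in LURE_WORDS:  # brand name plus a phishing lure word
        out.setdefault(f"{label}-{word}", "lure-word")
        out.setdefault(f"{label}{word}", "lure-word")
    out.pop(label, None)  # the brand's own label is never a lookalike
    return out


def find_lookalikes(new_domains, brand: str = BRAND_DOMAIN) -> dict[str, str]:
    """Return {domain: reason} for feed entries that resemble the brand domain.
    Assumes a single-label TLD (example.com, not example.co.uk)."""
    brand_label, _, brand_tld = brand.lower().partition(".")
    variants = typosquat_labels(brand_label)
    hits: dict[str, str] = {}
    for domain in new_domains:
        label, _, tld = domain.lower().partition(".")
        if label in variants:
            hits[domain] = variants[label]
        elif label == brand_label and tld != brand_tld:
            hits[domain] = "other-tld"  # same name under a different TLD
        elif label == brand_label + brand_tld:
            hits[domain] = "tld-glued"  # e.g. examplecom.net
    return hits
```

Running `find_lookalikes(NEW_DOMAINS)` flags every constructed entry except `unrelated.net`; in practice the hits would feed an alerting or takedown queue rather than being treated as confirmed malicious.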
The Bigger Picture
The Black Basta case should serve as a wake-up call. You don’t need a zero-day exploit when people and systems expose everything attackers need. Security isn’t just about patching systems or deploying the latest toolset: it’s also about awareness, digital hygiene, and making it harder for adversaries to gather the intel they rely on. Reducing your public exposure and detecting early signs of compromise (especially across identity, network, and cloud) isn’t optional. It’s the new baseline for defense.
The Vectra AI Platform: When prevention is not enough
Even with these good habits, strong firewalls, and endpoint defenses, attackers may find ways to bypass your security. Fear not: when prevention alone cannot stop an attack, the Vectra AI Platform steps in. Vectra AI continuously watches network traffic, cloud identity, and SaaS activity to detect subtle signs of compromise. If an attacker bypasses a firewall or phishing filter, Vectra AI’s AI-driven analysis spots unusual patterns, such as a valid user identity authenticating from an unexpected location, accessing sensitive cloud resources, or a service account making rare API calls. Because it focuses on identity and behavior, Vectra AI catches threats that other defenses miss and alerts security teams immediately, so they can act before data is lost.
Want to see the platform in action? Request a demo.