The ransomware operator Black Basta has begun impersonating Microsoft Teams IT support teams in order to gain access to enterprise systems and data.
Black Basta is sending targeted employees thousands of emails and then posing as the Microsoft helpdesk to help them resolve the influx of spam.
Far from helping, it then gains remote access to their Windows devices, runs scripts to install payloads to keep remote access, and then spreads to other devices, gaining privileges, stealing their data, and even installing ransomware encryptors to take complete control of specific files.
According to the computer help forum Bleeping Computer, the criminal group has been active since April 2022 and is responsible for hundreds of attacks against corporations worldwide.
The US cybersecurity technology company, ReliaQuest, which uncovered the latest Black Basta social engineering attacks, shared its findings:
This rapidly escalating campaign poses a significant threat to organisations.”
“The threat group is targeting many of our customers across diverse sectors and geographies with alarming intensity.”
“The sheer volume of activity is also unique; in one incident alone, we observed approximately 1,000 emails bombarding a single user within just 50 minutes.”
“Due to commonalities in domain creation and Cobalt Strike configurations, we attribute this activity to Black Basta with high confidence.”
Black Basta Ransomware on Teams
ReliaQuest researchers found that, since October, Black Basta has been using Teams to make contact.
As before, they begin by bombarding an employee’s inbox with emails. Then, instead of calling, they make contact as external Microsoft Teams users, pretending to be the IT help desk.
ReliaQuest lists examples of profile names used by Black Basta, which all use the naming convention “.onmicrosoft.com”: securityadminhelper.onmicrosoft[.]com, supportserviceadmin.onmicrosoft[.]com, supportadministrator.onmicrosoft[.]com, and cybersecurityadmin.onmicrosoft[.]com.
They also set their profiles to a “DisplayName” to make themselves appear to be official support staff, along with the string “Help Desk” and surrounded by whitespace characters to centre the name within the chat.
Companies to have fallen victim to Black Basta so far include the UK water supplier Southern Water, insurance provider Corvus, and outsourcer Capita. Losses resulting from the ransomware attack on Capita, for example, are somewhere between $15 million and $20 million.
ReliaQuest’s Recommendations
ReliaQuest has advised companies to protect themselves against these kinds of threats by blocking all malicious domains and subdomains.
To prevent ransomware tactics that leverage Microsoft Teams and QR code phishing, communications with external users should be disabled from within Teams.
If communicating with external users is necessary, trusted domains can be added to an allowed list.
Aggressive anti-spam policies can help prevent spam from overloading inboxes.
Make sure logging is enabled for Teams to enable detection and investigations for these activities.
Current detection rules and security tools should be able to address threats like Impacket abuse and Cobalt Strike, as these are well-known ransomware.
ReliaQuest concludes: “To defend against these threats, organisations should ensure employees remain vigilant against current social engineering tactics by providing ongoing training and awareness programs that highlight the latest attacker threats and techniques.”
“This vigilance should be paired with a robust defence-in-depth strategy, incorporating multiple layers of security measures such as firewalls, intrusion detection systems, and regular security audits.”
This approach will help identify and neutralise potential suspicious activity before it can cause any harm.”
This is not the first time Teams has been used as a vehicle for hackers to infiltrate corporate systems. In January, Microsoft disabled the ms-appinstaller protocol handler as the default because it had found evidence that the hackers had been exploiting the software to distribute malware.
Just two percent of organisations have “mature” cybersecurity readiness, according to Cisco‘s 2024 Cybersecurity Readiness Index released in March this year.
from UC Today https://ift.tt/QzlRFj6
0 Comments