Businesses increasingly fall victim to sophisticated phishing attacks as ransomware gangs adopt new methods to infiltrate company networks. These attacks combine email bombing campaigns, impersonation of IT support, and abuse of Microsoft Teams’ default configuration for external communication. Cybersecurity experts have linked these tactics to high-profile ransomware groups such as Black Basta and to other threat actors potentially associated with FIN7.


How the Attacks Unfold

Step 1: Email Bombing Campaign

The attacks typically begin with a massive spam email campaign; in one instance observed by cybersecurity researchers at Sophos, a group identified as STAC5143 sent over 3,000 spam emails to a single target in just 45 minutes. This tactic overwhelms the victim’s inbox, creating a sense of urgency and confusion.

Step 2: Microsoft Teams Impersonation

Following the email ‘bombing’, the targeted employee receives a Microsoft Teams call from an external account posing as an IT support representative. The default Microsoft Teams configuration makes these calls possible, allowing communication with external domains unless explicitly restricted.

The impersonator often adopts convincing names such as “Help Desk Manager,” in a bid to sound legitimate.

During the call, the attacker convinces the victim to grant remote access. Using this access, they deliver malicious payloads designed to compromise the system. In one case, a Java archive (MailQueue-Handler.jar) and Python scripts (RPivot backdoor) were deployed via a SharePoint link. These tools enabled the attackers to execute PowerShell commands, side-load malware, and establish encrypted command-and-control (C2) channels.


Malware Deployment and Exploitation

After gaining access, attackers use a combination of legitimate software and malicious code to infiltrate the system. For example, they may deploy:

  • Side-Loading Malware: A legitimate ProtonVPN executable is used to load a malicious DLL (nethost.dll), creating a C2 communication channel for remote access.
  • Penetration Testing Tools: Tools like RPivot give attackers a SOCKS4 proxy tunnel through which they relay commands while obscuring the origin of their activity.
  • Credential Harvesting: Attackers use malware to log keystrokes, scan for credentials stored in files or the registry, and explore the network for potential pivoting points.

In one campaign attributed to the group STAC5777, attackers tricked victims into installing Microsoft Quick Assist, granting direct keyboard access. They then deployed malware through Azure Blob Storage, enabling credential harvesting, keystroke logging, and lateral network movement.


Protective Measures for Businesses

To mitigate the risk of these sophisticated attacks, organisations should consider the following steps:

Restrict External Communication in Microsoft Teams: Limit or block communication with external domains unless explicitly necessary.

Disable Quick Assist on Critical Systems: Prevent unauthorised remote access by disabling tools like Microsoft Quick Assist in environments where security is paramount.

Enhance Employee Training: Train staff to recognise phishing attempts, suspicious calls, and requests for remote access. Encourage them to verify the identity of any IT support representative who calls them, and create a checklist of things your internal IT support would never ask an employee to do.

Implement Advanced Security Protocols: Use multi-factor authentication (MFA), endpoint protection, and regular software updates to minimise vulnerabilities.

Monitor Anomalous Activity: Establish robust monitoring systems to detect unusual patterns, such as sudden spikes in email volume or unexpected external Teams calls.
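One way to implement the email-volume check described above, as an added example that is not from the article or from Sophos: a sliding-window detector in Python run over constructed mail-gateway log lines. The log format, the field names, the recipients and the 200-messages-in-45-minutes threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_line(line):
    """Parse 'YYYY-MM-DDTHH:MM:SS to=<rcpt> from=<sender>' into (timestamp, rcpt).
    The format is an assumption, not any real gateway's log layout."""
    ts_str, to_field, _from_field = line.split(" ", 2)
    return datetime.fromisoformat(ts_str), to_field.split("=", 1)[1]

def detect_mail_floods(lines, threshold=200, window_minutes=45):
    """Return {recipient: (window_start, peak_count)} for every recipient that
    receives more than `threshold` messages inside any `window_minutes` window."""
    window = timedelta(minutes=window_minutes)
    events = sorted(parse_line(l) for l in lines)   # gateway logs may be unordered
    recent = defaultdict(deque)                      # rcpt -> timestamps still in window
    alerts = {}
    for ts, rcpt in events:
        q = recent[rcpt]
        q.append(ts)
        while ts - q[0] > window:                    # evict messages older than the window
            q.popleft()
        if len(q) > threshold:                       # keep first breach start, track peak
            start, peak = alerts.get(rcpt, (q[0], 0))
            alerts[rcpt] = (start, max(peak, len(q)))
    return alerts

def build_sample_log():
    """Constructed sample: a 3,000-message flood to one user in under 45 minutes,
    a 150-message burst to another (below threshold), and ordinary traffic to a third."""
    base = datetime(2025, 1, 20, 9, 0, 0)
    lines = []
    for i in range(3000):                            # flood: one message every 0.9 s
        t = base + timedelta(seconds=i * 0.9)
        lines.append(f"{t.isoformat()} to=alice@example.com from=noreply{i}@example.net")
    for i in range(150):                             # burst that stays under threshold
        t = base + timedelta(minutes=i * 0.25)
        lines.append(f"{t.isoformat()} to=carol@example.com from=list{i}@example.org")
    for i in range(10):                              # normal: one message per hour
        t = base + timedelta(hours=i)
        lines.append(f"{t.isoformat()} to=bob@example.com from=colleague@example.com")
    return lines

if __name__ == "__main__":
    for rcpt, (start, n) in detect_mail_floods(build_sample_log()).items():
        print(f"ALERT {rcpt}: {n} messages in one window starting {start:%H:%M:%S}")
```

A flood alert like this is the cue to warn the affected user that a follow-up "IT support" call over Teams may be part of the same attack.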


Ransomware gangs continuously refine their methods, exploiting both human psychology and software vulnerabilities, so businesses must remain vigilant to mitigate the impact of an attack. Email bombing, Microsoft Teams impersonation, and malware deployment represent a formidable threat to businesses across the world. Implementing proactive security measures and building a culture of cybersecurity awareness within your organisation is the best way to defend against these evolving tactics.



from UC Today https://ift.tt/Ar0Es1d