Ethical Hacking News
Black Basta ransomware has adapted its tactics once again, exploiting Microsoft Teams as a vector for social engineering attacks that pose as corporate IT support. Organizations must remain vigilant and adapt their security measures to counter this evolving threat.
The Black Basta ransomware operation has adapted its tactics to exploit Microsoft Teams, marking a significant escalation in its efforts to breach corporate networks. The attackers pose as IT support representatives and contact employees via Microsoft Teams, impersonating a corporate help desk. They create external user accounts that resemble legitimate help-desk IDs, making it appear as though the employee is communicating with a trusted IT representative. The attackers trick employees into installing remote support software or granting remote access to their Windows devices, allowing them to spread laterally through the network. Organizations are advised to restrict communication from external users in Microsoft Teams, enable logging for suspicious chats, and take other precautions to reduce their risk of falling prey to Black Basta's tactics.
In a recent development that highlights the ever-evolving nature of cyber threats, researchers at ReliaQuest have observed the Black Basta ransomware operation adapting its tactics to exploit the Microsoft Teams platform. This new social engineering attack vector marks a significant escalation in the group's efforts to breach corporate networks and encrypt sensitive data.
As part of its ongoing campaign against various corporations worldwide, the Black Basta ransomware operation has moved from traditional email-based attacks to a more sophisticated method involving Microsoft Teams. The attackers pose as IT support representatives, contacting employees who have been inundated with thousands of emails that appear to be newsletters, sign-up confirmations, and email verifications. Once an employee is overwhelmed by these messages, the attackers make contact through Microsoft Teams, impersonating a corporate help desk.
The attackers create external user accounts under Entra ID tenants named to resemble legitimate help-desk IDs, such as securityadminhelper.onmicrosoft.com or supportserviceadmin.onmicrosoft.com. These profiles are set up with display names that include the string "Help Desk," often surrounded by whitespace characters, making it appear as though the employee is communicating with a trusted IT representative.
In most instances observed by ReliaQuest researchers, targeted users were added to a "OneOnOne" chat. This tactic allows the attackers to engage in private conversations with employees, further convincing them of their legitimacy. In some of these chats the attackers also sent malicious QR codes that lead to domains such as qr-s1[.]com; the purpose of these QR codes remains unclear.
Once an employee falls prey to this social engineering assault, the attackers trick them into installing AnyDesk remote support software or providing remote access to their Windows devices by launching the Windows Quick Assist remote control and screen-sharing tool. From there, a script is run that installs various payloads, including ScreenConnect, NetSupport Manager, and Cobalt Strike.
These payloads provide continued remote access to the compromised device, allowing Black Basta affiliates to spread laterally through the network, elevate privileges, steal sensitive data, and ultimately deploy the ransomware encryptor. The use of Microsoft Teams as a vector for this attack is particularly noteworthy, as it underscores the ever-evolving nature of cyber threats and the importance of vigilance in defending against these types of social engineering campaigns.
In light of this development, organizations are advised to take immediate action to protect themselves against this new threat vector. ReliaQuest recommends that companies restrict communication from external users in Microsoft Teams and, if required, only allow it from trusted domains. Logging should also be enabled, especially for the ChatCreated event, to find suspicious chats. By taking these precautions, organizations can significantly reduce their risk of falling prey to Black Basta's latest social engineering tactics.
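As an added example (not code from the article, from ReliaQuest, or from Microsoft), the following Python script applies the detection advice above to constructed ChatCreated audit records. It flags chats that include a member from an untrusted external domain, particularly one whose display name reads "Help Desk" or "IT Support" once whitespace is normalised or that is padded with (possibly non-ASCII) whitespace, and notes when the chat is OneOnOne. The record field names (Operation, CommunicationType, ChatThreadId, Members with DisplayName and UPN), the domain lists and the sample log entries are assumptions constructed for illustration; compare them against your own tenant's unified audit log export before relying on them.

```python
"""Flag Teams ChatCreated audit events matching the help-desk impersonation
pattern: an untrusted external member, a 'Help Desk'-style display name
(often padded with whitespace) and a OneOnOne chat.

The record layout is a simplified, constructed approximation of Microsoft 365
unified audit log entries; the field names are assumptions, not a spec."""
import json
import re
from typing import Iterable, List, Optional

# Assumed organisation domains and the external domains it chooses to trust.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_EXTERNAL_DOMAINS = {"partner.example.net"}

# Display names used to pose as internal support, matched after normalisation.
HELPDESK_PATTERN = re.compile(
    r"\b(help ?desk|it support|support desk|service desk)\b", re.I
)


def normalize_display_name(name: str) -> str:
    """Collapse every Unicode whitespace run to one space and strip both ends.
    str.split() with no argument splits on all Unicode whitespace (e.g. U+3000)."""
    return " ".join(name.split())


def has_padding_whitespace(name: str) -> bool:
    """Leading/trailing whitespace or any non-ASCII whitespace character."""
    if name != name.strip():
        return True
    return any(ch.isspace() and ord(ch) > 0x7F for ch in name)


def domain_of(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower()


def is_untrusted_external(upn: str) -> bool:
    """External to the organisation and not on the trusted-domain allowlist."""
    return domain_of(upn) not in (INTERNAL_DOMAINS | TRUSTED_EXTERNAL_DOMAINS)


def evaluate_chat(record: dict) -> Optional[dict]:
    """Return a finding for one ChatCreated record, or None if it looks benign."""
    if record.get("Operation") != "ChatCreated":
        return None
    reasons: List[str] = []
    lookalike = False
    for member in record.get("Members", []):
        upn = member.get("UPN", "")
        name = member.get("DisplayName", "")
        if not is_untrusted_external(upn):
            continue
        reasons.append(f"untrusted external member {upn}")
        if HELPDESK_PATTERN.search(normalize_display_name(name)):
            reasons.append(f"help-desk lookalike display name {name!r}")
            lookalike = True
        if has_padding_whitespace(name):
            reasons.append("display name padded with whitespace")
            lookalike = True
    if not reasons:
        return None
    if record.get("CommunicationType") == "OneOnOne":
        reasons.append("OneOnOne chat (private 1:1 with the target)")
    return {
        "ChatThreadId": record.get("ChatThreadId"),
        "severity": "high" if lookalike else "medium",
        "reasons": reasons,
    }


def scan_audit_log(lines: Iterable[str]) -> List[dict]:
    """Evaluate a JSON-lines audit export and return all findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = evaluate_chat(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample export (JSON lines); not data from any real tenant.
SAMPLE_LOG = r'''
{"Operation":"ChatCreated","CommunicationType":"OneOnOne","ChatThreadId":"19:chat-0001","Members":[{"DisplayName":"Alice Example","UPN":"alice@example.com"},{"DisplayName":"Bob Example","UPN":"bob@example.com"}]}
{"Operation":"ChatCreated","CommunicationType":"OneOnOne","ChatThreadId":"19:chat-0002","Members":[{"DisplayName":"  Help Desk  ","UPN":"admin@securityadminhelper.onmicrosoft.com"},{"DisplayName":"Alice Example","UPN":"alice@example.com"}]}
{"Operation":"ChatCreated","CommunicationType":"GroupChat","ChatThreadId":"19:chat-0003","Members":[{"DisplayName":"Partner Contact","UPN":"pm@partner.example.net"},{"DisplayName":"Bob Example","UPN":"bob@example.com"}]}
{"Operation":"ChatCreated","CommunicationType":"OneOnOne","ChatThreadId":"19:chat-0004","Members":[{"DisplayName":"\u3000IT Support\u3000","UPN":"it@supportserviceadmin.onmicrosoft.com"},{"DisplayName":"Carol Example","UPN":"carol@example.com"}]}
{"Operation":"MessageSent","ChatThreadId":"19:chat-0002","UserId":"admin@securityadminhelper.onmicrosoft.com"}
'''

if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding, ensure_ascii=False))
```

Run against the embedded sample, the script reports only chats 0002 and 0004 as high severity: the internal chat and the chat with the allowlisted partner domain produce no finding, and non-ChatCreated operations are ignored. Feeding it a real export means mapping the tenant's actual field names onto the ones assumed here and populating the two domain sets from the organisation's Teams external access configuration.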
In conclusion, the recent evolution of Black Basta ransomware tactics into Microsoft Teams represents a serious escalation in the group's efforts to breach corporate networks and encrypt sensitive data. As the threat landscape continues to evolve, it is essential for organizations to stay vigilant and adapt their security measures accordingly. By understanding the tactics employed by cyber threats like Black Basta, businesses can take proactive steps to protect themselves against these types of attacks.
Related Information:
https://www.bleepingcomputer.com/news/security/black-basta-ransomware-poses-as-it-support-on-microsoft-teams-to-breach-networks/
https://malwaretips.com/threads/black-basta-ransomware-poses-as-it-support-on-microsoft-teams-to-breach-networks.133409/
https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/
https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708-cve-2024-1709/
Published: Sat Oct 26 10:11:53 2024 by llama3.2 3B Q4_K_M