The ransomware operator Black Basta has begun impersonating Microsoft Teams IT support teams in order to gain access to enterprise systems and data.
Black Basta is sending targeted employees thousands of emails and then posing as the Microsoft helpdesk to help them resolve the influx of spam.
Far from helping, it then gains remote access to their Windows devices, runs scripts to install payloads to keep remote access, and then spreads to other devices, gaining privileges, stealing their data, and even installing ransomware encryptors to take complete control of specific files.
According to the computer help forum Bleeping Computer, the criminal group has been active since April 2022 and is responsible for hundreds of attacks against corporations worldwide.
The US cybersecurity technology company, ReliaQuest, which uncovered the latest Black Basta social engineering attacks, shared its findings:
“This rapidly escalating campaign poses a significant threat to organisations.”
“The threat group is targeting many of our customers across diverse sectors and geographies with alarming intensity.”
“The sheer volume of activity is also unique; in one incident alone, we observed approximately 1,000 emails bombarding a single user within just 50 minutes.”
“Due to commonalities in domain creation and Cobalt Strike configurations, we attribute this activity to Black Basta with high confidence.”
Black Basta Ransomware on Teams
ReliaQuest researchers found that, since October, Black Basta has been using Teams to make contact.
As before, they begin by bombarding an employee’s inbox with emails. Then, instead of calling, they make contact as external Microsoft Teams users, pretending to be the IT help desk.
ReliaQuest lists examples of profile names used by Black Basta, all of which follow the “.onmicrosoft.com” naming convention: securityadminhelper.onmicrosoft[.]com, supportserviceadmin.onmicrosoft[.]com, supportadministrator.onmicrosoft[.]com, and cybersecurityadmin.onmicrosoft[.]com.
They also set their profile’s “DisplayName” to make themselves appear to be official support staff, using the string “Help Desk” surrounded by whitespace characters to centre the name within the chat.
Companies to have fallen victim to Black Basta so far include the UK water supplier Southern Water, insurance provider Corvus, and outsourcer Capita. Losses resulting from the ransomware attack on Capita, for example, are somewhere between $15 million and $20 million.
ReliaQuest’s Recommendations
ReliaQuest has advised companies to protect themselves against these kinds of threats by blocking all malicious domains and subdomains.
To prevent ransomware tactics that leverage Microsoft Teams and QR code phishing, communications with external users should be disabled from within Teams.
If communicating with external users is necessary, trusted domains can be added to an allowed list.
Aggressive anti-spam policies can help prevent spam from overloading inboxes.
Make sure logging is enabled for Teams to enable detection and investigations for these activities.
Current detection rules and security tools should be able to address threats like Impacket abuse and Cobalt Strike, as these are well-known tools used in ransomware attacks.
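The profile traits ReliaQuest describes (external senders from “.onmicrosoft.com” tenants named like IT support, and a “Help Desk” display name padded with whitespace) are simple to hunt for once Teams logging is on. The following is an added example, not ReliaQuest’s or Microsoft’s code: it runs that check over a few constructed, simplified chat events (the `sender`, `display_name` and `external` fields are assumed, not a real Microsoft 365 audit schema).

```python
import json
import re

# Constructed, simplified Teams chat events (not a real Microsoft 365 audit schema):
# one JSON record per line with the sender UPN, display name and an external flag.
SAMPLE_EVENTS = r"""
{"sender": "helpdesk@securityadminhelper.onmicrosoft.com", "display_name": "\u2003\u2003Help Desk\u2003\u2003", "external": true}
{"sender": "alice@partner-example.com", "display_name": "Alice Partner", "external": true}
{"sender": "bob@corp.example", "display_name": "Help Desk", "external": false}
{"sender": "admin@contoso.onmicrosoft.com", "display_name": "Help Desk", "external": true}
"""

# Words that appeared in the tenant names ReliaQuest reported; extend as needed.
SUPPORT_WORDS = ("admin", "support", "help", "security", "cyber")
ROLE_CLAIM = re.compile(r"help\s*desk", re.IGNORECASE)


def sender_indicators(event: dict) -> list[str]:
    """Return the impersonation indicators present on one Teams sender."""
    if not event.get("external"):
        return []  # only external (federated) senders are in scope
    reasons = []
    _, _, domain = event.get("sender", "").lower().rpartition("@")
    tenant = domain.removesuffix(".onmicrosoft.com")
    if tenant != domain and any(word in tenant for word in SUPPORT_WORDS):
        reasons.append(f"external onmicrosoft.com tenant named like IT support: {domain}")
    name = event.get("display_name", "")
    if ROLE_CLAIM.search(name):
        reasons.append("display name claims to be the help desk")
    if name != name.strip():  # strip() removes Unicode spaces such as U+2003 too
        reasons.append("display name padded with whitespace to centre it in chat")
    return reasons


def scan_events(raw: str) -> list[tuple[str, list[str]]]:
    """Parse newline-delimited JSON events and return (sender, reasons) for each flagged one."""
    flagged = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        reasons = sender_indicators(event)
        if reasons:
            flagged.append((event["sender"], reasons))
    return flagged


if __name__ == "__main__":
    for sender, reasons in scan_events(SAMPLE_EVENTS):
        print(sender)
        for reason in reasons:
            print("  -", reason)
```

Only external senders are scored, so an internal account genuinely named "Help Desk" is left alone; a trusted-domain allow list, as recommended above, would be the natural place to suppress known partners.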
ReliaQuest concludes: “To defend against these threats, organisations should ensure employees remain vigilant against current social engineering tactics by providing ongoing training and awareness programs that highlight the latest attacker threats and techniques.”
“This vigilance should be paired with a robust defence-in-depth strategy, incorporating multiple layers of security measures such as firewalls, intrusion detection systems, and regular security audits.”
“This approach will help identify and neutralise potential suspicious activity before it can cause any harm.”
This is not the first time Teams has been used as a vehicle for hackers to infiltrate corporate systems. In January, Microsoft disabled the ms-appinstaller protocol handler as the default because it had found evidence that the hackers had been exploiting the software to distribute malware.
Just two percent of organisations have “mature” cybersecurity readiness, according to Cisco’s 2024 Cybersecurity Readiness Index released in March this year.