ReliaQuest researchers observed Black Basta affiliates relying on Microsoft Teams to gain initial access to target networks.
ReliaQuest researchers warn that Black Basta ransomware affiliates switched to Microsoft Teams, posing as IT support to deceive employees into granting access.
The BlackBasta ransomware operators were spotted posing as corporate help desks and contacting employees to help them mitigate an ongoing spam attack.
Threat actors flood an employee’s inbox with emails, then impersonate IT support on Microsoft Teams to offer “help” with the spam issue.
“Their previous approach involved overwhelming users with email spam, prompting them to create a legitimate help-desk ticket to resolve the issue. The attacker would then contact the end user, posing as the help desk, to respond to the ticket.” reads the report published by ReliaQuest. “In more recent incidents, attackers have advanced their tactics by using Microsoft Teams chat messages to communicate with targeted users and incorporating malicious QR codes to facilitate initial access.”
The threat actors attempt to trick users into downloading remote monitoring and management (RMM) tools like AnyDesk, and once gained initial access to the targeted environment to deploy ransomware.
The researchers pointed out that the volume of the message sent to the potential victims is very high; in one instance they observed approximately 1,000 emails sent to a single user within just 50 minutes.
The attackers added the targeted users to Microsoft Teams chats with external users. These external users operated from Entra ID tenants they created using a naming convention to pose as support, admin, or help-desk staff.
Below are some of the tenants used by attackers:
- cybersecurityadmin.onmicrosoft[.]com
- securityadminhelper.onmicrosoft[.]com
- supportserviceadmin.onmicrosoft[.]com
- supportadministrator.onmicrosoft[.]com
“These external users set their profiles to a “DisplayName” designed to make the targeted user think they were communicating with a help-desk account.” continues the report. “In almost all instances we’ve observed, the display name included the string “Help Desk,” often surrounded by whitespace characters, which is likely to center the name within the chat. We also observed that, typically, targeted users were added to a “OneOnOne” chat.”
Threat actors also sent QR codes in the chats as part of Quishing attempts.
The experts highly confidently attributed the attack to Black Basta based on commonalities in domain creation and Cobalt Strike configurations.
The experts observed that the operations of the external users generally originated from Russia, with the Moscow time zone.
After gaining access, attackers deploy malicious files, including proxy malware and Cobalt Strike, to deepen network infiltration. Experts advise restricting external Microsoft Teams communications and logging suspicious chat activities for improved security.
“This campaign is still evolving, with Black Basta demonstrating their ability to rapidly adapt their TTPs, likely to thwart defenders and buy themselves more time in networks to further their attacks.” concludes the report. “While their initial access methods have changed, their post-exploitation activities are likely to remain consistent with previously observed patterns, which are covered by existing security tools and detections rules.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Microsoft Teams)