Black Basta operators phish employees via Microsoft Teams

Black Basta ransomware affiliates are still trying to trick enterprise employees into installing remote access tools by posing as help desk workers, now also via Microsoft Teams.

Phishing via MS Teams

Earlier this year, Rapid7 warned about Black Basta using the following social engineering trick: they flood the target employee’s email inbox with spam – typically from automated systems or services that send confirmations or notifications – and then phone them to offer assistance, while posing as their organization’s IT help desk.

Recently, though, they’ve also started using Microsoft Teams to reach out to potential victims.

“After mass email spam events, the targeted users were added to Microsoft Teams chats with external users. These external users operated from Entra ID tenants they created to pose as support, admin, or help-desk staff,” ReliaQuest researchers discovered.

Domains seen include:

  • securityadminhelper.onmicrosoft[.]com
  • supportserviceadmin.onmicrosoft[.]com
  • supportadministrator.onmicrosoft[.]com
  • cybersecurityadmin.onmicrosoft[.]com

“In almost all instances we’ve observed, the display name included the string ‘Help Desk,’ often surrounded by whitespace characters, which is likely to center the name within the chat. We also observed that, typically, targeted users were added to a ‘OneOnOne’ chat,” the researchers noted.

The ultimate goal is to get the targeted employees to install remote monitoring and management tools such as QuickAssist or AnyDesk, ostensibly to facilitate support and remediation, but actually to gain initial access to the targeted environment and install credential-grabbing malware and network mapping tools.

The targets are also directed to domains hosting pages featuring QR codes, but their function is still unknown. “It is realistically possible that the codes direct users to further malicious infrastructure,” the researchers added.

Advice for organizations

Spamming email inboxes is easily achieved via email spam services offered on the dark web. Reaching out to the targeted employees via Microsoft Teams is easy if their organization hasn’t disabled or limited communication from external tenants/domains within Teams. (Even malware delivery via Teams is possible.)

The researchers have attributed these attacks to Black Basta due to “commonalities in domain creation and Cobalt Strike configurations”. Unfortunately, they are not the only threat actor to use this avenue of attack.

ReliaQuest researchers advise organizations to disable communication from external users within Teams or to only allow contact from specific trusted domains.

They should also tweak their email anti-spam policies, keep logging enabled for Teams (to facilitate investigation), create rules for flagging specific phishing chat requests and post-exploitation activities, and educate their employees about the latest threats.
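As an added example (not code from the ReliaQuest or Rapid7 reports), the Python below turns the indicators described above into a triage rule over Teams chat-membership records: an external tenant, a "Help Desk" display name padded with whitespace, a OneOnOne chat, and a lookalike *.onmicrosoft.com tenant. The record fields and the sample events are constructed for illustration, not a real audit-log schema.

```python
import re
from dataclasses import dataclass

# Vocabulary the lookalike tenants in the report borrowed for their names.
SUSPICIOUS_TENANT_WORDS = ("help", "support", "admin", "security", "cyber")
TENANT_RE = re.compile(r"^[a-z0-9-]+\.onmicrosoft\.com$")

@dataclass
class ChatEvent:
    """Simplified, assumed shape of a 'member added to chat' record."""
    chat_type: str        # e.g. "OneOnOne" or "Group"
    is_external: bool     # member joined from another Entra ID tenant
    display_name: str     # display name as shown in the chat
    domain: str           # member's tenant domain (may be defanged with [.])

def score_event(ev: ChatEvent) -> list[str]:
    """Return the list of indicator names the event matches (empty = clean)."""
    hits = []
    if ev.is_external:
        hits.append("external-tenant")
        if ev.chat_type == "OneOnOne":
            hits.append("external-one-on-one")
    name = ev.display_name
    if "help desk" in name.strip().lower():
        hits.append("helpdesk-name")
        # Leading/trailing or repeated whitespace (incl. NBSP) used to
        # center the name in the chat header.
        if name != name.strip() or re.search(r"\s{2,}", name):
            hits.append("padded-name")
    dom = ev.domain.strip().lower().replace("[.]", ".")
    if TENANT_RE.match(dom):
        label = dom.split(".")[0]
        if any(w in label for w in SUSPICIOUS_TENANT_WORDS):
            hits.append("lookalike-tenant")
    return hits

def is_suspicious(ev: ChatEvent) -> bool:
    """External sender that either pairs a help-desk persona with a lookalike
    tenant, or pads its display name, is flagged for analyst review."""
    h = set(score_event(ev))
    return "external-tenant" in h and (
        {"helpdesk-name", "lookalike-tenant"} <= h or "padded-name" in h)

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    ChatEvent("OneOnOne", True, "\u00a0\u00a0 Help Desk \u00a0\u00a0",
              "securityadminhelper.onmicrosoft[.]com"),   # attacker pattern
    ChatEvent("Group", False, "Jane Doe", "contoso.onmicrosoft.com"),  # internal
    ChatEvent("OneOnOne", True, "Help Desk", "partner-example.com"),   # partner
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_suspicious(ev), score_event(ev))
```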

Rapid7 previously advised organizations to block the execution of unapproved RMM solutions and to have established and defined channels/methods employees can use to contact their IT department.
