Ransomware attackers are “vishing” organizations via Microsoft Teams

The “email bombing + posing as tech support via Microsoft Teams” combination is proving fruitful for two threat actors looking to deliver ransomware to organizations, and they seem to be ramping up their efforts.

“Sophos MDR has observed more than 15 incidents involving these tactics in the past three months, with half of them in the past two weeks,” the company’s incident responders have warned today.

The threat actors are social-engineering their way in

To set the stage for a successful impersonation via Microsoft Teams, the attackers first bombard the target employee’s email inbox with a huge number of spam messages in a very short period of time.

The employee is stumped and alarmed; they may suspect that an attack is in progress and even report the matter to their IT department. Shortly after, they receive a call from tech support via Microsoft Teams and the caller asks them to allow remote access to their system so they can solve the problem.

Unfortunately for the employee and their organization, the “tech support” person who reached out via Teams is actually the threat actor, and the employee has effectively opened the door for them.

This tactic is not new, but Sophos’ report provided insight into why it succeeds: “As the [target] organization used a managed service provider for IT services, this did not set off red flags with the employee who accepted the [Microsoft Teams] video call [from an account named ‘Help Desk Manager’ from an external Microsoft 365 tenant].”

The priming of the target is crucial for a successful social engineering attack of this kind: Threat actors have previously impersonated HR departments warning about changes to vacation schedules to get employees to download malware, or even impersonated Microsoft to trick employees into giving them access to their M365 accounts.

In these latest campaigns, the attackers are counting on the employees’ distress and elation at having someone reach out to help to override their critical thinking capabilities and cautiousness.

The attack is also made possible by the target organizations’ failure to change the default Microsoft Teams configuration, thus allowing users on external domains to initiate chats or meetings with internal users.

The groups’ MO

Sophos’ experts have flagged two ongoing campaigns that use this tactic and linked them to two separate threat groups.

What they have in common is that they both operate their own Microsoft 365 instance, and use the email bombing tactic to prime the target employees to accept messages and calls from “tech support” via Teams.

One group – tracked as STAC5143, possibly related to FIN7 (though targeting orgs “smaller and in different business sectors than FIN7’s usual victims”) – tricks the targets into allowing a remote control session through Teams. They use this access to open a command shell and drop files and execute malware from an external SharePoint file store.

The other group – tracked as STAC5777, and using techniques, tools, and procedures similar to those used by Storm-1811 – instructs the target employee to download Microsoft’s Quick Assist remote access tool, and then proceeds to use the access to make configuration changes and deploy “a legitimate Microsoft updater with a malicious side-loading DLL that provides persistence, steals credentials, and allows for discovery of network resources.”

These attackers use RDP and Windows Remote Management to access other computers on the targeted network and, in one case, they deployed the Black Basta ransomware.

“We believe with high confidence that both sets of adversarial activity are parts of ransomware and data theft extortion efforts,” Sophos says.

The report includes additional technical details about the attacks and Sophos will publish associated indicators of compromise on their GitHub.

Their advice for cybersecurity defenders includes:

  • Preventing or limiting which outside organizations can reach out to employees via M365 (i.e., Teams)
  • Setting up policies to make sure that remote access applications can only be installed by the organization’s tech support team
  • Setting up monitoring of potentially malicious inbound Teams or Outlook traffic
  • Raising employee awareness of the outlined tactics.
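The first recommendation, restricting which external tenants can start Teams chats or calls with internal users, as an added PowerShell example that is not part of the Sophos report; it assumes the MicrosoftTeams module and Teams administrator rights, and "msp.example.com" is a placeholder for the organization's actual managed service provider domain.

```powershell
# Added example: replace the default "any external domain may contact our users"
# Teams federation setting with an explicit allow list.
# Assumes the MicrosoftTeams PowerShell module is installed and the account
# used has Teams administrator rights.
Connect-MicrosoftTeams

# 1. Review the current external access (federation) settings. Out of the box,
#    AllowedDomains permits every external Microsoft 365 tenant to start a chat
#    or call with internal users, which is what the impersonation relies on.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Build an allow list containing only the tenants that legitimately need to
#    reach employees, e.g. the organization's managed service provider.
#    "msp.example.com" is a placeholder and must be replaced with the real domain.
$mspDomain = New-CsEdgeDomainPattern -Domain "msp.example.com"
$allowList = New-CsEdgeAllowList -AllowedDomain $mspDomain

Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomains $allowList

# 3. Also stop inbound chats and calls from personal (consumer) Teams accounts,
#    which require no Microsoft 365 tenant at all. This goes slightly beyond
#    the page's advice but closes the same class of unsolicited contact.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 4. Confirm the change before ending the session; policy changes can take
#    some time to propagate to all clients.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

After the change, a call from an account such as the "Help Desk Manager" in an unlisted external tenant is refused at the tenant boundary rather than left to the employee's judgement.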