How Black Basta Ransomware Exploits Microsoft Teams: IT Support Impersonation Tactics to Breach Networks

Black Basta Ransomware Poses as IT Support on Microsoft Teams

Source: BleepingComputer

Overview of the Threat

The Black Basta ransomware operation has moved its social engineering onto Microsoft Teams, masquerading as corporate help desks and contacting employees under the guise of resolving spam issues. This marks a significant evolution in the group's tactics.

Operational Background

  • Active since April 2022, Black Basta has conducted numerous attacks on global corporations.
  • Emerging from the shutdown of the Conti cybercrime group, Black Basta has taken on new forms, using diverse infiltration methods.

New Tactics Using Microsoft Teams

  • The attackers first flood employees' inboxes with benign emails, then contact them via Teams, impersonating IT support.
  • They create fake accounts under Entra ID, naming them to appear as help desk contacts.
  • Common display names include variations of "Help Desk" to mislead the target.

Execution of Attacks

To gain control over corporate networks, the attackers use various methods:

  • Engaging in voice social engineering to persuade victims to install remote access tools such as AnyDesk.
  • Using Windows Quick Assist to gain remote access to devices.
  • Post-infection, they deploy scripts and malware like Cobalt Strike, enhancing their foothold within the network.

Recommendations for Organizations

To mitigate this threat, organizations should:

  • Restrict communications from external Teams users and permit only trusted domains.
  • Enable logging to monitor unusual chat activity, especially for new conversations.
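Both recommendations can be combined into one triage rule over chat logs. The following is an added example, not code from the original article: it flags new chats opened by external senders who are outside the trusted-domain list or who use a "Help Desk" style display name. The event schema, field names, and domains are constructed for illustration and are not the Microsoft 365 audit log format.

```python
import json
import re

# Assumptions for this example: the tenant's own domain and the external
# domains explicitly allowed to chat with employees.
INTERNAL_DOMAIN = "corp.example"
TRUSTED_DOMAINS = {"partner.example"}

# Constructed sample events in a simplified, hypothetical schema
# (not the Microsoft 365 audit log format).
SAMPLE_LOG = """
{"event": "chat_created", "sender": "amy@corp.example", "display_name": "Amy Lee", "recipient": "bob@corp.example"}
{"event": "chat_created", "sender": "svc@unknown-tenant.example", "display_name": "Help Desk", "recipient": "carol@corp.example"}
{"event": "chat_created", "sender": "dana@partner.example", "display_name": "Dana Ortiz", "recipient": "bob@corp.example"}
{"event": "chat_created", "sender": "it@partner.example", "display_name": "HELP-DESK  Support", "recipient": "erin@corp.example"}
{"event": "message_sent", "sender": "x@unknown-tenant.example", "display_name": "Sales", "recipient": "bob@corp.example"}
{"event": "chat_created", "sender": "helpdesk@corp.example", "display_name": "IT Help Desk", "recipient": "carol@corp.example"}
"""


def normalize(name):
    """Drop case, spacing and punctuation so 'Help Desk' variants compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.casefold())


def triage(log_text):
    """Return one alert per new chat opened by a suspicious external sender."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event") != "chat_created":  # only new conversations
            continue
        domain = event["sender"].rsplit("@", 1)[-1].lower()
        if domain == INTERNAL_DOMAIN:
            continue
        reasons = []
        if domain not in TRUSTED_DOMAINS:
            reasons.append("sender domain not on the trusted list")
        if "helpdesk" in normalize(event.get("display_name", "")):
            reasons.append("external account using a help desk display name")
        if reasons:
            alerts.append({"recipient": event["recipient"], "sender": event["sender"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

A help desk display name is flagged even when it comes from a trusted partner domain, since the organization's own help desk would be an internal account.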