
Black Basta Used Microsoft Teams to Snare Victims

Users were targeted via Teams, with attackers posing as corporate help desks.

Affiliates of the Black Basta ransomware gang have leveraged Microsoft Teams as part of their social engineering attacks.

ReliaQuest researchers observed Black Basta affiliates evolving their tactics in October to use Microsoft Teams, Bleeping Computer reported. The attackers pose as a corporate help desk and contact employees, offering to assist them with an ongoing spam attack.

The threat actors first overwhelm an employee's inbox with email, then contact the employee through Microsoft Teams using accounts created under Entra ID tenants that are named to appear to be a help desk.

Attackers lured targets into downloading AnyDesk or opening Quick Assist to facilitate the deployment of the payload, with one identified as the SystemBC malware previously leveraged by Black Basta. Cobalt Strike would then be installed on the targeted machine, enabling additional network compromise by providing continued remote access to the user's corporate device.

With access gained to the corporate network, they would spread laterally to other devices while elevating privileges, stealing data, and ultimately deploying the ransomware encryptor.
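The sequence described above (inbox flood, then a Teams chat from an external tenant named like a help desk, then AnyDesk or Quick Assist starting) can be correlated per user. The following is an added example, not code from ReliaQuest or Bleeping Computer; the event schema, keyword list, thresholds and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

T0 = datetime(2024, 10, 25, 9, 0)  # constructed timeline start

def ev(kind, user, minute, **kw):
    return {"kind": kind, "user": user, "ts": T0 + timedelta(minutes=minute), **kw}

# Constructed sample events in a hypothetical normalized schema (not a real log format).
EVENTS = (
    [ev("email_in", "alice", i / 6) for i in range(60)]  # 60 mails in 10 minutes
    + [ev("teams_chat", "alice", 14, external=True, sender="IT Help Desk"),
       ev("proc_start", "alice", 21, image="QuickAssist.exe")]
    + [ev("email_in", "bob", i) for i in range(3)]       # no flood, ordinary partner chat
    + [ev("teams_chat", "bob", 5, external=True, sender="Contoso Sales"),
       ev("proc_start", "bob", 9, image="AnyDesk.exe")]
    + [ev("email_in", "carol", i / 6) for i in range(60)]  # flood, but internal help desk
    + [ev("teams_chat", "carol", 14, external=False, sender="IT Help Desk"),
       ev("proc_start", "carol", 21, image="QuickAssist.exe")]
)

HELPDESK_WORDS = ("help desk", "helpdesk", "support", "service desk")  # assumed keywords
REMOTE_TOOLS = {"anydesk.exe", "quickassist.exe"}
FLOOD_COUNT, FLOOD_WINDOW = 50, timedelta(minutes=15)  # assumed thresholds
CHAIN_WINDOW = timedelta(hours=1)                      # assumed chat-to-tool window

def flooded(mails, at):
    """True if at least FLOOD_COUNT mails arrived in the FLOOD_WINDOW before `at`."""
    return sum(1 for m in mails if at - FLOOD_WINDOW <= m <= at) >= FLOOD_COUNT

def correlate(events):
    """Return (user, sender, tool) for each flood -> external chat -> remote tool chain."""
    alerts = []
    for user in sorted({e["user"] for e in events}):
        mine = sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
        mails = [e["ts"] for e in mine if e["kind"] == "email_in"]
        for chat in (e for e in mine if e["kind"] == "teams_chat"):
            lure = chat["external"] and any(w in chat["sender"].lower() for w in HELPDESK_WORDS)
            if not (lure and flooded(mails, chat["ts"])):
                continue
            for p in mine:
                if (p["kind"] == "proc_start" and p["image"].lower() in REMOTE_TOOLS
                        and chat["ts"] <= p["ts"] <= chat["ts"] + CHAIN_WINDOW):
                    alerts.append((user, chat["sender"], p["image"]))
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))
```

Only the user who meets all three conditions is flagged; a remote-support tool launch on its own, or an internal help desk chat during a flood, does not alert.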

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
