Users were targeted via Teams, with attackers posing as corporate help desks.
Affiliates of the Black Basta ransomware gang have leveraged Microsoft Teams as part of their social engineering attacks.
ReliaQuest researchers observed Black Basta affiliates evolving their tactics in October to use Microsoft Teams, Bleeping Computer reported. The attackers pose as corporate help desks and contact employees, offering to assist them with an ongoing spam attack.
The threat actors first overwhelm an employee's inbox with email, then contact employees through Microsoft Teams using accounts created under Entra ID tenants that are named to appear to be help desk.
Attackers lured targets into downloading AnyDesk or opening Quick Assist to facilitate deployment of the payload, one of which was identified as the SystemBC malware previously leveraged by Black Basta. Installing Cobalt Strike on the targeted machine would then enable additional network compromise by providing continued remote access to the user's corporate device.
With access gained to the corporate network, they would spread laterally to other devices while elevating privileges, stealing data, and ultimately deploying the ransomware encryptor.
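The sequence described above (inbox flood, then a Teams chat from an external help-desk-named tenant, then Quick Assist or AnyDesk starting) can be correlated per user for detection. The sketch below is an added example, not code from the article or from ReliaQuest; the event schema, thresholds, name pattern and tenant names are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta
# Hypothetical normalized event schema; real mail, Teams and EDR logs differ.
HELPDESK = re.compile(r"help\s*desk|service\s*desk|it\s*support", re.I)
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}  # tools named in the article

def detect(events, internal_tenant, flood_min=50,
           flood_span=timedelta(minutes=10), window=timedelta(hours=2)):
    """Flag users with email flood -> external help-desk chat -> remote tool."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)
    hits = []
    for user, evs in by_user.items():
        mails = [e["ts"] for e in evs if e["kind"] == "email_in"]
        # Time at which flood_min inbound mails had arrived within flood_span.
        flood_at = next((mails[i + flood_min - 1]
                         for i in range(len(mails) - flood_min + 1)
                         if mails[i + flood_min - 1] - mails[i] <= flood_span), None)
        if flood_at is None:
            continue
        # First chat after the flood from outside our tenant with a help-desk name.
        chat_at = next((e["ts"] for e in evs if e["kind"] == "teams_chat"
                        and e["tenant"] != internal_tenant
                        and HELPDESK.search(e["name"])
                        and flood_at <= e["ts"] <= flood_at + window), None)
        if chat_at is None:
            continue
        tool = next((e["name"].lower() for e in evs if e["kind"] == "process"
                     and e["name"].lower() in REMOTE_TOOLS
                     and chat_at <= e["ts"] <= chat_at + window), None)
        if tool:
            hits.append((user, tool))
    return hits

def sample_events():
    """Constructed data: alice full chain, carol internal chat, bob no flood."""
    t0 = datetime(2024, 10, 1, 9, 0)  # constructed timestamp
    ev = [{"ts": t0 + timedelta(seconds=5 * i), "user": u, "kind": "email_in"}
          for u in ("alice", "carol") for i in range(60)]
    for user, tenant, proc in (("alice", "ext-tenant", "QuickAssist.exe"),
                               ("carol", "corp-tenant", "AnyDesk.exe"),
                               ("bob", "ext-tenant", "AnyDesk.exe")):
        ev.append({"ts": t0 + timedelta(minutes=20), "user": user,
                   "kind": "teams_chat", "tenant": tenant, "name": "Help Desk"})
        ev.append({"ts": t0 + timedelta(minutes=30), "user": user,
                   "kind": "process", "name": proc})
    return ev

if __name__ == "__main__":
    print(detect(sample_events(), internal_tenant="corp-tenant"))
```

Requiring all three stages in order keeps routine help-desk remote sessions and ordinary spam bursts from alerting on their own.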
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.