October 25, 2024 at 04:57PM
Black Basta ransomware is evolving, using Microsoft Teams for social engineering attacks by impersonating IT help desk personnel. Attackers overwhelm employees’ inboxes, then contact them via Teams to gain remote access and install malicious payloads, ultimately deploying ransomware. Organizations are advised to restrict external communication in Teams and enable logging.
### Meeting Takeaways on Black Basta Ransomware Operations
**Overview of Black Basta:**
– Active since April 2022 and linked to numerous ransomware attacks globally.
– Emerged from the fragmentation of the Conti cybercrime syndicate after its shutdown in June 2022.
**Attack Methods:**
– Gains initial access through various means, including exploited vulnerabilities, malware botnets, and social engineering.
– Recent campaigns flood targeted employees’ inboxes with non-malicious emails (newsletters, sign-up confirmations, etc.) so that the victim is primed to accept an unsolicited “help desk” contact.
**Social Engineering Tactics:**
– Attackers first contact employees via voice calls, impersonating IT help desk staff and offering to fix the spam problem they created.
– Utilize tools like AnyDesk and Windows Quick Assist to gain remote access for installing harmful payloads (e.g., ScreenConnect, Cobalt Strike).
**Evolution of Tactics:**
– As of October, Black Basta has shifted to utilizing Microsoft Teams for communications.
– Attackers create fake help desk accounts under Entra ID tenants and add misleading DisplayNames to appear legitimate.
**Specifics of Microsoft Teams Attacks:**
– Conversations typically initiated in a “OneOnOne” chat.
– Use of QR codes directing to suspicious domains noted, but their purpose is currently unclear.
– Activities traced back to Russian-origin external users.
**Payloads Noted:**
– Common files observed: “AntispamAccount.exe,” “AntispamUpdate.exe,” and “AntispamConnectUS.exe,” with some identified as proxy malware offering network proxies.
**Recommendations for Organizations:**
– Limit external communication on Microsoft Teams to trusted domains only.
– Enable logging for Microsoft Teams so that suspicious chat activity (in particular one-on-one chats initiated by external users) can be reviewed and alerted on.
– Be vigilant about unusual communications and prioritize security measures to avert further exploitation.
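The two Teams recommendations above can be turned into a simple detection over exported audit records: flag one-on-one chats with an external participant whose domain is not on the trusted list, or whose DisplayName mimics internal support staff. This is an added example, not code from the original article or from Microsoft; the record shape (Operation, CommunicationType, ParticipantInfo, Members) follows the Teams audit-log schema as the author understands it, and all sample values are constructed.

```python
from typing import Iterable

# DisplayName fragments that imitate internal support; tune per tenant (assumption).
SUSPICIOUS_NAME_FRAGMENTS = ("help desk", "helpdesk", "it support", "it admin")

# Constructed sample records in the shape of Teams events from the
# Microsoft 365 unified audit log. Domains and names are made up.
SAMPLE_LOG = [
    {"Operation": "ChatCreated", "CommunicationType": "OneOnOne",
     "ParticipantInfo": {"HasForeignTenantUsers": True},
     "Members": [{"DisplayName": "Help Desk", "UPN": "svc01@external-tenant.example"},
                 {"DisplayName": "Alice", "UPN": "alice@contoso.example"}]},
    {"Operation": "ChatCreated", "CommunicationType": "OneOnOne",
     "ParticipantInfo": {"HasForeignTenantUsers": False},
     "Members": [{"DisplayName": "IT Help Desk", "UPN": "helpdesk@contoso.example"},
                 {"DisplayName": "Alice", "UPN": "alice@contoso.example"}]},
    {"Operation": "ChatCreated", "CommunicationType": "OneOnOne",
     "ParticipantInfo": {"HasForeignTenantUsers": True},
     "Members": [{"DisplayName": "Bob", "UPN": "bob@partner.example"},
                 {"DisplayName": "Alice", "UPN": "alice@contoso.example"}]},
    {"Operation": "ChatCreated", "CommunicationType": "GroupChat",
     "ParticipantInfo": {"HasForeignTenantUsers": True},
     "Members": [{"DisplayName": "Help Desk", "UPN": "x@external-tenant.example"}]},
]


def flag_external_helpdesk_chats(records: Iterable[dict], internal_domains: set,
                                 trusted_domains: set) -> list:
    """Return (upn, display_name, reason) for external members of new one-on-one
    chats that are either from an untrusted domain or impersonate support staff."""
    hits = []
    for rec in records:
        if rec.get("Operation") != "ChatCreated":
            continue
        if rec.get("CommunicationType") != "OneOnOne":
            continue  # the observed lure starts as a OneOnOne chat
        if not rec.get("ParticipantInfo", {}).get("HasForeignTenantUsers"):
            continue  # purely internal chat, out of scope here
        for member in rec.get("Members", []):
            upn = member.get("UPN", "")
            domain = upn.rsplit("@", 1)[-1].lower()
            if domain in internal_domains:
                continue
            name = member.get("DisplayName", "")
            if domain not in trusted_domains:
                hits.append((upn, name, "external domain not on trusted list"))
            elif any(frag in name.lower() for frag in SUSPICIOUS_NAME_FRAGMENTS):
                hits.append((upn, name, "trusted domain but support-like DisplayName"))
    return hits
```

Run the function over a daily export of ChatCreated events; the first reason disappears once external access is restricted to trusted domains, leaving the DisplayName check for partners that are allowed.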