Black Basta ransomware poses as IT support on Microsoft Teams to breach networks

October 25, 2024 at 05:12PM

Black Basta ransomware has shifted its social engineering tactics to Microsoft Teams, impersonating IT help desks to exploit employees. After inundating inboxes with emails, attackers contact users directly via Teams. Their goal is to trick employees into installing remote access tools, risking corporate networks. Organizations are advised to restrict external communication.

### Meeting Takeaways on Black Basta Ransomware Operations

1. **Transition to Microsoft Teams**:
– The Black Basta ransomware operation has shifted its social engineering tactics to Microsoft Teams, impersonating corporate help desks that offer to assist employees overwhelmed by spam attacks.

2. **Background on Black Basta**:
– Active since April 2022, the group is linked to hundreds of attacks globally.
– Emerged from the shutdown of the Conti cybercrime syndicate in June 2022.

3. **Attack Methods**:
– Breaches occur via vulnerabilities, partnerships with malware botnets, and social engineering techniques.
– The initial email-based attack strategy involved overwhelming targeted employees’ inboxes with benign but numerous emails.

4. **Initial Attack Steps**:
– Attackers call employees, posing as IT help desk personnel to assist with spam issues, coaxing the user into installing remote support tools such as AnyDesk or Quick Assist.
– These tools enable attackers to install various payloads like ScreenConnect, NetSupport Manager, and Cobalt Strike for continued access.

5. **Evolving Tactics** (October 2023):
– New tactics involve contacting employees directly through Microsoft Teams, instead of via phone.
– External user accounts are created to resemble help desk profiles, with names suggestive of IT support, to enhance the deception.
– Notable tactics include sending QR codes that link to unknown domains.

6. **Origin of Attackers**:
– External Microsoft Teams users have been identified originating from Russia, with Moscow time zone data frequently noted.

7. **Payloads Identified**:
– Recent installations by attackers include files named “AntispamAccount.exe,” “AntispamUpdate.exe,” and “AntispamConnectUS.exe,” with some linked to previous Black Basta activity.

8. **Recommendations for Organizations**:
– Restrict communication from external users in Microsoft Teams, only allowing trusted domains if necessary.
– Enable logging, especially for the ChatCreated event, to track and identify suspicious chat activities.
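As an added defender-side example (not code from the article), the following Python script turns the ChatCreated logging recommendation into a detection: it parses a constructed, simplified JSON-lines export of Teams audit records and flags chats initiated by external users, escalating those whose account names read like IT support. The tenant domain, the name patterns and the exact record layout are assumptions for illustration.

```python
import json
import re

# Assumption: the tenant's own domains; any other UPN domain is treated as external.
INTERNAL_DOMAINS = {"example.com"}

# Names and UPN prefixes suggestive of IT support (illustrative pattern, not exhaustive).
HELPDESK_RE = re.compile(r"help\s*desk|support|service\s*desk|it\s*admin|security\s*admin", re.I)

# Constructed sample in simplified JSON-lines form. Operation/UserId/Members follow the
# general shape of Microsoft 365 Teams audit records, but every value here is fabricated;
# the external domains are placeholders, not indicators from the article.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2024-10-25T14:02:11", "Operation": "ChatCreated", "UserId": "helpdesk@it-support-demo.example", "Members": [{"UPN": "helpdesk@it-support-demo.example", "DisplayName": "Help Desk", "Role": 1}, {"UPN": "alice@example.com", "DisplayName": "Alice Smith", "Role": 0}]}
{"CreationTime": "2024-10-25T14:05:40", "Operation": "ChatCreated", "UserId": "bob@example.com", "Members": [{"UPN": "bob@example.com", "DisplayName": "Bob Jones", "Role": 1}, {"UPN": "alice@example.com", "DisplayName": "Alice Smith", "Role": 0}]}
{"CreationTime": "2024-10-25T14:07:13", "Operation": "ChatCreated", "UserId": "carol@partner.example", "Members": [{"UPN": "carol@partner.example", "DisplayName": "Carol Lee", "Role": 1}, {"UPN": "alice@example.com", "DisplayName": "Alice Smith", "Role": 0}]}
{"CreationTime": "2024-10-25T14:09:02", "Operation": "MessageSent", "UserId": "alice@example.com"}
"""

def is_external(upn):
    """True when the UPN's domain is not one of the tenant's own domains."""
    return upn.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def classify_chat(record):
    """Return 'helpdesk_lure', 'external', or None for one audit record."""
    if record.get("Operation") != "ChatCreated":
        return None
    initiator = record.get("UserId", "")
    if not is_external(initiator):
        return None  # chat started by an internal user: expected behaviour
    # Check the initiator's UPN and the display names of all external members.
    names = [initiator] + [m.get("DisplayName", "") for m in record.get("Members", [])
                           if is_external(m.get("UPN", ""))]
    if any(HELPDESK_RE.search(n) for n in names):
        return "helpdesk_lure"
    return "external"

def find_suspicious_chats(log_text):
    """Parse a JSON-lines audit export and return findings for externally initiated chats."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        verdict = classify_chat(record)
        if verdict:
            findings.append({"time": record["CreationTime"], "initiator": record["UserId"], "verdict": verdict})
    return findings
```

Feeding an actual ChatCreated export to `find_suspicious_chats` yields one finding per externally initiated chat; the `helpdesk_lure` verdicts are the ones worth paging on first, while plain `external` hits help tune the trusted-domain allow list.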

### Action Items
– Enhance security protocols for communication tools like Microsoft Teams.
– Provide training to employees on identifying social engineering tactics.
– Regularly review and update security measures against evolving ransomware threats.
