BIGFISH TECHNOLOGY LIMITED
28 October 2024

The operators of the Black Basta ransomware use Microsoft Teams to penetrate companies.

The well-known ransomware group "Black Basta" has increased its use of social engineering to gain unauthorized access to organizations' sensitive systems and data.

Black Basta, previously known for overwhelming users with email spam and then posing as legitimate help-desk staff, has now advanced its techniques.

In recent incidents, the attackers have been using Microsoft Teams chat messages to communicate with targeted users, adding them to chats with external users operating from fraudulent Entra ID tenants.

These external users, posing as support, admin, or help-desk personnel, utilize display names intended to trick targeted users into thinking they are dealing with legitimate help-desk accounts.

ReliaQuest's investigation found that the attackers' operations were frequently initiated from Russia, with time zone data captured by Teams frequently mentioning Moscow.

In addition to using Microsoft Teams, Black Basta has incorporated QR codes into its phishing strategy. Targeted individuals receive QR codes in these chats that are disguised as legitimately branded company QR code graphics.

The domains used for this QR code phishing activity are customized to match the target organization, with subdomains following a predetermined naming convention.

While the specific function of these QR codes is unknown, it is assumed that they direct users to further malicious infrastructure, setting the stage for subsequent social engineering tactics and the deployment of remote monitoring and management (RMM) tools.

The Black Basta campaign poses a major threat to companies from a variety of industries and regions.

ReliaQuest has observed a concerning level of activity from the group, including one instance where a single user was inundated with about 1,000 emails in a span of 50 minutes.

Once malicious files downloaded through the RMM tools are successfully executed, the result is Cobalt Strike beaconing and the use of Impacket modules for lateral movement within compromised networks.

Deployment of ransomware is most likely the final objective of these attacks.

Recommended Mitigations:
To tackle this expanding threat, ReliaQuest proposes several measures:

  • Blocking known harmful domains and subdomains
  • Disabling communication from external users in Microsoft Teams, or permitting only certain trusted domains
  • Implementing stringent anti-spam policies in email security tools
  • Enabling logging for Microsoft Teams, specifically the ChatCreated event, to facilitate detection and investigation
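To illustrate the last two points, here is an added detection example (not from the article or ReliaQuest) that scans ChatCreated events for chats involving an external tenant that is not on a trusted-domain allowlist and whose participant display names mimic IT support staff. The audit records are constructed samples, and the field names (Operation, UserId, Members, UPN, DisplayName) and the domains are assumptions to adapt to your own log export.

```python
import json

ORG_DOMAIN = "example.com"                 # assumed: the defender's own tenant
TRUSTED_DOMAINS = {"partner.example.org"}  # assumed: vetted external tenants
HELPDESK_WORDS = ("help desk", "helpdesk", "support", "admin", "it service")

# Constructed sample records, one JSON object per line; not real audit output.
# Field names are assumptions about how ChatCreated events are exported.
SAMPLE_LOG = "\n".join([
    '{"Operation": "ChatCreated", "CreationTime": "2024-10-28T09:01:00Z",'
    ' "UserId": "it@contoso-help-desk.onmicrosoft.com", "Members": ['
    '{"UPN": "it@contoso-help-desk.onmicrosoft.com", "DisplayName": "Help Desk Manager"},'
    '{"UPN": "alice@example.com", "DisplayName": "Alice Smith"}]}',
    '{"Operation": "ChatCreated", "CreationTime": "2024-10-28T09:05:00Z",'
    ' "UserId": "bob@example.com", "Members": ['
    '{"UPN": "bob@example.com", "DisplayName": "Bob Jones"},'
    '{"UPN": "alice@example.com", "DisplayName": "Alice Smith"}]}',
    '{"Operation": "ChatCreated", "CreationTime": "2024-10-28T09:07:00Z",'
    ' "UserId": "carol@partner.example.org", "Members": ['
    '{"UPN": "carol@partner.example.org", "DisplayName": "Carol (Support)"},'
    '{"UPN": "alice@example.com", "DisplayName": "Alice Smith"}]}',
    '{"Operation": "MessageSent", "CreationTime": "2024-10-28T09:08:00Z",'
    ' "UserId": "alice@example.com", "Members": []}',
])

def domain_of(upn):
    return upn.rsplit("@", 1)[-1].lower()

def is_untrusted_external(upn):
    # External means outside our tenant and not on the allowlist
    d = domain_of(upn)
    return d != ORG_DOMAIN and d not in TRUSTED_DOMAINS

def suspicious_chats(log_text):
    """One finding per ChatCreated event with an untrusted external member
    that was either initiated externally or uses an IT-staff-like name."""
    findings = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("Operation") != "ChatCreated":
            continue
        external = [m for m in rec.get("Members", []) if is_untrusted_external(m["UPN"])]
        if not external:
            continue
        reasons = []
        if is_untrusted_external(rec["UserId"]):
            reasons.append("chat initiated by untrusted external user")
        for m in external:
            if any(w in m["DisplayName"].lower() for w in HELPDESK_WORDS):
                reasons.append(f"external display name mimics IT staff: {m['DisplayName']!r}")
        if reasons:
            findings.append({"time": rec["CreationTime"],
                             "external": [m["UPN"] for m in external],
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_chats(SAMPLE_LOG):
        print(f["time"], f["external"], "; ".join(f["reasons"]))
```

Only the first chat is flagged: the trusted partner tenant in the third record is allowlisted, and the internal-only chat has no external member at all.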

Furthermore, organizations should ensure that employees remain vigilant against current social engineering tactics by providing ongoing training and awareness programs.

This vigilance should be paired with a robust defense-in-depth strategy, incorporating multiple layers of security measures such as firewalls, intrusion detection systems, and regular security audits.

As Black Basta's tactics evolve, enterprises must be proactive in their cybersecurity efforts. Organizations can greatly lower their chance of falling prey to sophisticated ransomware attacks by staying up to date on the latest threats, establishing thorough security policies, and cultivating a security-aware culture.


Source: Cyber Security News