Subj : Ransomware crew pose as Microsoft Teams IT support to steal login
To   : All
From : TechnologyDaily
Date : Mon Oct 28 2024 12:00:05

Ransomware crew pose as Microsoft Teams IT support to steal logins and passwords

Date: Mon, 28 Oct 2024 11:55:59 +0000

Description: Black Basta scammers posing as IT helpdesk on Microsoft Teams to deploy ransomware.

FULL STORY
======================================================================

Infamous cybercrime group Black Basta has enhanced one of its latest techniques for infiltrating organizations, gaining persistent access, and launching ransomware campaigns by involving Microsoft Teams.

The most recent technique is highly targeted, and involves using social engineering to 'spear-spam' an employee's email inbox with an overwhelming amount of junk, to the point where the inbox simply isn't usable. The attackers would then phone the employee and pretend to be the organization's IT helpdesk, offering assistance with the spam affecting the video conferencing platform.

Spear-spam

While helping the employee, the attackers will gain control of the victim's device by installing the AnyDesk remote desktop software, or by launching the Windows Quick Assist tool, before deploying payloads that infect the device with ScreenConnect, NetSupport Manager, and Cobalt Strike. Through these payloads, the attackers would launch their typical ransomware attack.

However, in Black Basta's latest twist to this technique, the group will instead contact the employee through Microsoft Teams using an external account set up to mimic the organization's IT helpdesk, using Entra ID tenants that appear legitimate if only glanced at. On further inspection, however, they are clearly fake.

ReliaQuest, who observed the shift in tactic earlier this month, explained that Black Basta were using tenants appended with *.onmicrosoft.com, such as securityadminhelper.onmicrosoft[.]com or Supportserviceadmin.onmicrosoft[.]com.
The attackers would also use the screen name Help Desk, positioned in the center of the chat using whitespace characters, and added to a OneOnOne chat. The attackers would then continue with the attack, deploying payloads within files named AntispamAccount.exe, AntispamUpdate.exe, or AntispamConnectUS.exe.

ReliaQuest also observed a significant proportion of the fake Teams accounts originating from Russia, with many having time zone data mapped to Moscow.

ReliaQuest recommends that system administrators and security pros restrict Microsoft Teams chats from external accounts to trusted domains only, and enable chat logging.

Black Basta has been blamed for over 500 ransomware attacks worldwide, and has established itself as one of the most prolific ransomware-as-a-service providers. The group emerged early in 2022, and is likely composed of fragments of the Conti ransomware group that collapsed in the same year.

More from TechRadar Pro

Take a look at the best malware removal
The evolution of cybercrime: How ransomware became the weapon of choice
These are the best password managers

======================================================================
Link to news story:
https://www.techradar.com/pro/ransomware-crew-pose-as-microsoft-teams-it-support-to-steal-logins-and-passwords

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)