Maidar Secure Advisory: Black Basta Ransomware Operators Exploit Microsoft Teams to Breach Organisations

Overview

The notorious ransomware group, Black Basta, has intensified its use of social engineering techniques to infiltrate organizations, leveraging Microsoft Teams and malicious QR codes to gain unauthorized access. The campaign, recently uncovered by ReliaQuest, demonstrates a sophisticated and evolving threat targeting various sectors.

Details

Black Basta is known for adapting its strategies to bypass traditional security measures. In their latest campaign, the attackers:

  • Use Microsoft Teams chat messages to impersonate legitimate help-desk or admin staff. The threat actors operate from fraudulent Entra ID tenants, often posing as trusted support personnel.
  • Deploy malicious QR codes in Teams chats, disguised as legitimate company branding. These QR codes likely redirect to hostile infrastructure designed to facilitate further social engineering or deploy remote monitoring tools.
  • Utilize targeted domains and subdomains that mirror the naming conventions of their victim organizations, enhancing the legitimacy of their phishing attempts.

Recent investigations suggest that much of this activity is conducted from Russia, with activity patterns aligned to Moscow's time zone.

In one observed case, a user received up to 1,000 phishing emails within 50 minutes, showcasing the group's ability to overwhelm victims. These tactics ultimately aim to install Cobalt Strike and Impacket tools, enabling lateral movement within the network and, finally, ransomware deployment.

Impacted Systems

Organizations using Microsoft Teams and lacking adequate controls on external communications are particularly at risk. The campaign targets multiple sectors, highlighting the need for widespread vigilance.

Mitigation Recommendations

To counter the threat posed by Black Basta, consider implementing the following security measures:

  • Blocking identified malicious domains and subdomains
  • Disabling communication from external users within Microsoft Teams, or allowing only specific trusted domains
  • Setting up aggressive anti-spam policies within email security tools
  • Enabling logging for Microsoft Teams, particularly the ChatCreated event, to facilitate detection and investigation
  • Conducting ongoing training for employees to recognize social engineering tactics, phishing attempts, and suspicious communications
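As an added example (not part of this advisory and not Maidar Secure's tooling), the Python below triages Microsoft Teams ChatCreated audit records for the pattern described above: a sender from an external tenant outside an allowlist starting a chat while presenting as help-desk or admin staff. The audit-record field names are assumed from the Microsoft 365 Teams audit schema, and the tenant IDs, domains and records are constructed placeholders; confirm the field names against your own audit export before relying on it.

```python
# Constructed placeholders: replace with your tenant ID, trusted partner
# tenant IDs and your organisation's verified e-mail domains.
HOME_TENANT = "11111111-1111-4111-8111-111111111111"
TRUSTED_TENANTS = {HOME_TENANT, "22222222-2222-4222-8222-222222222222"}
ORG_DOMAINS = {"victim.example"}
HELPDESK_WORDS = ("help desk", "helpdesk", "it support", "service desk", "admin")


def classify_chat(record, trusted=TRUSTED_TENANTS, org_domains=ORG_DOMAINS):
    """Return the reasons a ChatCreated record looks suspicious ([] = benign).
    Field names (Workload, Operation, UserId, Members[].DisplayName/UPN,
    ParticipantInfo.*) are assumed from the Microsoft 365 Teams audit schema."""
    if record.get("Workload") != "MicrosoftTeams" or record.get("Operation") != "ChatCreated":
        return []
    reasons = []
    info = record.get("ParticipantInfo", {})
    unknown = set(info.get("ParticipatingTenantIds", [])) - set(trusted)
    if info.get("HasForeignTenantUsers") and unknown:
        reasons.append("participant tenant not on allowlist: " + ", ".join(sorted(unknown)))
    initiator = record.get("UserId", "").lower()  # account that created the chat
    if initiator.rpartition("@")[2] not in org_domains:
        reasons.append("chat started by external sender " + initiator)
        # External sender whose display name reads like internal support staff.
        for member in record.get("Members", []):
            name = member.get("DisplayName", "")
            if member.get("UPN", "").lower() == initiator and any(w in name.lower() for w in HELPDESK_WORDS):
                reasons.append("external sender presents as support staff: " + name)
    return reasons


# Constructed sample records (not real audit data): one impersonation
# attempt from an unknown tenant, one ordinary internal chat.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-10-24T10:05:00", "Workload": "MicrosoftTeams", "Operation": "ChatCreated",
     "UserId": "helpdesk@victim-support.onmicrosoft.example",
     "Members": [{"DisplayName": "Help Desk", "UPN": "helpdesk@victim-support.onmicrosoft.example"},
                 {"DisplayName": "Jane Doe", "UPN": "jane.doe@victim.example"}],
     "ParticipantInfo": {"HasForeignTenantUsers": True,
                         "ParticipatingTenantIds": [HOME_TENANT, "33333333-3333-4333-8333-333333333333"]}},
    {"CreationTime": "2024-10-24T10:06:00", "Workload": "MicrosoftTeams", "Operation": "ChatCreated",
     "UserId": "bob@victim.example",
     "Members": [{"DisplayName": "Bob Smith", "UPN": "bob@victim.example"},
                 {"DisplayName": "Jane Doe", "UPN": "jane.doe@victim.example"}],
     "ParticipantInfo": {"HasForeignTenantUsers": False, "ParticipatingTenantIds": [HOME_TENANT]}},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["CreationTime"], "->", "; ".join(classify_chat(rec)) or "nothing flagged")
```

Feed it the JSON records exported from the unified audit log (one dict per record) and route any non-empty result to your SOC queue; tune TRUSTED_TENANTS so legitimate partner tenants stop generating noise.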

As Black Basta continues to refine its methods, maintaining a proactive cybersecurity stance is critical. Staying up-to-date on emerging threats, implementing robust security protocols, and fostering a culture of cybersecurity awareness can significantly mitigate the risk posed by sophisticated ransomware campaigns.

References

https://cybersecuritynews.com/black-basta-microsoft-teams/

Contact Us

If you have any questions or require further information on any other cybersecurity matters, please don’t hesitate to contact our dedicated team at [email protected].

If you want to see more about the SOC service we offer, please follow this link https://maidar.io/
