• Ransomware crew pose as Microsoft Teams IT support to steal login

    From TechnologyDaily@1337:1/100 to All on Mon Oct 28 12:00:05 2024
    Ransomware crew pose as Microsoft Teams IT support to steal logins and passwords

    Date:
    Mon, 28 Oct 2024 11:55:59 +0000

    Description:
    Black Basta scammers posing as IT helpdesk on Microsoft Teams to deploy ransomware.

    FULL STORY ======================================================================

    Infamous cybercrime group Black Basta has enhanced one of its latest techniques for infiltrating organizations, gaining persistent access, and launching ransomware campaigns by involving Microsoft Teams.

    The most recent technique is highly targeted, and involves using social engineering to 'spear-spam' an employee's email inbox with an overwhelming amount of junk, to the point where the inbox simply isn't usable.

    The attackers would then phone the employee and pretend to be the organization's IT helpdesk, offering assistance with the spam affecting the video conferencing platform.

    While helping the employee, the attackers will gain control of the victim's device by installing the AnyDesk remote desktop software, or by launching the Windows Quick Assist tool, before deploying payloads that infect the device with ScreenConnect, NetSupport Manager, and Cobalt Strike. Through these payloads, the attackers would launch their typical ransomware attack.

    However, in Black Basta's latest twist to this technique, the group will instead contact the employee through Microsoft Teams using an external account set up to mimic the organization's IT helpdesk using Entra ID tenants that appear legitimate if only glanced at. On further inspection however, they are clearly fake.

    ReliaQuest, who observed the shift in tactic earlier this month, explained that Black Basta were using tenants appended with *.onmicrosoft.com such as securityadminhelper.onmicrosoft[.]com or Supportserviceadmin.onmicrosoft[.]com. The attackers would also use the screen name "Help Desk" positioned to the center of the chat using whitespace characters, and added to a OneOnOne chat. The attackers would then continue with the attack, deploying payloads within files named AntispamAccount.exe, AntispamUpdate.exe, or AntispamConnectUS.exe.

    ReliaQuest also observed a significant proportion of the fake Teams accounts originating from Russia, with many having time zone data mapped to Moscow. ReliaQuest recommends that system administrators and security pros restrict Microsoft Teams chats from external accounts to trusted domains only, and that chat logging be enabled.

    Black Basta has been blamed for over 500 ransomware attacks worldwide, and has established itself as one of the most prolific ransomware-as-a-service providers. The group emerged early in 2022, and is likely composed of fragments of the Conti ransomware group that collapsed in the same year.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/ransomware-crew-pose-as-microsoft-teams-it-support-to-steal-logins-and-passwords


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)
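
The Teams impersonation pattern described in the story (external *.onmicrosoft.com tenant, whitespace-padded "Help Desk" screen name, OneOnOne chat, Antispam*.exe files) can be written as a triage rule over chat-creation events. This is an added example, not part of the original post or of ReliaQuest's report; the event field names, `HOME_DOMAINS` and the sample events are constructed assumptions, not a Microsoft log schema.

```python
import re
import unicodedata

HOME_DOMAINS = {"corp.example"}   # assumption: your tenant's own domains
HELPDESK = re.compile(r"help\s*desk", re.I)
LURE_FILE = re.compile(r"^Antispam\w*\.exe$", re.I)   # file names given in the story

def _is_pad(ch):
    # Unicode spaces plus zero-width/format characters used to shift a name on screen
    return ch.isspace() or unicodedata.category(ch) in ("Zs", "Cf")

def triage(event):
    """Return the reasons a chat-creation event matches the reported pattern."""
    domain = event["sender"].rsplit("@", 1)[-1].lower()
    if domain in HOME_DOMAINS:
        return []                      # internal sender: out of scope here
    name = event["display_name"]
    reasons = []
    if domain.endswith(".onmicrosoft.com"):
        reasons.append("external *.onmicrosoft.com tenant")
    if HELPDESK.search(name):
        reasons.append("help-desk display name")
    if name and (_is_pad(name[0]) or _is_pad(name[-1])):
        reasons.append("whitespace-padded display name")
    if any(LURE_FILE.match(f) for f in event.get("files", [])):
        reasons.append("Antispam*.exe attachment")
    return reasons

def is_alert(event):
    # One-to-one chats only, and at least two independent signals
    return event["chat_type"].lower() == "oneonone" and len(triage(event)) >= 2

# Constructed sample events; field names are hypothetical, not a Microsoft schema
EVENTS = [
    {"sender": "admin@constructed-tenant.onmicrosoft.com", "chat_type": "OneOnOne",
     "display_name": "\u2003\u2003\u00a0Help Desk\u200b", "files": ["AntispamUpdate.exe"]},
    {"sender": "it@corp.example", "chat_type": "OneOnOne", "display_name": "Help Desk"},
    {"sender": "bob@constructed-partner.onmicrosoft.com", "chat_type": "OneOnOne",
     "display_name": "Bob Jones"},
    {"sender": "alice@partner.example", "chat_type": "Group", "display_name": "Alice"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(is_alert(e), e["sender"], triage(e))
```

Requiring two signals keeps a legitimate partner on a default *.onmicrosoft.com domain from alerting on the tenant name alone.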