Black Basta Ransomware Attacking Microsoft Teams With Advanced Social Engineering Tactics

Uncategorized November 27, 2024

The notorious Black Basta ransomware group has escalated its attack strategy, now leveraging Microsoft Teams as a potent tool for social engineering.

This alarming development, observed throughout October 2024, has targeted hundreds of organizations across various sectors, including finance, technology, and government contractors.

Black Basta, active since April 2022, has been known for its aggressive spam and social engineering techniques.

However, cybersecurity analysts at OP Innovate discovered their latest approach that marks a significant shift in their modus operandi:-

  1. Email Bombardment: The attack begins with a flood of non-malicious spam emails, overwhelming users’ inboxes.
  2. Microsoft Teams Impersonation: Instead of phone calls, attackers now contact victims directly through Teams chats, posing as IT help desk personnel.
  3. Remote Access Deployment: Attackers trick users into installing remote access tools like Quick Assist or AnyDesk.
  4. Network Infiltration: Once connected, the attackers deploy malware for persistent access and lateral movement.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Why Microsoft Teams is a Vulnerable Attack Vector?

The use of Microsoft Teams introduces new risks for organizations:-

  • External account spoofing: Attackers create convincing Entra ID tenants resembling legitimate IT accounts.
  • Lack of identity verification: Employees often trust messages received through Teams without verification.
  • Unrestricted remote access: Collaboration tools make it easier for attackers to convince users to install remote monitoring and management (RMM) tools.
Evolution of Black Basta Tactics (Source – OP Innovate)

The shift to Microsoft Teams allows Black Basta to bypass traditional email security tools, making it easier to deceive employees.

ReliaQuest, a leading threat research firm, has reported hundreds of incidents across industries, with damages exceeding $15 million.

To defend against these evolving threats, organizations should:-

  • Disable external communications within Teams or allow only trusted domains.
  • Enable logging and alerts for Teams ChatCreated events.
  • Strengthen anti-spam policies and educate employees on social engineering tactics.
  • Control RMM tool usage and monitor for Cobalt Strike beacons.

As Black Basta continues to refine its attack methods, organizations must remain vigilant and adapt their security measures accordingly.

The exploitation of trusted platforms like Microsoft Teams underscores the need for comprehensive security strategies that encompass all communication channels within an organization.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

The post Black Basta Ransomware Attacking Microsoft Teams With Advanced Social Engineering Tactics appeared first on Cyber Security News.