The Black Basta ransomware group is targeting internal platforms, including Microsoft Teams, to exploit employees’ trust in their company’s communication channels.
Black Basta takes advantage of employees’ trust in internal communication tools to gain unauthorised access to critical systems and data, focusing on trusted platforms like Teams.
According to reports, the group formed after the Conti cybercrime syndicate collapsed in mid-2022. It uses a variety of attack techniques, including exploitation of system vulnerabilities, collaboration with malware botnets, and deceptive social engineering.
Black Basta started a persistent email campaign that stopped email productivity by bombarding employees’ inboxes with negligible messages like newsletters and sign-up confirmations.
The attackers would then call the overwhelmed employees, pretending to be IT support, and offer help with their spam issues. During these conversations, attackers tricked users into installing remote access programs like AnyDesk or Windows Quick Assist.
After gaining access, the attackers used scripts to install additional software, including ScreenConnect, NetSupport Manager, and Cobalt Strike. This allowed attackers to maintain control over the device, spread laterally through the network, escalate privileges, exfiltrate data, and ultimately deploy ransomware.
How Does Black Basta Exploit Microsoft Teams for Cyber Deception?
The main goal of corporate security for many years has been to prevent external attacks. To protect against outside threats, email phishing filters, online monitoring, and firewalls are configured. But with Microsoft Teams, staff members often believe that internal communications are inherently secure and accept requests from this tool.
Black Basta has recently spread its strategy by communicating with specific individuals using Microsoft Teams. Using fake Entra ID tenants, attackers add victims to chats with external users masquerading as help desk personnel.
According to a ReliaQuest report:
These external users set their profiles to a “DisplayName” designed to make the targeted user think they were communicating with a help-desk account. In almost all instances we’ve observed, the display name included the string “Help Desk,” often surrounded by whitespace characters, which is likely to center the name within the chat. We also observed that, typically, targeted users were added to a “OneOnOne” chat.
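The indicators in that description (an external member, a display name padded with whitespace around "Help Desk", and a "OneOnOne" chat) translate directly into a detection check. The following is an added example, not code from ReliaQuest or from the original article: it scans constructed JSON-lines records in the shape of Teams "ChatCreated" audit events, where the field names and the internal domain are assumptions for the example.

```python
import json
import re

# Domains the organisation itself owns (assumed value for this example).
INTERNAL_DOMAINS = {"example.com"}

# Display-name fragment the report associates with the lure; \s* also catches "HelpDesk".
LURE_PATTERN = re.compile(r"help\s*desk", re.IGNORECASE)


def normalise_name(name: str) -> str:
    """Collapse runs of Unicode whitespace (used to center the name) into one space."""
    return " ".join(name.split()).lower()


def is_external(upn: str) -> bool:
    """Treat any member whose UPN domain is not an internal domain as external."""
    domain = upn.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def suspicious_members(record: dict) -> list[dict]:
    """Return external members of a one-on-one chat whose name looks like a help desk."""
    if record.get("Operation") != "ChatCreated" or record.get("CommunicationType") != "OneOnOne":
        return []
    hits = []
    for member in record.get("Members", []):
        name = normalise_name(member.get("DisplayName", ""))
        if is_external(member.get("UPN", "")) and LURE_PATTERN.search(name):
            hits.append({"chat": record.get("ChatThreadId"), "upn": member["UPN"], "name": name})
    return hits


def scan(lines) -> list[dict]:
    """Run the check over JSON-lines audit records, skipping unparsable lines."""
    findings = []
    for line in lines:
        try:
            findings.extend(suspicious_members(json.loads(line)))
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the scan
    return findings


# Constructed sample records (not real audit data); the em-space padding mimics the lure.
SAMPLE_LOG = [
    json.dumps({"Operation": "ChatCreated", "CommunicationType": "OneOnOne", "ChatThreadId": "19:abc@unq.gbl.spaces",
                "Members": [{"DisplayName": "Alice Smith", "UPN": "alice@example.com"},
                            {"DisplayName": "\u2003\u2003Help Desk\u2003\u2003", "UPN": "support@extern-tenant.onmicrosoft.com"}]}),
    json.dumps({"Operation": "ChatCreated", "CommunicationType": "OneOnOne", "ChatThreadId": "19:def@unq.gbl.spaces",
                "Members": [{"DisplayName": "Bob Jones", "UPN": "bob@example.com"},
                            {"DisplayName": "Help Desk", "UPN": "it-helpdesk@example.com"}]}),  # genuine internal help desk
    json.dumps({"Operation": "ChatCreated", "CommunicationType": "Group", "ChatThreadId": "19:ghi@thread.v2",
                "Members": [{"DisplayName": "HelpDesk", "UPN": "x@partner.example.org"}]}),  # group chat, out of scope
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)  # only the padded external "Help Desk" member is reported
```

Only the first record is flagged: the internal help desk and the group chat both fall outside the pattern the report describes.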
In addition to Microsoft Teams, Black Basta has recently incorporated QR codes into its phishing strategies. These codes are sent to targeted users in chat conversations under the guise of legitimate, business-branded images.
The QR code phishing domains are designed to resemble the target company and follow a particular subdomain naming pattern. Although the actual purpose of these QR codes is unknown, they are assumed to direct visitors to further malicious websites, initiate additional social engineering efforts, and perhaps deploy remote monitoring and management (RMM) tools.
Platforms like Microsoft Teams allow attackers to directly communicate with employees, making social engineering tactics significantly more effective than traditional email phishing.
Attackers can lead employees through complex processes while posing as IT support, gaining real-time access to high-privilege systems. This direct communication lets attackers adapt their approach based on employee replies, improving the chance of success compared to one-off phishing emails.
According to ReliaQuest’s investigations, much of Black Basta’s operations originate in Russia; Microsoft Teams logs frequently show the Moscow time zone. The campaign also demonstrates the dynamic character of social engineering attacks.
Attackers exploit human trust and communication channels to gain access to networks. As Black Basta’s techniques change, companies need to upgrade employees’ knowledge and reinforce network security to avoid falling victim to these deceptive strategies.
It is important to have comprehensive information and collaboration standards across Teams, SharePoint, and OneDrive to protect sensitive data. Additionally, it is imperative that employees receive frequent training on identifying social engineering techniques.
Furthermore, policies should be routinely evaluated and updated to address evolving privacy concerns, new data types, and an expanding range of collaborators.
Reducing an organisation’s vulnerability to cyber attacks should be a priority in all cyber-risk decision-making, especially as we enter an era of increased attack sophistication and complexity.
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Our comprehensive solutions provide you with all the tools and strategies needed to identify and address vulnerabilities before they can be exploited. Book a demo today to see how it can work for you.