Black Basta Ransomware Operators Exploit Microsoft Teams to Infiltrate Organizations
The infamous ransomware group “Black Basta” has intensified its social engineering strategies to infiltrate organizations’ sensitive systems and data.
ReliaQuest, a prominent cybersecurity firm, recently uncovered a sophisticated campaign leveraging Microsoft Teams chat messages and malicious QR codes as entry points for initial access.
Black Basta, once known for bombarding users with email spam and impersonating legitimate help desk staff, has now escalated its tactics.
In recent incidents, the attackers have leveraged Microsoft Teams chat messages to engage directly with targeted users, adding them to chats with external users operating through fraudulent Entra ID tenants.
These external users, posing as support, admin, or help-desk staff, employ deceptive display names to trick targeted users into believing they’re interacting with authentic help-desk accounts.
ReliaQuest’s investigation found that many of the attackers’ actions originated in Russia, with Moscow frequently appearing in the time zone data logged by Teams.
Alongside its use of Microsoft Teams, Black Basta has also integrated QR codes into its phishing toolkit. Targeted users receive QR codes in these chats, camouflaged to look like legitimate, company-branded images.
The domains used for this QR code phishing activity are tailored to match the targeted organization, and the subdomains follow a specific naming convention.
Although the exact intent behind these QR codes is uncertain, they likely direct users to additional malicious infrastructure, setting up further social engineering attempts and enabling the deployment of remote monitoring and management (RMM) tools.
The Black Basta campaign seriously threatens organizations across various sectors and regions.
ReliaQuest has noted a troubling surge in the group’s activity, including an incident where a single user was bombarded with nearly 1,000 emails within 50 minutes.
Once malicious files are executed through RMM tools, attackers leverage Cobalt Strike beacons and Impacket modules to move laterally across compromised networks.
The ultimate objective of these attacks appears to be the deployment of ransomware.
Mitigation Tips
To counter this growing threat, ReliaQuest recommends the following measures:
- Block known malicious domains and subdomains
- Restrict communication from external users in Microsoft Teams or permit only specific trusted domains
- Implement strict anti-spam policies within email security systems
- Enable logging for Microsoft Teams, especially the ChatCreated event, to aid in detection and investigation
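The last two recommendations can be turned into a concrete detection: once Teams auditing is on, each ChatCreated record lists the chat's members, so a script can flag chats that pull an internal user into a conversation with an account from another tenant, and escalate when that external account carries a help-desk style display name. The example below is added here and is not ReliaQuest's or Microsoft's code. The log records are constructed, and the field names (Operation, Workload, CommunicationType, ChatThreadId, Members[].UPN/DisplayName/Role) are an assumption modelled on the Microsoft 365 unified audit log; the internal domains and the trusted-domain allow list are placeholders to be replaced with your own.

```python
"""Flag Teams ChatCreated audit records where an external (non-tenant) member
joins a chat, and mark the chat as likely impersonation when that member's
display name looks like help-desk staff.

Field names below are an ASSUMPTION modelled on the Microsoft 365 unified
audit log; check them against a real export before deploying this logic.
"""
import json
import re
from typing import Optional

# Domains owned by the organisation (assumed placeholders; replace with yours).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Display-name words commonly used when posing as support or IT staff.
HELPDESK_PATTERN = re.compile(
    r"\b(help[\s-]?desk|service[\s-]?desk|it[\s-]?(support|admin)|support)\b", re.I
)

# Constructed sample audit records, one JSON object per line (not real data).
SAMPLE_LOG = """
{"CreationTime":"2024-10-21T09:14:03","Operation":"ChatCreated","Workload":"MicrosoftTeams","CommunicationType":"OneOnOne","ChatThreadId":"19:chat-a","Members":[{"UPN":"alice@example.com","DisplayName":"Alice Smith","Role":"Member"},{"UPN":"helpdesk@fake-tenant.onmicrosoft.com","DisplayName":"Help Desk Manager","Role":"Member"}]}
{"CreationTime":"2024-10-21T09:20:11","Operation":"ChatCreated","Workload":"MicrosoftTeams","CommunicationType":"Group","ChatThreadId":"19:chat-b","Members":[{"UPN":"alice@example.com","DisplayName":"Alice Smith","Role":"Member"},{"UPN":"bob@corp.example.com","DisplayName":"Bob Jones","Role":"Member"}]}
{"CreationTime":"2024-10-21T09:31:45","Operation":"ChatCreated","Workload":"MicrosoftTeams","CommunicationType":"OneOnOne","ChatThreadId":"19:chat-c","Members":[{"UPN":"carol@example.com","DisplayName":"Carol Lee","Role":"Member"},{"UPN":"dan@partner.example.net","DisplayName":"Dan Vendor","Role":"Member"}]}
{"CreationTime":"2024-10-21T09:40:00","Operation":"MessageSent","Workload":"MicrosoftTeams","ChatThreadId":"19:chat-a","Members":[]}
"""


def upn_domain(upn: str) -> str:
    """Return the lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def is_external(upn: str) -> bool:
    """True when the UPN's domain is not one of ours (or a subdomain of one)."""
    domain = upn_domain(upn)
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def classify(record: dict) -> Optional[str]:
    """Return 'impersonation', 'external', or None for records that need no action."""
    if record.get("Workload") != "MicrosoftTeams" or record.get("Operation") != "ChatCreated":
        return None
    externals = [m for m in record.get("Members", []) if is_external(m.get("UPN", ""))]
    if not externals:
        return None
    if any(HELPDESK_PATTERN.search(m.get("DisplayName", "")) for m in externals):
        return "impersonation"
    return "external"


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_chats(text: str, trusted_domains=frozenset()) -> list:
    """Return findings for ChatCreated records involving external members.

    trusted_domains mirrors a Teams federation allow list: chats whose external
    members all come from an allow-listed domain are not reported.
    """
    findings = []
    for rec in parse_log(text):
        verdict = classify(rec)
        if verdict is None:
            continue
        externals = [m for m in rec["Members"] if is_external(m["UPN"])]
        if all(upn_domain(m["UPN"]) in trusted_domains for m in externals):
            continue
        findings.append({
            "time": rec.get("CreationTime"),
            "chat": rec.get("ChatThreadId"),
            "type": rec.get("CommunicationType"),
            "verdict": verdict,
            "external_members": [(m["DisplayName"], m["UPN"]) for m in externals],
            "internal_members": [m["UPN"] for m in rec["Members"] if not is_external(m["UPN"])],
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chats(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against the sample, the script reports chat-a as impersonation (external member named "Help Desk Manager") and chat-c as a plain external chat; passing `trusted_domains=frozenset({"partner.example.net"})` suppresses chat-c, which is the programmatic equivalent of permitting only specific trusted domains. The display-name check is deliberately only a triage signal: the external domain, not the display name, is the fact an attacker cannot spoof, so the "external" verdict is still worth reviewing when the organisation has no legitimate reason for that tenant to start chats with its users.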
Additionally, organizations should keep employees alert to evolving social engineering tactics through continuous training and awareness programs.
This vigilance should be reinforced by a robust defense-in-depth strategy, incorporating multiple layers of security such as firewalls, intrusion detection systems, and regular security audits.
As Black Basta evolves its tactics, organizations must stay vigilant in their cybersecurity practices. Keeping informed on emerging threats, enforcing robust security protocols, and fostering a culture of cybersecurity awareness can greatly reduce the risk of falling victim to these advanced ransomware attacks.