Black Basta Ransomware Enhances Operations Through Microsoft Teams Strategy


Black Basta Leverages Microsoft Teams to Impersonate IT Support: A New Tactic in Cybercrime

Black Basta, an active ransomware group since April 2022, has recently adapted its tactics to exploit Microsoft Teams as a platform for impersonating corporate IT support. This alarming development, documented by cybersecurity firm ReliaQuest, underscores a significant evolution in the group’s strategies aimed at infiltrating business networks and gaining unauthorized access to sensitive information.

The Evolution of Black Basta’s Tactics

Historically, Black Basta has employed a range of social engineering techniques to execute its attacks. The group's earlier method involved inundating targeted employees with non-malicious emails—such as newsletters, sign-up confirmations, and verification requests—designed to overwhelm inboxes and create a sense of urgency. This tactic not only frustrated users but also set the stage for follow-up phone calls, in which attackers posed as IT support, offered help with the spam problem, and ultimately gained access to the employee’s device.

However, recent observations indicate a strategic pivot. Instead of relying solely on phone calls, Black Basta has begun reaching out to employees directly through Microsoft Teams, utilizing external user accounts to masquerade as the IT help desk. This shift allows attackers to leverage a familiar corporate platform, enhancing their credibility and increasing the likelihood that targets will accept their assistance.

The Mechanics of the Attack

In their latest campaigns, Black Basta operatives have been observed sending QR codes via Microsoft Teams chat messages, directing users to suspicious domains such as qr-s1[.]com. While the exact purpose of these QR codes remains unclear, researchers have noted that the external Microsoft Teams accounts involved in these communications are linked to Russia, with consistent Moscow time zone data associated with the accounts.

According to the ReliaQuest report, these external users often set their profiles to display names designed to mislead targeted employees into believing they were communicating with legitimate help-desk personnel. The attackers frequently use names that include the string "Help Desk," often surrounded by whitespace characters to center the name within the chat, further enhancing the illusion of authenticity.

The primary objective of these interactions is to manipulate the target into installing remote support tools like AnyDesk or activating Quick Assist. Once these tools are installed, Black Basta can gain full control over the employee’s device, allowing them to infiltrate corporate systems with ease.

Tools of the Trade

In addition to AnyDesk, researchers have identified a file named AntispamConnectUS.exe on VirusTotal, flagged as SystemBC—a proxy malware previously associated with Black Basta’s operations. Once attackers gain access to a device, they can deploy advanced tools such as Cobalt Strike, which provides them with comprehensive control over the compromised system. This access enables them to push further into the network, potentially leading to significant data breaches and financial losses.

Recommendations for Organizations

In light of these evolving tactics, cybersecurity experts recommend that organizations take proactive measures to mitigate the risks associated with Black Basta’s operations. ReliaQuest advises companies to restrict external communication on Microsoft Teams, permitting it only from trusted domains when necessary. Additionally, enabling logging for specific events, such as ChatCreated, can help detect suspicious activities within Teams, providing an extra layer of security oversight.
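As an added illustration of the ChatCreated logging recommendation (this is example code, not from ReliaQuest or the article), the script below scans constructed Teams audit records and flags chats created with external users from untrusted domains, escalating when the display name is padded with whitespace or reads like "Help Desk". The record layout, the tenant domain `corp.example`, and the trusted partner domain are assumptions.

```python
import json
import unicodedata

# Constructed sample records, loosely shaped after Microsoft 365 unified audit
# log entries for Teams; the field names are an assumption, not the real schema.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"Operation": "ChatCreated", "ChatThreadId": "19:chat-a",
     "Members": [{"DisplayName": "Alice Chen", "UPN": "alice@corp.example"},
                 {"DisplayName": "Bob Ruiz", "UPN": "bob@corp.example"}]},
    {"Operation": "ChatCreated", "ChatThreadId": "19:chat-b",
     "Members": [{"DisplayName": "\u2003\u2003\u2003Help Desk\u2003\u2003\u2003",
                  "UPN": "support@mail.example.net"},
                 {"DisplayName": "Bob Ruiz", "UPN": "bob@corp.example"}]},
    {"Operation": "MessageSent", "ChatThreadId": "19:chat-b"},
    {"Operation": "ChatCreated", "ChatThreadId": "19:chat-c",
     "Members": [{"DisplayName": "Dana Ko", "UPN": "dana@partner.example"},
                 {"DisplayName": "Bob Ruiz", "UPN": "bob@corp.example"}]},
    {"Operation": "ChatCreated", "ChatThreadId": "19:chat-d",
     "Members": [{"DisplayName": "Carl", "UPN": "carl@other.example"},
                 {"DisplayName": "Bob Ruiz", "UPN": "bob@corp.example"}]},
])

TENANT_DOMAIN = "corp.example"            # assumed: our own tenant
TRUSTED_EXTERNAL = {"partner.example"}    # assumed: allow-listed partner domains
IMPERSONATION_TERMS = ("help desk", "helpdesk", "it support", "service desk")

def normalize_display_name(name):
    # Drop format characters (zero-width spaces etc.) and collapse every run of
    # Unicode whitespace (em spaces, NBSP, ...) so padded names compare equal.
    visible = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return " ".join(visible.split()).casefold()

def assess_member(member):
    """Return (severity, reason) for one chat member, or None if benign."""
    domain = member.get("UPN", "").rsplit("@", 1)[-1].lower()
    if domain == TENANT_DOMAIN or domain in TRUSTED_EXTERNAL:
        return None
    raw = member.get("DisplayName", "")
    name = normalize_display_name(raw)
    severity, reasons = "medium", ["external user from untrusted domain " + domain]
    if any(term in name for term in IMPERSONATION_TERMS):
        severity = "high"
        reasons.append("display name impersonates support staff: %r" % name)
    if raw != raw.strip():  # whitespace used to centre the name in the chat header
        severity = "high"
        reasons.append("display name padded with %d whitespace chars" % (len(raw) - len(raw.strip())))
    return severity, "; ".join(reasons)

def detect_teams_impersonation(log_text):
    """Scan newline-delimited JSON audit records; return findings for ChatCreated events."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        record = json.loads(line)
        if record.get("Operation") != "ChatCreated":
            continue
        for member in record.get("Members", []):
            result = assess_member(member)
            if result:
                findings.append({"chat": record["ChatThreadId"], "upn": member["UPN"],
                                 "severity": result[0], "reason": result[1]})
    return findings

if __name__ == "__main__":
    for finding in detect_teams_impersonation(SAMPLE_LOG):
        print(finding)
```

In production the same logic would run over exported unified audit log records rather than the embedded sample, and the allow-list should mirror the external-access configuration in the Teams admin center.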

Organizations should also invest in employee training to raise awareness about social engineering tactics and the importance of verifying the identity of anyone requesting access to sensitive information or systems. By fostering a culture of cybersecurity vigilance, businesses can better protect themselves against the growing threat posed by groups like Black Basta.

Conclusion

The adaptation of Black Basta to leverage Microsoft Teams for impersonating IT support marks a concerning trend in the landscape of cybercrime. As ransomware groups continue to evolve their tactics, it is imperative for organizations to remain vigilant and proactive in their cybersecurity efforts. By implementing robust security measures and fostering awareness among employees, businesses can better defend against these sophisticated attacks and safeguard their critical assets.
