
Security researchers from ReliaQuest have uncovered an attack campaign in which the Black Basta ransomware group uses social engineering to gain access to victims’ computers: the attackers spam email inboxes and then send malicious messages on Microsoft Teams that offer to resolve the issue.
The attackers pose as IT support staff and message potential victims in Microsoft Teams chats from accounts using the .onmicrosoft.com domain. The threat actors send legitimate-looking but malicious links or QR codes in the chat. This may trick victims into installing a remote administration application such as AnyDesk or Quick Assist on their devices, after which the attackers ask victims to grant them access to their computers.
It is unclear when the threat actors started using QR codes. The researchers tracked the domain details and found older domains, created in early October, that follow the same naming convention. This suggests they were almost certainly created by the same threat actor with the intention of using QR codes, and that the threat actor likely started using, or was planning to use, this approach in early October.
Unfortunately, tech support scams have been a primary attack strategy for cybercriminals for years. Be wary of any person or entity that contacts you claiming to be customer support.
Black Basta reportedly sells its ransomware and email spam services on the dark web and has been active since at least 2022. The group breached US healthcare provider Ascension earlier this year. One of the biggest breaches
Mitigations
- Disable messages and calls from external or unknown users in enterprise messaging applications.
- Ensure email filtering is catching spam properly, and mark suspicious emails as spam.
- On Microsoft Outlook, you can choose from multiple different spam filtering levels. Or, if you’re using Gmail, you can set up custom spam filters yourself.
For more information, refer to the blog
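The sequence described in this article (an inbox flood, then a Teams chat from an external .onmicrosoft.com sender, then a remote administration tool starting) can also be looked for in logs. The following is an added example, not code from ReliaQuest or the original article; the event schema, tenant domain, sender addresses and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed values: own tenant domain (placeholder) and tuning thresholds.
OWN_TENANT = "contoso.onmicrosoft.com"
BURST_COUNT, BURST_WINDOW = 20, timedelta(minutes=10)  # 20 mails in 10 min
FOLLOWUP = timedelta(hours=3)        # how long after a stage the next may follow
REMOTE_TOOLS = ("anydesk.exe", "quickassist.exe")

def external_onmicrosoft(sender):
    """True for a sender in some other tenant's default .onmicrosoft.com domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain.endswith(".onmicrosoft.com") and domain != OWN_TENANT

def burst_end(mail_times):
    """Time at which the first inbox flood reaches BURST_COUNT, or None."""
    times = sorted(mail_times)
    for i in range(len(times) - BURST_COUNT + 1):
        if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
            return times[i + BURST_COUNT - 1]
    return None

def correlate(events):
    """Map user -> 'chat' or 'chat+remote_tool' when the stages occur in order."""
    findings = {}
    for user in sorted({e["user"] for e in events}):
        evs = [e for e in events if e["user"] == user]
        start = burst_end([e["time"] for e in evs if e["type"] == "mail"])
        if start is None:
            continue
        chats = [e["time"] for e in evs if e["type"] == "teams_chat"
                 and external_onmicrosoft(e["sender"])
                 and start <= e["time"] <= start + FOLLOWUP]
        if not chats:
            continue
        tool = any(e["type"] == "process" and e["image"].lower() in REMOTE_TOOLS
                   and min(chats) <= e["time"] <= min(chats) + FOLLOWUP for e in evs)
        findings[user] = "chat+remote_tool" if tool else "chat"
    return findings

def sample_events():
    """Constructed events in an assumed normalized schema, not a real log format."""
    t0, m = datetime(2024, 11, 4, 9, 0), timedelta(minutes=1)
    evs = [{"user": u, "type": "mail", "time": t0 + i * m / 4}
           for u in ("alice", "bob") for i in range(25)]
    return evs + [
        {"user": "alice", "type": "teams_chat", "time": t0 + 20 * m,
         "sender": "helpdesk@example-support.onmicrosoft.com"},
        {"user": "alice", "type": "process", "time": t0 + 35 * m, "image": "AnyDesk.exe"},
        {"user": "carol", "type": "teams_chat", "time": t0, "sender": "p@fabrikam.onmicrosoft.com"}]
```

On the constructed sample only alice is flagged: bob received the mail flood but no external chat, and carol received an external chat with no preceding flood.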


Nice information nice article 🌺🌺