
Julia Mutzbauer
Editorial Manager at CSO

Black Basta attacks via MS Teams chats

News | 29 Oct 2024 | 2 mins
Ransomware, Security

The ransomware gang Black Basta is now using a new attack tactic that runs via Microsoft Teams chats.

Image: Microsoft Teams (Credit: Ink Drop - Shutterstock.com)

The notorious Black Basta ransomware group is targeting organizations around the world. The gang was previously known for first bombarding its victims with spam emails. The hackers then pretended to be IT support to gain access to systems. This method has now apparently been further developed.

Security researchers at ReliaQuest recently discovered that Black Basta is now using Microsoft Teams chat messages to engage potential victims in conversations. In this method, too, the attackers disguise themselves as help desk employees. According to the research report, contact is sometimes made via invitations to MS Teams group chats.

In the chats, the criminals then trick users into clicking on QR codes that lead to a fraudulent website. The fraudulent sites are tailored to the target organization and can often only be distinguished from genuine company sites by carefully checking the subdomain.

The aim of the attackers, according to the researchers, is to trick MS Teams users into downloading remote monitoring and management (RMM) tools, which then give the attackers access to the target environment.

Protection against MS Teams attacks

To protect yourself from these attacks, ReliaQuest recommends the following measures:

  • Companies should disable communication from external users within Teams to prevent unwanted chat messages from reaching end users.
  • If communication with external users is required, certain trusted domains can be whitelisted. In addition, setting up aggressive anti-spam policies in email security tools can prevent spam from flooding end-user inboxes.
  • Make sure logging is enabled for Teams, especially for the ChatCreated event, to make it easier to detect and investigate such activity.
  • When searching for these help desk accounts, organizations should use a “contains” (substring) search rather than an exact match, since the impersonating accounts use varying names.
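As an added illustration of the last two recommendations (it is not part of the CSO article or the ReliaQuest report), the following Python script scans constructed Teams audit records for ChatCreated events in which an external account from a non-allow-listed tenant, whose display name or account name contains a help-desk-style keyword, starts a chat with an internal user. The record layout is loosely modelled on Microsoft 365 unified audit log entries and is an assumption for this example; the tenant domains, allow list, keyword list and sample log lines are all constructed. A `mode="exact"` switch shows why an exact-match search misses the variants a substring search catches.

```python
"""Flag Teams ChatCreated audit events started by external, non-allow-listed
accounts with help-desk-style names (added example; record shape is assumed)."""
import json
from typing import Iterable, Optional

INTERNAL_DOMAINS = {"example.com"}       # the organisation's own tenant domains (constructed)
TRUSTED_DOMAINS = {"partner.example"}    # allow-listed external tenants (constructed)
HELPDESK_KEYWORDS = ("help desk", "helpdesk", "service desk", "it support")

# Constructed sample log (JSON lines); field names are an assumption for this example.
SAMPLE_LOG = """
{"Operation": "ChatCreated", "Workload": "MicrosoftTeams", "UserId": "alice@example.com", "ChatThreadId": "19:chat-0001@thread.v2", "Members": [{"UPN": "alice@example.com", "DisplayName": "Alice Lee", "Role": "Member"}, {"UPN": "it.help.desk@lookalike-tenant.onmicrosoft.com", "DisplayName": "IT Help Desk", "Role": "Owner"}]}
{"Operation": "ChatCreated", "Workload": "MicrosoftTeams", "UserId": "bob@example.com", "ChatThreadId": "19:chat-0002@thread.v2", "Members": [{"UPN": "bob@example.com", "DisplayName": "Bob Chen", "Role": "Member"}, {"UPN": "dana@partner.example", "DisplayName": "Dana Partner", "Role": "Owner"}]}
{"Operation": "ChatCreated", "Workload": "MicrosoftTeams", "UserId": "carol@example.com", "ChatThreadId": "19:chat-0003@thread.v2", "Members": [{"UPN": "carol@example.com", "DisplayName": "Carol Diaz", "Role": "Member"}, {"UPN": "servicedesk@example.com", "DisplayName": "Service Desk", "Role": "Owner"}]}
{"Operation": "MessageSent", "Workload": "MicrosoftTeams", "UserId": "alice@example.com", "ChatThreadId": "19:chat-0001@thread.v2"}
{"Operation": "ChatCreated", "Workload": "MicrosoftTeams", "UserId": "erin@example.com", "ChatThreadId": "19:chat-0004@thread.v2", "Members": [{"UPN": "erin@example.com", "DisplayName": "Erin Park", "Role": "Member"}, {"UPN": "support-team@contoso-support.onmicrosoft.com", "DisplayName": "Contoso HelpDesk", "Role": "Owner"}]}
"""


def _normalise(text: str) -> str:
    """Lower-case and collapse whitespace so matching is case-insensitive."""
    return " ".join(text.lower().split())


def domain_of(upn: str) -> str:
    """Return the lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def is_untrusted_external(upn: str, internal=INTERNAL_DOMAINS, trusted=TRUSTED_DOMAINS) -> bool:
    """True when the account belongs to neither our tenant nor an allow-listed one."""
    domain = domain_of(upn)
    return bool(domain) and domain not in internal and domain not in trusted


def matched_keyword(member: dict, keywords=HELPDESK_KEYWORDS, mode: str = "contains") -> Optional[str]:
    """Return the first keyword found in the member's display name or UPN local part.

    mode="contains" is the substring search the researchers recommend;
    mode="exact" requires the whole field to equal the keyword, which misses
    variants such as "IT Help Desk" or "Contoso HelpDesk".
    """
    display = _normalise(member.get("DisplayName", ""))
    local_part = _normalise(member.get("UPN", "").split("@")[0])
    for keyword in keywords:
        for field in (display, local_part):
            if (mode == "contains" and keyword in field) or (mode == "exact" and keyword == field):
                return keyword
    return None


def find_suspicious_chats(lines: Iterable[str], mode: str = "contains") -> list:
    """Scan JSON-lines audit records and report help-desk-style external chat initiators."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        # Only Teams ChatCreated events are relevant; other operations are skipped.
        if record.get("Workload") != "MicrosoftTeams" or record.get("Operation") != "ChatCreated":
            continue
        for member in record.get("Members", []):
            upn = member.get("UPN", "")
            if not is_untrusted_external(upn):
                continue  # internal staff and allow-listed partners are expected
            keyword = matched_keyword(member, mode=mode)
            if keyword:
                findings.append({
                    "chat": record.get("ChatThreadId"),
                    "target_user": record.get("UserId"),
                    "suspect": upn,
                    "suspect_domain": domain_of(upn),
                    "keyword": keyword,
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chats(SAMPLE_LOG.splitlines()):
        print(finding)
    print("exact-match findings:", find_suspicious_chats(SAMPLE_LOG.splitlines(), mode="exact"))
```

Run against the constructed log, the substring search flags the two chats started from unknown tenants by "IT Help Desk" and "Contoso HelpDesk", leaves the allow-listed partner and the internal service desk alone, and an exact-match search flags nothing, which is the gap the last recommendation warns about. In a real deployment the records would come from an audit log export or a SIEM query, and the allow list should mirror the trusted domains configured for Teams external access.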