Threat Bulletin

Alert essentials:

Microsoft Teams is being used to disseminate ransomware.

Restrict Teams to trusted domains and inform users of phishing and quishing attacks by Black Basta.

Email Team

Detailed threat description:

The Black Basta ransomware group has amended its technique for infiltrating hospital networks by posing as IT support.

Previously, the bad actors called the IT helpdesk, but now the focus has been moved to compromise via Microsoft Teams.

Attackers first flood a user’s email box with non-malicious emails like newsletters and sign-up confirmations. Then, Black Basta initiates contact through Microsoft Teams, pretending to be a legitimate IT staff member.

The threat actors request employees install remote access tools like AnyDesk or Quick Assist so they may help with troubleshooting.

To further convince users of their legitimacy, Black Basta’s newest campaign incorporates Quishing or the use of malicious QR codes distributed as if they contain legitimate IT troubleshooting files.

Once access is granted, malicious payloads leading to system infection and compromise are deployed. Finally, Cobalt Strike is utilized for lateral network distribution of ransomware files.

These campaigns are still evolving, and Black Basta’s post-exploitation techniques remain consistent with previous attacks. Therefore, networks can be monitored with existing security tools and detection rules.

However, this dangerous group can rapidly change Tactics, Techniques, and Procedures (TTPs) for their initial network access. By altering their TTPs for initial network access, the bad actors are more likely to confuse users and network administrators.

Impacts on healthcare organizations:

Healthcare organizations are prime targets due to their critical operations and sensitive data.

Recent major data breaches have resulted in massive amounts of personal and organizational data circulating on the dark and deep web.

Threat actors can use this data, making it straightforward to assemble a convincing narrative that quickly erupts into a network intrusion.

Successful network disruptions can halt patient care, compromise sensitive medical records, and lead to costly ransom demands.

Stay vigilant and continually strengthen network defenses.

Affected products / versions:

IOCs

These are some of the tenants used by attackers:

• cybersecurityadmin.onmicrosoft[.]com
• securityadminhelper.onmicrosoft[.]com
• supportserviceadmin.onmicrosoft[.]com
• supportadministrator.onmicrosoft[.]com

Some of the payloads being deployed are:

• “AntispamAccount.exe”
• “AntispamUpdate.exe”
• “AntispamConnectUS.exe”

Engineering recommendations:

• Limit external communication on Teams by restricting external chats to only trusted domains
• Ensure policies prevent unauthorized Teams’ communications
• Implement conditional access controls to authenticate and restrict unknown users
• Conduct regular training to ensure staff recognize phishing attempts and social engineering tactics
• Highlight the danger of unsolicited IT support contacts, especially from unknown or external sources
• Enable detailed logging for all communications, especially from external sources, and monitor for unusual activity on Microsoft Teams
• Investigate attempts to install remote access tools like AnyDesk, Quick Assist, or other unauthorized software
• Ensure strong endpoint security solutions are in place to detect and block remote access tools and malware

References:

• https://www.scworld.com/brief/microsoft-teams-exploited-in-latest-black-basta-attacks
• https://www.helpnetsecurity.com/2024/10/28/black-basta-operators-phish-employees-via-microsoft-teams/
• https://www.bleepingcomputer.com/news/security/black-basta-ransomware-poses-as-it-support-on-microsoft-teams-to-breach-networks/