Black Basta Ransomware Operators Using Microsoft Teams To Breach Organizations


The notorious ransomware group known as “Black Basta” has escalated its social engineering tactics to gain unauthorized access to organizations’ sensitive systems and data.

ReliaQuest, a leading cybersecurity firm, recently uncovered a sophisticated campaign involving the use of Microsoft Teams chat messages and malicious QR codes to facilitate initial access.


Black Basta, previously known for overwhelming users with email spam and posing as legitimate help-desk staff, has now advanced its techniques.

In recent incidents, the attackers have been using Microsoft Teams chat messages to communicate with targeted users, adding them to chats with external users operating from fraudulent Entra ID tenants.


These external users, masquerading as support, admin, or help-desk staff, use display names designed to deceive targeted users into believing they are communicating with genuine help-desk accounts.

ReliaQuest’s investigation revealed that the attackers’ actions often originated from Russia, with time zone data logged by Teams regularly featuring Moscow.

In addition to the use of Microsoft Teams, Black Basta has introduced QR codes into their phishing arsenal. Targeted users receive QR codes within these chats, disguised as legitimately branded company QR code images.

The domains used for this QR code phishing activity are tailored to match the targeted organization, with subdomains following a specific naming convention.

While the exact purpose of these QR codes remains unclear, it is suspected that they direct users to further malicious infrastructure, laying the groundwork for follow-up social engineering techniques and the deployment of remote monitoring and management (RMM) tools.

The Black Basta campaign poses a significant threat to organizations across diverse sectors and geographies.

ReliaQuest has observed an alarming intensity in the group’s activities, with one incident involving approximately 1,000 emails bombarding a single user within just 50 minutes.

Successful execution of malicious files downloaded through RMM tools has led to Cobalt Strike beaconing and the use of Impacket modules for lateral movement within compromised networks.

The ultimate goal of these attacks is almost certainly the deployment of ransomware.

To combat this evolving threat, ReliaQuest recommends several measures:

  • Blocking identified malicious domains and subdomains
  • Disabling communication from external users within Microsoft Teams or allowing specific trusted domains
  • Setting up aggressive anti-spam policies within email security tools
  • Enabling logging for Microsoft Teams, particularly the ChatCreated event, to facilitate detection and investigation
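As an added example (not code from the ReliaQuest report or this article), a small Python check over Microsoft 365 audit records that flags the pattern described above: a ChatCreated event whose members include an external user, from a tenant outside the organisation, whose display name imitates help-desk or admin staff. The record field names (Operation, Members, UPN, DisplayName, ChatThreadId, CreationTime), the internal domain and the sample records are assumptions constructed for the example, not taken from the page or the real audit schema.

```python
import json
import re

# Tenant's own verified domains (constructed placeholder); any other UPN domain is external.
INTERNAL_DOMAINS = {"example.com"}

# Display names that imitate the help-desk / support / admin personas described above.
IMPERSONATION_RE = re.compile(r"\b(help ?desk|service ?desk|support|it ?admin|admin)\b", re.I)

def is_external(upn: str) -> bool:
    """True when the member's UPN domain is not one of the tenant's own domains."""
    return upn.rpartition("@")[2].lower() not in INTERNAL_DOMAINS

def suspicious_members(record: dict) -> list:
    """External members of a ChatCreated record whose display name looks like an
    IT help-desk account; [] for any other operation or for a clean chat."""
    if record.get("Operation") != "ChatCreated":
        return []
    return [{"upn": m.get("UPN", ""), "display_name": m.get("DisplayName", "")}
            for m in record.get("Members", [])
            if is_external(m.get("UPN", "")) and IMPERSONATION_RE.search(m.get("DisplayName", ""))]

def scan(lines) -> list:
    """Run the check over JSON-per-line audit records; one alert per matching chat."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        hits = suspicious_members(rec)
        if hits:
            alerts.append({"time": rec.get("CreationTime"), "chat": rec.get("ChatThreadId"),
                           "members": hits})
    return alerts

# Constructed sample records; the field names are an assumed, simplified schema.
SAMPLE_LOG = [
    # Internal-only chat: an internal "IT Service Desk" account is legitimate, so no alert.
    '{"CreationTime":"2024-10-01T09:02:11","Operation":"ChatCreated","ChatThreadId":"19:c1@thread.v2",'
    '"Members":[{"UPN":"alice@example.com","DisplayName":"Alice Smith"},'
    '{"UPN":"servicedesk@example.com","DisplayName":"IT Service Desk"}]}',
    # External partner with an ordinary display name: no alert.
    '{"CreationTime":"2024-10-01T10:15:40","Operation":"ChatCreated","ChatThreadId":"19:c2@thread.v2",'
    '"Members":[{"UPN":"bob@example.com","DisplayName":"Bob Jones"},'
    '{"UPN":"pat@partner-vendor.test","DisplayName":"Pat Lee"}]}',
    # External member from an unknown tenant posing as "Help Desk": alert.
    '{"CreationTime":"2024-10-01T11:48:03","Operation":"ChatCreated","ChatThreadId":"19:c3@thread.v2",'
    '"Members":[{"UPN":"carol@example.com","DisplayName":"Carol Diaz"},'
    '{"UPN":"helpdesk@fake-tenant.onmicrosoft.test","DisplayName":"Help Desk"}]}',
    # Same impostor on a later, non-ChatCreated operation: outside this rule's scope.
    '{"CreationTime":"2024-10-01T11:49:10","Operation":"MessageSent","ChatThreadId":"19:c3@thread.v2",'
    '"Members":[{"UPN":"helpdesk@fake-tenant.onmicrosoft.test","DisplayName":"Help Desk"}]}',
]
```

Calling scan(SAMPLE_LOG) yields a single alert for chat 19:c3@thread.v2; pair it with the external-access allow-list from the list above so that the rule only has to cover the tenants you deliberately permit.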

Furthermore, organizations should ensure that employees remain vigilant against current social engineering tactics by providing ongoing training and awareness programs.

This vigilance should be paired with a robust defense-in-depth strategy, incorporating multiple layers of security measures such as firewalls, intrusion detection systems, and regular security audits.

As Black Basta continues to adapt their tactics, organizations must remain proactive in their cybersecurity efforts. By staying informed about the latest threats, implementing comprehensive security protocols, and fostering a culture of cybersecurity awareness, organizations can significantly reduce the risk of falling victim to these sophisticated ransomware attacks.



