The Black Basta ransomware group has stepped up its tactics, leveraging Microsoft Teams to deceive employees and gain unauthorised access to corporate networks. Traditionally known for email-based attacks, the group is now using Microsoft Teams to impersonate corporate IT help desk representatives, exploiting employees’ trust to trick them into installing remote access tools like AnyDesk. With these tools, attackers gain a foothold in the network, facilitating the installation of malicious payloads, including Cobalt Strike, for further network infiltration. This evolution in strategy highlights the adaptability of ransomware groups and the risks organisations face from overlooked communication channels.
The latest wave of attacks involves a combination of inbox flooding with benign spam emails and direct outreach through Microsoft Teams. Impersonating help desk personnel, attackers use deceptive account names and profiles designed to look like internal support to gain employees’ trust. Once a target is engaged, attackers persuade them to install remote access software, allowing attackers to deploy ransomware. The presence of these intrusions underscores the need for enhanced vigilance and security on platforms like Microsoft Teams.
Key Events
The attack highlights the increasing exploitation of internal communication tools and the need for comprehensive controls. Microsoft Teams should not be overlooked in organisational security policies. Restricting external user access on Teams, combined with strict logging and monitoring, can help identify and block unauthorised communications. Employee training is essential so that staff recognise and report suspicious contact, even when it appears to come from internal sources.
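The monitoring described above can be expressed as a correlation rule. The following is an added example, not taken from the cited reports or from any vendor tooling: it flags Teams chats from external tenants whose display name imitates IT support, then raises severity when the chat follows an inbox flood or precedes an AnyDesk launch. The event schema, field names, tenant names and thresholds are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Hypothetical normalised event schema; map your own mail, Teams and EDR logs onto it.
HOME_TENANT = "corp.example"            # assumed internal tenant name
LURE_WORDS = ("help desk", "helpdesk", "support", "service desk")
REMOTE_TOOLS = ("anydesk.exe",)         # remote access tool named in the article
FLOOD_WINDOW = timedelta(hours=1)       # assumed tuning values
FLOOD_THRESHOLD = 50
FOLLOWUP_WINDOW = timedelta(hours=2)

def is_lure_chat(ev):
    """True for a Teams chat from an external tenant posing as IT support."""
    if ev["type"] != "teams_chat" or ev["sender_tenant"] == HOME_TENANT:
        return False
    return any(w in ev["sender_display"].lower() for w in LURE_WORDS)

def detect(events):
    """Score each lure chat by the two corroborating signals around it."""
    alerts = []
    for chat in (e for e in events if is_lure_chat(e)):
        user, t = chat["user"], chat["ts"]
        flood = sum(1 for e in events if e["type"] == "email_in"
                    and e["user"] == user and t - FLOOD_WINDOW <= e["ts"] < t)
        tool = any(e["type"] == "process_start" and e["user"] == user
                   and e["image"].lower() in REMOTE_TOOLS
                   and t <= e["ts"] <= t + FOLLOWUP_WINDOW for e in events)
        score = int(flood >= FLOOD_THRESHOLD) + int(tool)
        alerts.append({"user": user, "sender": chat["sender_display"],
                       "emails_before": flood, "remote_tool": tool,
                       "severity": ("review", "high", "critical")[score]})
    return alerts

def sample_events():
    """Constructed events for three users; not real log data."""
    t0 = datetime(2024, 10, 25, 9, 0)
    at = lambda minutes: t0 + timedelta(minutes=minutes)
    ev = [{"ts": t0 + timedelta(seconds=30 * i), "type": "email_in", "user": "alice"}
          for i in range(80)]           # 80 benign-looking emails in 40 minutes
    ev += [
        {"ts": at(45), "type": "teams_chat", "user": "alice",
         "sender_display": "Help Desk", "sender_tenant": "supportdesk.example"},
        {"ts": at(58), "type": "process_start", "user": "alice", "image": "AnyDesk.exe"},
        {"ts": at(50), "type": "teams_chat", "user": "bob",
         "sender_display": "IT Support", "sender_tenant": HOME_TENANT},
        {"ts": at(55), "type": "teams_chat", "user": "carol",
         "sender_display": "Security Support Team", "sender_tenant": "partner.example"},
    ]
    return ev

if __name__ == "__main__": print(*detect(sample_events()), sep="\n")
```

On the constructed data, the genuine internal chat to bob produces no alert, the external chat to carol is queued for review, and alice's chat is escalated because both corroborating signals are present.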
Prevention Recommendations
As cybercriminals evolve their tactics, so too must organisations’ defences. The Black Basta ransomware group's shift to Teams-based social engineering reflects the need for a broader security net covering internal communication platforms. Strengthening Teams security, enhancing user awareness, and tightening controls around remote access tools are key steps to mitigating these sophisticated attacks.
Source and further reading.
Staff, S. (2024, October 28). Microsoft Teams exploited in latest Black Basta attacks. SC Media. https://www.scworld.com/brief/microsoft-teams-exploited-in-latest-black-basta-attacks
Abrams, L. (2024, October 25). Black Basta ransomware poses as IT support on Microsoft Teams to breach networks. BleepingComputer. https://www.bleepingcomputer.com/news/security/black-basta-ransomware-poses-as-it-support-on-microsoft-teams-to-breach-networks/
Abrams, L. (2022, April 28). New Black Basta ransomware springs into action with a dozen breaches. BleepingComputer. https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/