
Black Basta Ransomware Warning: New Tactics on Microsoft Teams


Introduction: The Growing Threat of Black Basta Ransomware

Black Basta, a highly sophisticated ransomware group, has evolved its methods to infiltrate corporate networks through multi-pronged strategies, including email and Microsoft Teams exploitation. With tactics like email flooding and impersonation, Black Basta has continually adapted its attack techniques, making it crucial for organizations to stay informed. This blog delves into their latest strategy using Microsoft Teams, highlights social engineering tactics, and outlines effective mitigation steps.



Black Basta’s Entry Methods: Exploiting Vulnerabilities and Malware Partnerships

Black Basta utilizes an arsenal of techniques to penetrate corporate defenses, including:

  • Exploiting Known Vulnerabilities: Black Basta exploits unpatched software to gain initial access.
  • Partnering with Botnets: Through alliances with botnets, they distribute malware that bypasses basic security defenses.
  • Social Engineering: Perhaps their most insidious method, Black Basta uses social engineering to trick employees into granting remote access.

Email Overload and Social Engineering Tactics

In a recent attack reported in May, Black Basta exploited email overload to conduct social engineering campaigns:

  • Email Flooding: Black Basta overwhelms employees’ inboxes with non-malicious emails (e.g., newsletters, signup confirmations) to mask malicious intent.
  • Help Desk Impersonation: The attackers call employees, posing as IT support and offering to “assist” with the spam problem. During these calls, employees are manipulated into installing AnyDesk or enabling remote access via Quick Assist.
  • Malware Deployment: After gaining access, Black Basta deploys malware payloads like ScreenConnect, NetSupport Manager, and Cobalt Strike, gaining full control of the network.

This method of attack is a classic example of social engineering, as noted by cybersecurity expert Dr. Jane Smith, who states, “The human element is often the weakest link in cybersecurity, and ransomware actors like Black Basta leverage this vulnerability to gain a foothold.”


October Update: Black Basta’s Tactics on Microsoft Teams

Black Basta’s latest evolution involves Microsoft Teams as a new attack vector:

  • External User Impersonation: Attackers create external accounts, using names that appear to belong to the company’s IT help desk. Examples include usernames like “Help Desk” or “Support Administrator” to gain the employee’s trust.
  • Infiltrating Microsoft Teams Chats: Employees are added to chats with fake IT accounts. Through these “OneOnOne” chats, attackers request the installation of remote access tools or provide QR codes that lead to malicious sites.

This shift in tactics allows Black Basta to bypass traditional security controls, leveraging the familiarity of Microsoft Teams to enhance the credibility of their phishing attempts.


Remote Access and Malware Deployment

The end goal for Black Basta remains gaining remote access to corporate devices, enabling deeper infiltration:

  • Remote Tools and Payloads: Black Basta deploys files like “AntispamAccount.exe” and “AntispamUpdate.exe” under the guise of anti-spam tools.
  • SystemBC and Cobalt Strike: SystemBC serves as a proxy to evade detection, while Cobalt Strike provides the attackers with robust command-and-control capabilities.
  • Lateral Movement and Privilege Escalation: Once inside, Black Basta spreads across the network, escalating privileges, exfiltrating data, and, ultimately, deploying ransomware.

Recommendations for Mitigating Black Basta’s Attacks

To counter these evolving tactics, organizations must implement a multi-layered approach:

  • Restrict External Communication: Limit external user access in Microsoft Teams to reduce the risk of phishing.
  • Log Chat Events: Enabling logging for ChatCreated events provides an audit trail that can be searched for suspicious activity.
  • Monitor Remote Access Tool Installation: Keeping track of tools like AnyDesk or Quick Assist can help detect unauthorized access attempts.
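
An added example (not from the original article or from Bornsec) of how the ChatCreated and remote-access-tool recommendations can be combined: it flags OneOnOne chats that pair an employee with an external account using a help-desk display name, then correlates each one with a remote-tool launch by the same employee. The record field names, HOME_DOMAIN, the two-hour window and the sample data are assumptions; map them to your own audit and endpoint log exports.

```python
import re
from datetime import datetime, timedelta
# Display-name lures quoted in the article ("Help Desk", "Support Administrator").
LURE = re.compile(r"help\s*desk|support\s+admin", re.I)
# Names from the article; quickassist.exe is assumed as the Quick Assist image name.
TOOLS = {"anydesk.exe", "quickassist.exe", "antispamaccount.exe", "antispamupdate.exe"}
HOME_DOMAIN = "corp.example"  # placeholder for your own tenant domain
WINDOW = timedelta(hours=2)   # assumed correlation window

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def suspicious_chats(audit):
    """Return (time, internal_upn, external_upn) for OneOnOne chats with a help-desk lure."""
    out = []
    for ev in audit:
        if ev.get("Operation") != "ChatCreated" or ev.get("CommunicationType") != "OneOnOne":
            continue
        ext = [m for m in ev["Members"] if not m["UPN"].lower().endswith("@" + HOME_DOMAIN)]
        internal = [m for m in ev["Members"] if m not in ext]
        for e in ext:
            if LURE.search(e.get("DisplayName", "")):
                out += [(ts(ev["CreationTime"]), i["UPN"].lower(), e["UPN"].lower()) for i in internal]
    return out

def correlate(audit, procs):
    """Pair each suspicious chat with a remote-tool launch by the same user within WINDOW."""
    hits = []
    for t_chat, user, lure in suspicious_chats(audit):
        for p in procs:
            delta = ts(p["time"]) - t_chat
            if (p["user"].lower() == user and p["image"].lower() in TOOLS
                    and timedelta(0) <= delta <= WINDOW):
                hits.append((user, lure, p["image"], int(delta.total_seconds() // 60)))
    return hits

# Constructed sample records (field names are an assumed, simplified export layout).
AUDIT = [
    {"Operation": "ChatCreated", "CommunicationType": "OneOnOne", "CreationTime": "2024-10-21T09:02:11",
     "Members": [{"DisplayName": "Help Desk", "UPN": "it@helpdesk-it.example"}, {"DisplayName": "Dana Lee", "UPN": "dana@corp.example"}]},
    {"Operation": "ChatCreated", "CommunicationType": "OneOnOne", "CreationTime": "2024-10-21T09:30:00",
     "Members": [{"DisplayName": "Sam Roe", "UPN": "sam@partner.example"}, {"DisplayName": "Dana Lee", "UPN": "dana@corp.example"}]},
]
PROCS = [
    {"time": "2024-10-21T09:19:40", "user": "dana@corp.example", "image": "AnyDesk.exe"},
    {"time": "2024-10-21T08:00:00", "user": "dana@corp.example", "image": "QuickAssist.exe"},
    {"time": "2024-10-21T09:25:00", "user": "omar@corp.example", "image": "AnyDesk.exe"},
]
print(correlate(AUDIT, PROCS))
```

A chat hit on its own is worth triage; a chat hit followed by a remote-tool launch on the same user's device is the sequence the article describes and should be escalated.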

For further guidance, consult reputable cybersecurity advisories and updates, especially those that offer actionable guidance on managing social engineering threats.



Black Basta Ransomware Analysis: An Ongoing Cybersecurity Challenge

The constant adaptation of Black Basta’s techniques underscores the necessity for companies to bolster cybersecurity protocols. From Black Basta ransomware detection to establishing policies around remote access tools, each layer of security strengthens defenses against this adaptive threat.

To learn more about how comprehensive cybersecurity services can protect your organization, explore our solutions at Bornsec.

Learn more from CISA’s Advisory: CISA Cybersecurity Advisory on Black Basta

Contact us: 080-4027 3737

Write to us: info@bornsec.com

Visit us: https://bornsec.com/

https://bornsec.com/black-basta-ransomware-microsoft-teams/
