The Black Basta ransomware penetrates corporate networks by posing as IT support on Microsoft Teams.

 

Black Basta ransomware cover

The well-known ransomware gang Black Basta has been active since April 2022 and uses more complex social engineering techniques, such as posing as Microsoft Teams IT help to compromise business networks. Black Basta first gained notoriety by using voice-based phishing and email to target businesses all around the world. However, their most recent strategy makes use of corporate communication channels, which presents fresh cybersecurity risks.

Background and Evolution of Black Basta

Shortly after the Conti cybercrime syndicate was disbanded in June 2022 due to multiple high-profile data breaches, Black Basta came into being. Some former Conti members are thought to have founded Black Basta, while others probably joined other groups. Since then, this ransomware group has established a reputation for effectively breaking into high-value business targets by combining social engineering and technical hacking techniques.

The ransomware gang uses a variety of techniques, including as taking advantage of software flaws, using malware botnets, and using social engineering techniques that have been carefully planned. Cybersecurity companies Rapid7 and ReliaQuest revealed in May that Black Basta had started a novel campaign that sent thousands of innocuous yet overwhelming emails to staff members. Then, pretending to be IT help desk professionals, the attackers called the impacted employees to offer “support” in handling the spam. In order to obtain control over their machines, they persuaded staff members to allow remote access during these calls by installing programs like AnyDesk or turning on Windows Quick Assist. After gaining access, the attackers used programs like ScreenConnect, NetSupport Manager, and Cobalt Strike to investigate additional networked systems, increase their level of privilege, and release the final ransomware payload.

New Tactic: Targeting Employees on Microsoft Teams

ReliaQuest reported in October 2023 that Black Basta affiliates had changed their approach and were now approaching staff members using Microsoft Teams rather than by phone. Similar to earlier efforts, the attackers started these exchanges by flooding the targeted employee’s inbox with harmless spam emails. However, instead of making phone calls, attackers now pretended to be from the IT help desk and addressed staff members on Microsoft Teams as external users. The attackers created profiles under Entra ID tenants with names like these to increase credibility:

  • securityadminhelper.onmicrosoft.com
  • supportserviceadmin.onmicrosoft.com
  • cybersecurityadmin.onmicrosoft.com

In each instance, they created usernames that looked like authentic help desk accounts, frequently enclosing “Help Desk” in display names with spaces to give them a centered, authoritative appearance. “OneOnOne” chats were usually added to targeted employees, giving the impression that they were a secure, confidential route of communication.

ReliaQuest claims that Black Basta associates included QR codes in these conversations as well. Although it’s unclear exactly how these codes are used, they link to websites like qr-s1[.]com, which could be another way to infect targeted devices with malicious software.

Tactics and Malware Deployed

Black Basta wants to remotely access the victim’s machine after gaining traction through Microsoft Teams. Often, they ask the worker to start Windows Quick Assist or install remote assistance software like AnyDesk. After connecting, they spread a variety of payloads with deceptive names like “AntispamAccount.exe,” “AntispamUpdate.exe,” and “AntispamConnectUS.exe.” Among these tools is SystemBC, a proxy malware that the gang has used in the past to conceal its actions and increase their persistence on hacked machines.

In order to allow attackers to travel laterally throughout the network, Black Basta eventually downloads Cobalt Strike, a penetration-testing program that has been transformed into a hacking utility. They can deploy the ransomware encryptor, increase rights, and harvest valuable data if they have complete access, which might have a significant negative operational and financial impact on the targeted firm.

Prevention and Mitigation Measures

Cybersecurity professionals recommend the following defensive tactics to thwart these kinds of social engineering attacks:

  • Restrict External Communication on Microsoft Teams: Restrict the number of messages that external users can send. Only permit communication from trustworthy domains when it is required to communicate with external contacts.
  • Implement Robust Logging: It is easier to spot any questionable chats started by outside users when logging for particular events, such as ChatCreated on Microsoft Teams, is enabled.
  • Employee Training and Awareness: Early detection and prevention require ongoing training on spotting phishing efforts, especially in well-known communication platforms like Microsoft Teams.
  • Enhanced Network Monitoring: Unusual activity, such the installation of malicious payloads or unapproved remote tools, can be identified with the use of technologies like Network Detection and Response (NDR).

Black Basta emphasizes the significance of proactive and multi-layered cybersecurity measures for contemporary businesses by consistently modifying their strategies and utilizing reliable corporate communication tools. Reviewing and modifying security policies should be a top priority for cybersecurity teams in order to counteract changing technical and social engineering threats.

Read More:

 

Scroll to Top