Source URL: https://www.theregister.com/2025/01/22/ransomware_crews_abuse_microsoft_teams/
Source: The Register
Title: Ransomware scum make it personal for *Reg* readers by impersonating tech support
Feedly Summary: That invitation to a Teams call on which IT promises to mop up a spamstorm may not be what it seems
Two ransomware campaigns are abusing Microsoft Teams to infect organizations and steal data, and the crooks may have ties to Black Basta and FIN7, according to Sophos.…
AI Summary and Description: Yes
Summary: The text details two separate ransomware campaigns using Microsoft Teams to compromise organizations, with indications of ties to known threat groups Black Basta and FIN7. It emphasizes the evolving tactics employed by these groups, particularly how they exploit Microsoft services and rely on socially engineered attacks to gain access to targets.
Detailed Description:
The analysis provided by Sophos identifies two ransomware groups, STAC5143 and STAC5777, and outlines their methods for infiltrating organizations via Microsoft Teams—highlighting significant trends in ransomware deployment and targeted attacks.
– **Campaigns Overview**:
  – **STAC5143**: Linked to FIN7. The intrusion was first detected after a flood of email spam, followed by Microsoft Teams interactions in which the attackers posed as IT personnel.
  – **STAC5777**: Associated with Black Basta. This group mimicked internal IT communications to talk victims into handing over control of their devices.
– **Attack Mechanism**:
  – **Initial Access**:
    – Email spam campaigns were the first step in both campaigns, followed by Microsoft Teams calls from fake help desk accounts.
  – **Installation of Malware**:
    – Attackers guided users to install remote access tools (such as Microsoft's Quick Assist), giving them direct control of the device.
    – The malware dropped included Java archives and Python-based backdoors used for reconnaissance and exploitation.
  – **Complex Tactics**:
    – Used operational security practices (such as Virtual Private Servers in several different countries) to obscure their tracks.
    – Employed techniques to bypass security controls, such as side-loading malicious DLLs through legitimate processes (e.g., OneDrive).
– **Targets and Methods**:
  – Focused on smaller organizations across diverse sectors, a departure from the larger targets usually chosen by these threat groups.
  – Included attempts to uninstall security measures such as multi-factor authentication during lateral movement within networks.
– **Key Insights for Security Professionals**:
  – The report underscores the importance of vigilance regarding communication through collaboration tools such as Microsoft Teams, which are increasingly being abused.
  – Emphasizes the need to train employees to recognize phishing attempts and social engineering.
  – Stresses the adoption of advanced endpoint protection and monitoring tools to detect and respond to such attacks early.
  – Highlights the value of threat intelligence sharing for understanding the evolving tactics of criminal organizations.
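The Attack Mechanism section describes a chain a defender can correlate in endpoint telemetry: a Quick Assist session followed shortly by OneDrive.exe loading an unsigned DLL from a user-writable path (the side-loading step). The script below is an added illustration, not code from Sophos or The Register; the event schema, the `signed` field and the sample events are constructed assumptions, and the DLL name is a placeholder.

```python
"""Correlate a Quick Assist session with a suspicious DLL load by OneDrive.exe.
Added example; the EDR-style event schema and sample telemetry are constructed."""
from datetime import datetime, timedelta

QUICK_ASSIST = "quickassist.exe"
ONEDRIVE = "onedrive.exe"
USER_WRITABLE_PREFIX = "c:\\users\\"

# Constructed sample telemetry: ws-12 shows the described chain, ws-07 does not.
SAMPLE_EVENTS = [
    {"ts": "2025-01-20T09:00:00", "host": "ws-12", "type": "process_start",
     "image": r"C:\Windows\System32\QuickAssist.exe"},
    {"ts": "2025-01-20T09:07:30", "host": "ws-12", "type": "image_load",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "module": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\PLACEHOLDER_sideloaded.dll",
     "signed": False},
    {"ts": "2025-01-20T11:00:00", "host": "ws-07", "type": "image_load",
     "image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "module": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"ts": "2025-01-20T13:00:00", "host": "ws-07", "type": "process_start",
     "image": r"C:\Windows\System32\QuickAssist.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_load(ev):
    """Unsigned module loaded by OneDrive.exe from a user-writable location."""
    return (ev["type"] == "image_load" and basename(ev["image"]) == ONEDRIVE
            and not ev.get("signed", False)
            and ev["module"].lower().startswith(USER_WRITABLE_PREFIX))

def correlate(events, window_minutes=30):
    """Alert on hosts where a Quick Assist start precedes a suspicious load."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        last_qa = None  # most recent Quick Assist start on this host
        for ev in evs:
            t = datetime.fromisoformat(ev["ts"])
            if ev["type"] == "process_start" and basename(ev["image"]) == QUICK_ASSIST:
                last_qa = t
            elif (suspicious_load(ev) and last_qa is not None
                  and t - last_qa <= timedelta(minutes=window_minutes)):
                alerts.append({"host": host, "quick_assist_at": last_qa.isoformat(),
                               "load_at": ev["ts"], "module": ev["module"]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The signature check relies on whatever the telemetry source reports; on its own, a DLL path under the user profile is not enough, since OneDrive legitimately runs from there.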
The information encapsulated in the report is crucial for cybersecurity professionals tasked with safeguarding organizational assets and protecting against the rising threat of ransomware utilizing legitimate platforms for exploitation.