Microsoft Teams has become an integral part of business life, but it also represents a sure-fire malware opportunity for threat actors.
Teams can be used for videoconferencing, voice calls, file sharing, and numerous collaborative processes, so it’s no surprise that it’s become extremely popular. This growth has accelerated significantly since the pandemic, and with over 320 million daily active users of Teams, it’s clear to see why threat actors view it as such an attractive target. The latest attack of note to strike Teams has been carried out by the Black Basta malware, last seen on these pages targeting US businesses in 2022.
As many of our readers are regular users of Teams, we decided it would be beneficial to shed light on this attack to help you reinforce your defenses.
Black Basta Strikes Again
The attack starts when a threat actor launches an onslaught of junk emails into a victim’s inbox. Naturally, this is an irritating situation, so when an offer of help is received via a Microsoft Teams message, it sounds like a lifesaver. This ‘help’ involves downloading a remote management tool – such as TeamViewer or Quick Assist – in order for the mysterious helper to connect to the PC in question and investigate the problem.
However, granting access is a huge mistake as it gives them full control over the PC in question. Therefore, the threat actor is able to begin downloading malware onto the target PC which harvests data. Of particular interest to the malware are login credentials, VPN configuration files, and multi-factor authentication tokens. These powerful slices of data then allow remote access to the PC without a single security question being raised.
Researchers have found that malware such as DarkGate and Zbot is being utilized by the threat actors during the attack, and that they’re posing as members of the targeted organization’s IT team. It’s also been reported that the threat actors have, at least once, attempted to use a QR code to trick a user into giving up their login credentials.
Shield Yourself from Black Basta Attacks
Handing over even a single set of login credentials can have catastrophic consequences for your IT infrastructure. With a foothold in your defenses, a threat actor can quickly establish themselves within your system, stealing data, encrypting files, and damaging hardware. Therefore, you should be mindful of attacks such as Black Basta.
The best safety essentials to employ are:
- Standardize Your Remote Management Tools: make sure that you take a consistent approach with remote management tools. For example, stick to using one particular tool – such as TeamViewer – and ensure this is the only one installed on your PCs. Additionally, make sure that staff are aware that your chosen tool is the only one to be trusted, but even this should be scrutinized.
- Restrict External Communication in Teams: It’s possible to block external Teams users from interacting with your employees, so it may be beneficial to put this in place. This ensures that all communication taking place within your Teams system involves only authorized employees, minimizing the risk of rogue communications being spread.
- Educate Your Employees: human error remains the leading cause of cyber attacks, so this is an area you need to pay close attention to. Training your employees to identify a social engineering campaign is crucial, and could help prevent your IT infrastructure being taken over by threat actors. Make this part of your onboarding processes and conduct regular refreshers with existing staff.
For more ways to secure and optimize your business technology, contact your local IT professionals.
