Black Basta group uses Microsoft Teams chat function

The ransomware group known as "Black Basta" has developed a new mechanism that exploits the chat function of Microsoft Teams to establish contact.

The Black Basta ransomware group operates worldwide and is known to spam users with emails, posing as helpdesk staff in order to steal data and gain access. This method has now apparently been modified so that Microsoft Teams chat messages are used to contact employees in companies.

As the cyber security company ReliaQuest reported, Black Basta's new method uses Microsoft Teams chat messages to engage company employees in conversations. The criminals pretend to be support, administrator or helpdesk staff in order to gain the trust of the victims.

In some cases, company employees are said to have been invited to MS Teams chat groups by the Black Basta group. Once in the group, it was apparently easy to establish contact. QR codes are then used to lure employees to external sites. These sites are tailored to the target organization in question and can often only be distinguished from genuine company websites by carefully checking the subdomain.

ReliaQuest recommends several measures to protect against this new phishing method. These include blocking suspicious domains and subdomains, blocking communication from external users within Microsoft Teams and cleanly defining trusted domains. ReliaQuest also recommends activating the logging function in MS Teams to facilitate the early detection and investigation of incidents.
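The subdomain check and the "trusted domains" definition mentioned above can be automated on the defender's side, for example for URLs decoded from QR codes or reported chat messages. The following is an added example, not code from ReliaQuest or heise; the domain `examplecorp.example`, the brand token and all sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the organization actually owns (assumption).
TRUSTED_DOMAINS = {"examplecorp.example"}
# Constructed brand strings that lookalike hosts tend to embed (assumption).
BRAND_TOKENS = {"examplecorp"}


def normalize_host(url):
    """Return the lowercase ASCII hostname of a URL, or None if unusable."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
    except ValueError:
        return None
    # .hostname drops userinfo ("user@") and port, and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return None
    try:
        # Convert internationalized names to their punycode (xn--) form.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def classify(url):
    """Classify a URL as 'trusted', 'suspicious', 'external' or 'invalid'."""
    host = normalize_host(url)
    if host is None:
        return "invalid"
    # Trusted only on an exact match or a match on a label boundary, so
    # "notexamplecorp.example" does not pass as "examplecorp.example".
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    labels = host.split(".")
    # An untrusted host that embeds the brand, or uses punycode labels,
    # is the pattern that is only visible when reading the full hostname.
    if any(label.startswith("xn--") for label in labels):
        return "suspicious"
    if any(token in label for label in labels for token in BRAND_TOKENS):
        return "suspicious"
    return "external"
```

A "suspicious" result is a heuristic for triage, not proof of phishing; "external" hosts still fall under whatever policy applies to untrusted domains.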

As reported by heise online, previous methods have already damaged over 500 organizations internationally, including several hospitals. In Germany, for example, the arms manufacturer Rheinmetall was one of the victims. According to the FBI, the victims paid a total of over 100 million US dollars to the criminal group to unlock encrypted data.

(nen)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.