Ransomware groups pose as fake tech support over Teams – CyberScoop
Researchers at cybersecurity firm Sophos are tracking multiple clusters of hacking activity leveraging Microsoft 365 instances, Microsoft Teams and email bombing tactics to deliver ransomware.
In new research released Tuesday, the company said it had identified at least two distinct clusters of hacking activity using the tactics to infect targets between November and December 2024.
First, several individuals at an organization are inundated with emails — up to 3,000 in 45 minutes in some cases. The sheer volume of spam is designed to overwhelm the target’s inbox and “create a sense of urgency” that may push them to reach out to IT for assistance, the researchers said.
Then, using an external Teams account, the hackers message one of the targets over Microsoft Teams, posing as the organization’s IT support or a “Help Desk Manager.” Under the guise of assistance, the actors push the victim to permit a remote screen control session through Teams or Microsoft Quick Assist, which is then used to create command shells, access an external SharePoint file and deploy malware on the victim’s device.
With a command and control channel established, the attackers then use the target’s credentials to disable multifactor authentication and antivirus protections, connect to other hosts on the network and move laterally to compromise other systems.
Sean Gallagher, principal threat researcher at Sophos and one of the authors of the research, told CyberScoop that his group has observed these tactics being used against multiple individuals and at least 15 organizations, most of which were blocked before they could compromise targeted devices.
Posing as tech support is a well-known social engineering scheme for malicious hackers, and has been used by cybercriminal groups like Lapsus$ to compromise large, multinational businesses. But the targeting of Office 365 and Teams has come mainly against smaller organizations and reflects how threat groups have increasingly capitalized on the rush by small and mid-sized businesses to move to the cloud and digitize, particularly in the wake of the COVID-19 pandemic.
For many of these smaller organizations, using unfamiliar software like Microsoft Office 365, Teams, and Azure for the first time left them vulnerable to attackers.
“It’s a much more lucrative target now for cybercriminals to go after Office 365 infrastructure, especially when it’s tied so intimately to internal infrastructure and data systems,” Gallagher said.
The use of external Teams accounts to pose as tech support highlights the weaknesses that can be created when new technologies are integrated into an organization without custom configuration and employee awareness. Many organizations, Gallagher contends, are unaware that the default setting in their Microsoft Teams software allows for external actors to message employees through the app while posing as tech support, something that can make them more vulnerable to phishing and social engineering schemes.
Organizations frequently rely on legitimate external tech support through third-party managed security providers (MSPs), so such contact isn’t unusual. Further, standard anti-phishing training tends to focus on good password hygiene and identifying fake emails, rather than detecting fake tech support staff.
“Nobody is trained on the whole idea of: you have an inbound call from someone who’s your IT support, you just had an IT problem, and you may have already put in a trouble ticket for IT. How do you assure that the person who’s calling you on your internal communications system is in fact your IT person?” Gallagher said.
There are at least two groups that have been observed carrying out this infection chain, both with technical connections to bigger players in the cybercrime ecosystem. One, STAC5143, shares technical overlaps and code obfuscation tactics with the FIN7 cybercriminal gang. The other, STAC5777, uses tactics similar to Storm-1811, a threat actor that uses similar social engineering tactics to deliver Black Basta ransomware code.
Gallagher highlights that while Storm-1811 and FIN7 are both sophisticated groups that share significant tools and tactics, entities like FIN7 sell their software and phishing kits to other cybercriminal groups, complicating attribution to a specific actor.
Additionally, CISA warned about these tactics being used to deliver Black Basta in November.
Organizations should scrutinize their configurations and default settings to prevent these attack vectors, Sophos recommended. For employees, having some familiarity with how their employer’s IT help desk process works in advance, or simply knowing the name or email of your IT support staff, can help guard against this kind of exploitation.
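As an added illustration (not Sophos’ or CyberScoop’s code, and using constructed log rows rather than any indicator from the report), here is a small correlation check for the sequence described above: a mail flood on one mailbox followed by an external Teams chat whose sender claims to be the help desk. The log format, domains, names and thresholds are assumptions.

```python
"""Constructed example: flag a mail flood followed by an external Teams chat
from a sender posing as IT. Not Sophos' tooling; no real IoCs are used."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. Mail rows: (time, recipient). Teams rows: (time, recipient,
# sender, display_name, is_external). Domains and names are placeholders.
MAIL_LOG = [("2024-12-03 09:00:00", "alice@example.org")] * 60 + \
           [("2024-12-03 09:30:00", "alice@example.org")] * 60 + \
           [("2024-12-03 09:05:00", "bob@example.org")] * 3
TEAMS_LOG = [
    ("2024-12-03 09:50:00", "alice@example.org", "admin@contoso-helpdesk.example", "Help Desk Manager", True),
    ("2024-12-03 10:10:00", "bob@example.org", "it@example.org", "IT Support", False),
    ("2024-12-03 11:00:00", "carol@example.org", "vendor@partner.example", "Account Manager", True),
]
HELPDESK_TERMS = ("help desk", "helpdesk", "it support", "service desk")

def mail_bursts(log, threshold=100, window=timedelta(minutes=45)):
    """Return {recipient: start_of_burst} where >= threshold mails land in one sliding window.
    threshold is an assumed tuning value; the report cites up to 3,000 mails in 45 minutes."""
    per_user = defaultdict(list)
    for ts, rcpt in log:
        per_user[rcpt].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    bursts = {}
    for rcpt, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[rcpt] = times[start]
                break
    return bursts

def helpdesk_impersonation(log):
    """External Teams senders whose display name claims to be IT or the help desk."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), rcpt, sender)
            for ts, rcpt, sender, name, external in log
            if external and any(term in name.lower() for term in HELPDESK_TERMS)]

def correlate(mail_log, teams_log, lookback=timedelta(hours=4)):
    """Recipients hit by a mail flood and then, within `lookback`, an external 'help desk' chat."""
    bursts = mail_bursts(mail_log)
    return sorted({rcpt for t, rcpt, sender in helpdesk_impersonation(teams_log)
                   if rcpt in bursts and timedelta(0) <= t - bursts[rcpt] <= lookback})

if __name__ == "__main__":
    print(correlate(MAIL_LOG, TEAMS_LOG))   # ['alice@example.org']
```

Bob’s chat is from an internal account and Carol had no mail flood, so only Alice’s mailbox produces an alert; the same check can be fed from real mail-gateway and Teams audit exports once their columns are mapped to these tuples.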
For malware analysis, detection rules and indicators of compromise associated with these campaigns, see Sophos’ full research here.