These hackers are getting more clever by the minute. Now they’re tricking people into giving up their access credentials by pretending to be the fixers of their own attacks.
And it should come as no surprise that Microsoft Teams is the primary attack surface.
Here’s what’s happening as reported by CyberSecurity News:
An attack group that may be linked to the ransomware group Black Basta identifies a Microsoft Teams user via his or her email address, and sends a flurry of spam emails to the person’s email inbox.
These spam messages barely even pretend to be legitimate. They’re spam and they’re supposed to look and feel like spam. That’s their plan.
The user is sitting there thinking, “How do I stop all these spams from hitting my inbox?”
Then a message arrives via Microsoft Teams – or so it seems. The sender identifies itself as the IT department, explaining that it’s aware of the spam problem the user has been having and assuring the user that help is available.
The exasperated user, who just wants the spams to stop, is asked to launch Quick Assist. This is a legitimate tool created by Microsoft, which enables remote support personnel to gain access to your computer and fix problems.
But in this case, it’s social engineering at its most notorious. That’s not a legitimate help desk asking for access to your computer. It’s a hacker group. And once you give it access, the hackers deploy digitally signed MSI installers disguised as Microsoft Teams-related components and CrossDeviceService packages.
It gets worse. Once the malicious code is running, the attackers also use techniques to frustrate defenses – even mimicking the normal behavior of Windows and Microsoft software to avoid detection.
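The chain above (mail flood, then an external Teams chat posing as IT, then a Quick Assist launch) is the same sequence summed up later in the post as "flood your email with spams and then offer a solution", and each step leaves a trace a defender can correlate. The following is an added illustration, not code from CyberSecurity News, UBX Cloud, or Microsoft. It runs over a small set of constructed events and assumes simplified field names (`kind`, `external`, `image`) rather than any real log schema; the thresholds and lookahead windows are assumed starting points, not tuned values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for one tenant (not real logs). Assumed field names:
# "kind" is one of email / teams_chat / process; "external" marks a chat from a
# user outside the tenant; "image" is the launched executable name.
SAMPLE_EVENTS = [
    {"ts": f"2024-11-01T09:{i // 2:02d}:{(i % 2) * 30:02d}", "user": "alice",
     "kind": "email", "sender_domain": f"bulk{i}.example"}
    for i in range(40)                       # 40 junk mails in 20 minutes
] + [
    {"ts": "2024-11-01T09:41:00", "user": "alice", "kind": "teams_chat",
     "external": True, "display_name": "Help Desk"},
    {"ts": "2024-11-01T09:47:00", "user": "alice", "kind": "process",
     "image": "QuickAssist.exe"},
    # Benign control: bob launches Quick Assist with no preceding flood or chat
    {"ts": "2024-11-01T10:00:00", "user": "bob", "kind": "process",
     "image": "QuickAssist.exe"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def email_bursts(events, threshold=25, window=timedelta(minutes=15)):
    """Return {user: time the burst was first detected} for users whose inbox
    received at least `threshold` messages inside any `window`-long span.
    Uses a sliding window over the sorted arrival times."""
    per_user = defaultdict(list)
    for e in events:
        if e["kind"] == "email":
            per_user[e["user"]].append(parse_ts(e["ts"]))
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = t
                break
    return bursts


def correlate(events, lookahead=timedelta(hours=4)):
    """Chain the three stages from the post: mail flood -> external Teams chat
    -> Quick Assist launch. Emits one alert per user who reaches stage 2 or 3;
    severity rises to "high" only once the remote-assistance tool starts."""
    alerts = []
    for user, burst_at in email_bursts(events).items():
        chats = sorted(
            parse_ts(e["ts"]) for e in events
            if e["user"] == user and e["kind"] == "teams_chat" and e.get("external")
            and burst_at <= parse_ts(e["ts"]) <= burst_at + lookahead)
        if not chats:
            continue            # a flood alone is noisy; wait for the "helper"
        chat_at = chats[0]
        launches = [
            parse_ts(e["ts"]) for e in events
            if e["user"] == user and e["kind"] == "process"
            and e.get("image", "").lower() == "quickassist.exe"
            and chat_at <= parse_ts(e["ts"]) <= chat_at + lookahead]
        stages = ["email_burst", "external_teams_chat"]
        if launches:
            stages.append("quick_assist_launch")
        alerts.append({"user": user,
                       "severity": "high" if launches else "medium",
                       "stages": stages})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running it flags only alice, at high severity, because all three stages line up in order; bob's lone Quick Assist launch produces nothing. Keying the final escalation on the order of events, rather than on any single one of them, is what keeps a legitimate help-desk session or an ordinary spam wave from paging anyone.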
There are two lessons the business community needs to take from this – one specific and one more general.
The specific one is that Microsoft Teams is not just a collaboration app. It is very much an entry portal for attackers to connect to your team members and trick them into granting access to your system. You need to treat it as such and fully secure it. As Deep Throat told Fox Mulder: Trust no one.
The general one is that no platform is really secure, especially if your employees haven’t been trained on how to recognize tricks.
The hackers are like the guy who leads a game of Simon Says. On the surface it’s simple. You don’t do anything unless he first says Simon Says. But these guys are very tricky, and they use misdirection to make you lose your focus on that.
That’s what the hackers do. Flood your email with spams and then offer a solution. Reach out with what appears to be an urgent situation. Use deep fakes to impersonate your CEO and ask you to do things you would normally not do.
If you bring in UBX Cloud, we can deploy our experienced team and our first-rate tech bundle to fend off these creeps – or at the very least make sure you’ve got a good copy of your data so you don’t have to pay the ransom.
We have saved clients from paying $27 million in ransoms. UBX Cloud does not negotiate with terrorists!
But you’ve got to teach your people – nothing and no one should simply be trusted on its face, no matter how urgent or important it may seem, and no matter how frustrated they may be in the moment.
We hate to say it, but this is not a time in the world when trust should be offered lightly.