Microsoft Teams: A New Vector for Ransomware Attacks
Sophisticated ransomware attacks are leveraging Microsoft Teams, a popular collaboration platform, to target employees and compromise corporate networks. Cybersecurity firm Sophos recently uncovered two distinct groups, dubbed STAC5143 and STAC5777, employing this tactic.
These ransomware attacks utilize a multi-stage approach combining phishing attacks and the abuse of Microsoft Teams features.
The attackers initiate their campaigns with email-bombing—sending thousands of spam emails in a short period to overwhelm recipients’ inboxes and create a sense of urgency.
Exploiting Teams Features for Malicious Gain
Following this, they employ Microsoft Teams, sending messages and making calls, often posing as legitimate tech support.
“Threat actors are using spam emails, sending Microsoft Teams messages and even making Teams calls to employees with the intention of taking over their devices for data theft and to make ransomware demands,” reports Sophos.
A key element of these ransomware attacks is the exploitation of Microsoft Teams’ ability to allow external users to initiate conversations with internal users.
The attackers use their own Office 365 tenants to bypass security measures. Once contact is established, they use social engineering tactics to convince victims to grant remote access to their computers.
Python Malware Deployed Through Microsoft’s Quick Assist or Teams Screen Sharing
This access is often gained through Microsoft’s Quick Assist or Teams screen sharing. Once inside, the attackers deploy malware, often via a SharePoint file store.
In one instance, a Python malware payload was used to steal network domain server information, system details, configuration data, and user credentials.
The attackers further expand their access by using stolen credentials to gain VPN access and conduct lateral movement within the network. In one case, they attempted to deploy Black Basta ransomware, though this was prevented by endpoint protection software.
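The chain described above (email bombing, then an unsolicited Teams contact from an outside tenant, then a Quick Assist or screen-sharing session) is what a defender would want to correlate rather than alert on piecemeal. The following is an added example, not code from the article or from Sophos: a small correlation detector that runs over constructed events of the three kinds a SIEM would typically hold. The event schema, field names, tenant domain, thresholds and all sample values are assumptions made for the example.

```python
"""
Added example (not from the article or Sophos): correlate the three stages of
the Teams-based intrusion chain from normalised log events.

Assumed event kinds (constructed schema, not a real product's format):
  - "mail":           an inbound message delivered to an internal user
  - "teams_contact":  a Teams chat or call to an internal user; detail is the
                      counterpart's address, so the sender's tenant is visible
  - "remote_session": Quick Assist or Teams screen sharing started on the
                      user's host; detail is the tool name
An alert fires for a user when a mail burst is followed, within a window, by a
Teams contact from outside our tenant and then a remote-control session.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "mail" | "teams_contact" | "remote_session"
    user: str      # internal user the event concerns
    detail: str    # sender address, counterpart address, or tool name


def detect_teams_vishing_chain(events, tenant_domain="corp.example",
                               burst_threshold=100,
                               burst_window=timedelta(minutes=10),
                               followup_window=timedelta(hours=2)):
    """Return a list of alert dicts (user, burst_end, teams_contact, remote_tool)."""
    events = sorted(events, key=lambda e: e.ts)
    mail_times = defaultdict(deque)   # per-user sliding window of mail timestamps
    burst_end = {}                    # user -> last time the burst condition held
    external_contact = {}             # user -> (ts, counterpart) seen after a burst
    alerts = []

    for e in events:
        if e.kind == "mail":
            q = mail_times[e.user]
            q.append(e.ts)
            # drop timestamps that fell out of the sliding window
            while q and e.ts - q[0] > burst_window:
                q.popleft()
            if len(q) >= burst_threshold:
                burst_end[e.user] = e.ts

        elif e.kind == "teams_contact":
            # Only contacts from outside our own tenant are interesting here.
            counterpart_domain = e.detail.rsplit("@", 1)[-1].lower()
            if counterpart_domain == tenant_domain:
                continue
            last_burst = burst_end.get(e.user)
            if last_burst is not None and e.ts - last_burst <= followup_window:
                external_contact[e.user] = (e.ts, e.detail)

        elif e.kind == "remote_session":
            contact = external_contact.get(e.user)
            if contact is not None and e.ts - contact[0] <= followup_window:
                alerts.append({
                    "user": e.user,
                    "burst_end": burst_end[e.user],
                    "teams_contact": contact[1],
                    "remote_tool": e.detail,
                })
                external_contact.pop(e.user)   # one alert per chain
    return alerts


def sample_events():
    """Constructed sample data: one targeted user plus one user with benign activity."""
    t0 = datetime(2025, 1, 20, 9, 0)
    ev = []
    # alice: 150 inbound messages in about five minutes (the email bomb)
    for i in range(150):
        ev.append(Event(t0 + timedelta(seconds=2 * i), "mail",
                        "alice@corp.example", f"list{i}@newsletters.example.net"))
    # ...then a "helpdesk" contact from a foreign tenant, then Quick Assist
    ev.append(Event(t0 + timedelta(minutes=25), "teams_contact",
                    "alice@corp.example", "agent@it-helpdesk.onmicrosoft.example"))
    ev.append(Event(t0 + timedelta(minutes=32), "remote_session",
                    "alice@corp.example", "QuickAssist.exe"))
    # bob: normal mail volume, an internal Teams call, and a legitimate support session
    for i in range(5):
        ev.append(Event(t0 + timedelta(minutes=3 * i), "mail",
                        "bob@corp.example", "colleague@corp.example"))
    ev.append(Event(t0 + timedelta(minutes=20), "teams_contact",
                    "bob@corp.example", "carol@corp.example"))
    ev.append(Event(t0 + timedelta(minutes=40), "remote_session",
                    "bob@corp.example", "QuickAssist.exe"))
    return ev


if __name__ == "__main__":
    for alert in detect_teams_vishing_chain(sample_events()):
        print(alert)
```

The sliding window keeps the mail-burst check linear in the number of events, and requiring all three stages for the same user keeps a legitimate Quick Assist session from alerting on its own. In practice the thresholds need tuning per tenant, and the counterpart domain check is what ties the detection to the external-tenant technique the article describes.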
These recent ransomware attacks highlight the evolving nature of cybersecurity threats and the importance of robust security measures.
The attackers’ ability to blend legitimate tools like Microsoft Teams with malicious intent underscores the need for employee awareness training and strong security protocols.
The use of Microsoft Teams in these phishing attacks demonstrates the need for vigilance and proactive security measures against sophisticated ransomware attacks.