2025-01-22
Cybersecurity firm Sophos has uncovered two distinct threat actors abusing Microsoft 365 services, particularly Microsoft Teams, to infiltrate organizations. The attackers rely on default Microsoft Teams settings that let outside accounts start conversations with internal users, and pose as tech support to gain control of systems and deploy malicious payloads. Over the past three months, these groups have launched at least 15 attacks, likely aiming to deploy ransomware and steal sensitive data.
The Attackers and Their Tactics
The two hacking groups, tracked as STAC5143 and STAC5777, have been observed using similar yet distinct methods to compromise their targets. Both groups initiated their attacks by flooding employees with spam messages, followed by unsolicited Microsoft Teams calls. These calls were designed to deceive employees into believing they were interacting with legitimate tech support personnel.
STAC5143: A Blend of Familiar and Novel Techniques
The first group, STAC5143, began its campaign in November 2024. The attackers posed as a “Help Desk Manager” and used Microsoft Teams to request remote screen control. Once granted access, they executed PowerShell commands to download a ProtonVPN executable and a malicious DLL for sideloading. This led to the deployment of a Python payload, which installed backdoors and executed commands for user and network discovery.
Sophos noted that while the tools and techniques used by STAC5143 resemble those of the notorious FIN7/Sangria Tempest group, the attack chain and targeted organizations differ. Additionally, STAC5143 appears to be mimicking the tactics of Storm-1811 (aka Black Basta), a group known for its ransomware campaigns.
STAC5777: Hands-On-Keyboard Approach
The second group, STAC5777, employed a more hands-on approach. After bombarding employees with spam messages, they contacted them via Teams, pretending to be part of the internal IT team. During the Teams call, the attackers instructed the employee to install Microsoft Quick Assist, a legitimate remote access tool. This allowed the attackers to take control of the victim’s machine and download malicious payloads using a web browser.
STAC5777 dropped a mix of legitimate and malicious files, including a legitimate Microsoft executable, unsigned DLLs from the OpenSSL Toolkit, and a malicious DLL designed to collect system information and user credentials. The group then used these credentials to move laterally across the network, accessing files, extracting credentials, and even attempting to execute the Black Basta ransomware in one instance.
Sophos’ Recommendations
Sophos emphasizes the importance of raising employee awareness about these sophisticated tactics. Traditional anti-phishing training may not cover these types of attacks, which rely heavily on social engineering and creating a sense of urgency. Employees should be educated on how to identify legitimate tech support and be cautious of unsolicited requests for remote access.
What Undercode Says:
The recent wave of attacks exploiting Microsoft Teams highlights a growing trend in cybercriminals leveraging legitimate tools and services to bypass traditional security measures. These incidents underscore the need for organizations to adopt a multi-layered security approach that goes beyond conventional phishing training.
The Exploitation of Trust
One of the most striking aspects of these attacks is the exploitation of trust. Microsoft Teams is a widely used collaboration tool, and employees are accustomed to receiving legitimate communications through it. By posing as tech support, the attackers exploit this trust, making it easier to deceive employees into granting access to their systems.
The Role of Default Configurations
The attacks also highlight the risks associated with default configurations in widely used software. Microsoft Teams’ default settings allow external users to initiate chats and meetings, which the attackers exploited to their advantage. Organizations should consider revising these settings to limit external communications and reduce the attack surface.
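As an added illustration (not part of the Sophos report or this article), the external-access setting discussed above can be audited and tightened from the MicrosoftTeams PowerShell module; the cmdlets below are the module's tenant federation cmdlets as assumed here, and partner.example is a placeholder domain:

```powershell
# Added example: audit and tighten Teams external access with the MicrosoftTeams module.
# Assumes a Teams administrator session; partner.example is a placeholder partner domain.
Connect-MicrosoftTeams

# 1. Inspect the current state. A freshly created tenant typically has federation open to
#    all domains and personal (consumer) Teams accounts enabled, which is what lets an
#    outside account open a chat or call with any internal user.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# 2. Stop unmanaged accounts from reaching your users at all: personal Teams accounts and
#    Skype consumer accounts can no longer start a conversation with the tenant.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false

#    Narrower alternative: keep consumer chat that your users start, but block outsiders
#    from initiating it (the direction these attacks depend on).
# Set-CsTenantFederationConfiguration -AllowTeamsConsumer $true -AllowTeamsConsumerInbound $false

# 3. Replace "all known domains" federation with an explicit allow list of partner tenants.
#    Any domain not on the list cannot chat or call in.
$partner   = New-CsEdgeDomainPattern -Domain 'partner.example'
$allowList = New-CsEdgeAllowList -AllowedDomain @($partner)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

#    Alternative to step 3 when no partner needs federated chat: disable it entirely.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 4. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Changes to tenant federation settings can take some time to propagate to clients, so verify with a test account from an outside domain rather than trusting the readback alone.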
The Blurred Line Between Legitimate and Malicious Tools
Both STAC5143 and STAC5777 relied heavily on legitimate tools like Microsoft Quick Assist and PowerShell to carry out their attacks. This blurring of lines between legitimate and malicious tools makes it increasingly difficult for traditional security solutions to detect and prevent such attacks. Organizations must implement advanced threat detection mechanisms that can identify anomalous behavior, even when legitimate tools are being used.
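As an added example (not code from Sophos or this article), the following triage script shows what "anomalous behaviour with legitimate tools" looks like in practice: it ignores Quick Assist, PowerShell and the signed executable on their own and instead flags the parent/child pairing and the unsigned DLL load from a user-writable path that the attack chain described above produces. The events are constructed inline in a Sysmon-like shape; all users, paths and DLL names are made-up sample values, not indicators from the report.

```powershell
# Added example: behaviour-based triage for the "legitimate tool, abnormal context" pattern.
# Events are constructed here in a Sysmon-like shape (ProcessCreate / ImageLoad); the field
# names are assumptions for the illustration and every value is a made-up sample.
$events = @(
    [pscustomobject]@{ Time='2025-01-10T09:01:00Z'; Type='ProcessCreate'; User='CORP\jdoe'
                       Image='C:\Windows\System32\quickassist.exe'; ParentImage='C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time='2025-01-10T09:04:12Z'; Type='ProcessCreate'; User='CORP\jdoe'
                       Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage='C:\Windows\System32\quickassist.exe' }
    [pscustomobject]@{ Time='2025-01-10T09:05:30Z'; Type='ImageLoad'; User='CORP\jdoe'; Signed='false'
                       Image='C:\Users\jdoe\AppData\Local\Temp\ProtonVPN.exe'
                       ImageLoaded='C:\Users\jdoe\AppData\Local\Temp\sample-sideload.dll' }
    [pscustomobject]@{ Time='2025-01-10T09:30:00Z'; Type='ProcessCreate'; User='CORP\itadmin'
                       Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage='C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time='2025-01-10T09:31:00Z'; Type='ImageLoad'; User='CORP\itadmin'; Signed='true'
                       Image='C:\Program Files\Vendor\app.exe'; ImageLoaded='C:\Program Files\Vendor\lib.dll' }
)

# Heuristic 1: a script host started from a Quick Assist session. Quick Assist itself is
# legitimate, so the signal is the parent/child pairing, not the presence of the tool.
function Find-ShellUnderQuickAssist {
    param([object[]]$Events)
    $shells = 'powershell.exe', 'pwsh.exe', 'cmd.exe'
    $Events | Where-Object {
        $_.Type -eq 'ProcessCreate' -and
        (Split-Path $_.ParentImage -Leaf) -eq 'quickassist.exe' -and
        (Split-Path $_.Image -Leaf) -in $shells
    }
}

# Heuristic 2: any process loading an unsigned DLL from a user-writable profile path,
# the shape of the sideloading seen with the dropped ProtonVPN executable.
function Find-UnsignedUserPathLoad {
    param([object[]]$Events)
    $Events | Where-Object {
        $_.Type -eq 'ImageLoad' -and
        "$($_.Signed)" -eq 'false' -and
        $_.ImageLoaded -match '^C:\\Users\\[^\\]+\\AppData\\'
    }
}

# Correlate per user: both heuristics firing for the same account raises the priority.
$hits = @(Find-ShellUnderQuickAssist $events) + @(Find-UnsignedUserPathLoad $events)
$hits | Group-Object User | ForEach-Object {
    $kinds = ($_.Group.Type | Sort-Object -Unique) -join '+'
    $sev   = if ($_.Count -ge 2) { 'HIGH' } else { 'MEDIUM' }
    '{0,-6} {1,-14} {2}' -f $sev, $_.Name, $kinds
}
```

With the sample data only CORP\jdoe is reported, at HIGH, because both the Quick Assist-spawned shell and the unsigned DLL load belong to that account; the administrator's ordinary PowerShell session and the signed vendor DLL are not flagged.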
The Importance of Employee Training
While technical safeguards are crucial, employee training remains a critical line of defense. Employees should be trained to recognize social engineering tactics and understand the importance of verifying the identity of anyone requesting remote access or sensitive information. Regular drills and simulations can help reinforce this training and ensure employees remain vigilant.
The Growing Threat of Ransomware
The attempted execution of Black Basta ransomware by STAC5777 is a stark reminder of the growing threat posed by ransomware groups. These attacks are not just about data theft; they are designed to disrupt operations and extort organizations for financial gain. Organizations must prioritize ransomware prevention, including regular backups, endpoint protection, and incident response planning.
The Need for Proactive Defense
In an era where cyber threats are becoming increasingly sophisticated, organizations cannot afford to be reactive. Proactive defense measures, such as threat hunting, penetration testing, and continuous monitoring, are essential to staying ahead of attackers. By identifying and addressing vulnerabilities before they can be exploited, organizations can significantly reduce their risk of falling victim to such attacks.
Conclusion
The exploitation of Microsoft Teams by STAC5143 and STAC5777 serves as a wake-up call for organizations to reassess their security posture. By combining technical safeguards with employee training and proactive defense measures, organizations can better protect themselves against these evolving threats. As cybercriminals continue to innovate, so too must the strategies and tools used to defend against them.
References:
Reported By: Securityweek.com