The Black Basta group is a Ransomware-as-a-Service (RaaS) provider that has been in operation since at least April of 2022. The group is believed to be composed of former members of the Conti and REvil ransomware groups, a belief driven by several factors, such as the similarities in their tactics and the speed with which Black Basta integrated into the cybercriminal ecosystem.
Black Basta is credited with victimizing over 500 organizations; in the first quarter of 2024 alone, the group carried out over 100 public attacks. The group typically selects targets meticulously rather than at random or through scattershot tactics, and its targets often include organizations involved in critical infrastructure such as public health and energy.
They are known for using many different strategies in their campaigns. For example, to gain initial access to target networks, Black Basta has been observed using spear phishing, insider information, and attempts to buy network access from initial access brokers (IABs). What’s more, Black Basta attacks are generally noted as using a double extortion tactic: the group encrypts victim data and additionally threatens to release sensitive information publicly if its demands are not met.
The use of Microsoft Teams by Black Basta in their recent ransomware efforts is actually an evolution on an existing campaign that was mentioned in a ReliaQuest advisory in May. This campaign had been in progress since at least April of 2024.
The basic attack chain for this existing campaign begins by subscribing the target users’ email addresses to a large number of newsletters and mailing lists, causing a severe influx of unwanted email. Next, the threat actors impersonate IT staff and call the targets, asking them to install remote access software on their machines under the pretext of resolving the spam problem. Once remote access is gained, the threat actor can connect to command-and-control servers and download payloads.
Very recently, this attack chain has changed: targets are now contacted through Microsoft Teams chats rather than by phone call. Threat actors contact targets from external accounts whose “display name” often includes the phrase “Help Desk,” so that the target user believes they are dealing with legitimate support. In addition to the switch from telephone to Microsoft Teams chats, threat actors have also been observed sending QR codes in chat that lead to a variety of presumably malicious destinations.
Ultimately, the goal of the attack remains the same regardless of contact method: installing a malicious payload such as Cobalt Strike onto the machine, which gives the threat actors full access to the now compromised device and an opportunity to move further into the network.
As mentioned above, threat actors are contacting targets from external Microsoft Teams accounts, and these accounts are operated from Entra ID tenants that appear designed to pose as help-desk staff. The naming convention observed so far follows the format of a help-desk related phrase followed by the onmicrosoft[.]com suffix. Some examples are as follows:
- securityadminhelper.onmicrosoft[.]com
- supportserviceadmin.onmicrosoft[.]com
- supportadministrator.onmicrosoft[.]com
- cybersecurityadmin.onmicrosoft[.]com
In addition to these accounts generally being given a display name that includes the phrase “help desk,” it is also worth keeping in mind that target users are typically added to a chat named “OneOnOne.” ReliaQuest further notes that the activity of these observed accounts appears to originate in Russia.
In recent events, targets seem more likely to be directed to use QuickAssist for the supposed “support” sessions, though AnyDesk is also a popular choice. The QR codes mentioned above forward to domains that follow a convention like the ones listed below. What’s more, in each observed attack these domains have been prefixed with a subdomain matching the target organization’s name.
- companyname.qr-s1[.]com
- companyname.qr-s2[.]com
In general, the recommendations for mitigating the Microsoft Teams tactic are, first, to disable communication from external users so that unwanted chats cannot reach end users. If external communication is necessary, specific trusted domains can be whitelisted. It is also prudent to ensure logging is enabled for Teams, especially for the “ChatCreated” event, which makes detecting this kind of activity easier.
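As an added example (not code from the original advisory or from ReliaQuest's research), the following Python sketch applies the indicators described above (help-desk style onmicrosoft[.]com tenants, a “Help Desk” display name, the “OneOnOne” chat name) together with an external-domain allowlist to constructed “ChatCreated” audit records; the record shape, the domains and both allowlists are assumptions.

```python
import json

# Constructed sample records (an assumed, simplified shape loosely modelled on
# Microsoft 365 unified audit log "ChatCreated" entries, not the real schema).
SAMPLE_EVENTS = json.loads("""[
 {"Operation": "ChatCreated", "ChatName": "OneOnOne",
  "Members": [{"UPN": "alice@corp.example", "DisplayName": "Alice"},
              {"UPN": "it@securityadminhelper.onmicrosoft.com", "DisplayName": "Help Desk"}]},
 {"Operation": "ChatCreated", "ChatName": "Project sync",
  "Members": [{"UPN": "alice@corp.example", "DisplayName": "Alice"},
              {"UPN": "bob@partner.example", "DisplayName": "Bob"}]}
]""")

INTERNAL_DOMAINS = {"corp.example"}     # assumption: the organization's own domains
ALLOWED_EXTERNAL = {"partner.example"}  # assumption: allowlisted federated domains
HELPDESK_WORDS = ("help", "support", "admin", "security")


def helpdesk_style_tenant(domain: str) -> bool:
    """True for the observed pattern: help-desk style word(s) + onmicrosoft.com."""
    return domain.endswith(".onmicrosoft.com") and any(w in domain for w in HELPDESK_WORDS)


def assess_chat_created(event: dict) -> list:
    """Return the reasons an event resembles the Teams lure; [] means not flagged."""
    if event.get("Operation") != "ChatCreated":
        return []
    reasons = []
    for member in event.get("Members", []):
        domain = member.get("UPN", "").rsplit("@", 1)[-1].lower()
        if domain in INTERNAL_DOMAINS:
            continue
        if domain not in ALLOWED_EXTERNAL:
            reasons.append(f"external member from non-allowlisted domain {domain}")
        if helpdesk_style_tenant(domain):
            reasons.append(f"help-desk style onmicrosoft tenant {domain}")
        if "help desk" in member.get("DisplayName", "").lower().replace("-", " "):
            reasons.append("external display name impersonates Help Desk")
    # The chat name alone is weak evidence; report it only alongside an external member.
    if reasons and event.get("ChatName") == "OneOnOne":
        reasons.append('chat named "OneOnOne"')
    return reasons


def flag_events(events: list) -> list:
    """Pair each flagged event's chat name with its reasons (unflagged events are dropped)."""
    return [(e.get("ChatName"), r) for e in events if (r := assess_chat_created(e))]


if __name__ == "__main__":
    for name, reasons in flag_events(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

The allowlist check models the “trusted domains” mitigation, so a chat from an allowlisted partner is not reported even though it is external.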
In summary, Black Basta is a ransomware-as-a-service provider that has been in operation since at least April of 2022. The group is believed to be made up of former members of Conti and REvil. They are responsible for attacks against over 500 organizations, some of which belong to key industries like healthcare and energy, and over 100 attacks occurred in the first quarter of 2024 alone.
As an extension of an already existing campaign, Black Basta has been observed contacting potential victims through Microsoft Teams, posing as IT help desk staff who supposedly want to help with spam email issues. Upon contact, victims are enticed into giving the threat actors remote access to their machines through remote support software like AnyDesk or QuickAssist. At that point, the threat actor is able to deploy malicious payloads to the target machine.
A priority step in avoiding this kind of attack is to disable external communications in applications like Microsoft Teams and whitelist appropriate individuals or domains when external communication is necessary. It is also important to explore and utilize logging options for these kinds of applications in order to make discovering suspicious activities easier.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941