
January 21, 2025

Microsoft Teams abused by Black Basta affiliates


Cybersecurity researchers have observed two separate threat actors, tracked as STAC5143 and STAC5777, abusing Microsoft 365 services and exploiting default Microsoft Teams configurations to initiate chats and meetings with internal users to deploy malware.

The attacks begin with a large volume of spam messages, immediately followed by a Teams call from the threat actor, who pretends to be a member of the internal IT team or helpdesk attempting to resolve the spam issue.


During this call, the user is tricked into providing remote screen control through Teams, or by installing Microsoft Quick Assist, which allows the threat actor to open a command shell, drop files on the system, and execute malware. In one instance, the threat actor attempted to execute Black Basta ransomware on the compromised host.

According to the researchers, STAC5143 and STAC5777 have launched at least 15 of these attacks since November 2024; however, the researchers did not indicate how many were successful.

Source: SecurityWeek

Analysis

Given the similar tactics, techniques, and procedures (TTPs) observed during these campaigns and previous campaigns associated with Black Basta ransomware affiliates, and the attempt to deploy Black Basta ransomware itself, it’s likely that both STAC5143 and STAC5777 are affiliates of the Black Basta Ransomware-as-a-Service (RaaS).

As a RaaS, Black Basta provides its ransomware tools and infrastructure to affiliates who conduct the attacks. In exchange, the affiliates share a portion of the ransom payments with the Black Basta operators.

In 2024, Black Basta affiliates continued to evolve their tactics, notably incorporating social engineering techniques such as email bombing, QR codes, and impersonation via platforms like Microsoft Teams. These methods have been employed to distribute payloads like Zbot and DarkGate, facilitating unauthorized access to target networks. By exfiltrating files before they are encrypted, Black Basta can threaten to publish stolen data on its leak site if the ransom is not paid to decrypt the files locked by Black Basta’s ransomware.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from RaaS groups like Black Basta. Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

While defending against ransomware attacks may seem intimidating at first, even a few simple, easy-to-implement best practices can help prevent attacks. Field Effect recommends that organizations adopt the following best practices:

Back up your data

Regular backups of sensitive and important information can help ensure business continuity during a ransomware attack. These backups should be stored separately from the operational network so that they will not be encrypted during an attack and can therefore be used to restore devices.

Update and patch software

Regular patching, updating, and maintenance help protect against or eliminate known cybersecurity vulnerabilities in IT systems, and are among the most important steps you can take to improve your security.

Protect systems connected to the internet

Using a DNS firewall limits access to known malicious websites, helping to defend against potential social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites. Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or otherwise connecting to networks from remote locations.

Develop a culture of cybersecurity

Organizations should train employees to watch for and understand the tricks attackers use, spot and avoid potential phishing links, and flag requests for personal information or credentials.

Strong password policies, password managers, and multifactor authentication (MFA) also make it more difficult for threat actors to guess, brute force, or use stolen credentials.

Use a cybersecurity solution

Staying ahead of ransomware demands a view into what’s happening across your IT environment. Cybersecurity solutions like Field Effect MDR that detect and respond to suspicious activity across networks, end-user devices, and cloud services can help identify and mitigate potential threats early.
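The summary above notes that the attackers relied on default Microsoft Teams configurations to reach internal users and on Quick Assist for remote control. The following is an added example, not code from the original post or from Field Effect, showing how a Teams administrator can review and tighten those settings with the MicrosoftTeams PowerShell module; the partner domains are constructed placeholders, and the Quick Assist package name is assumed.

```powershell
# Added example (not from the original post): tighten Teams external access
# and remove Quick Assist from endpoints. Requires the MicrosoftTeams module
# and a Teams administrator account for the first two sections.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Review the current tenant-wide federation settings before changing them.
#    By default, federation with all external domains and inbound chats/calls
#    from personal (consumer) Teams accounts are allowed.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                AllowedDomains, BlockedDomains

# 2. Stop personal Teams accounts from initiating chats or calls with staff.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 3. Replace "allow all domains" with an explicit allow list of partner
#    tenants. These domains are constructed placeholders; substitute your own.
$partnerDomains = @("partner-one.example", "partner-two.example")
$patterns = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 4. Confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

# 5. On managed endpoints (run locally or via your management tooling), remove
#    the Quick Assist Store app if it is not needed, so a helpdesk impersonator
#    cannot ask the user to launch it. Package name is an assumption.
Get-AppxPackage -AllUsers -Name "MicrosoftCorporationII.QuickAssist" |
    Remove-AppxPackage -AllUsers
```

If a legitimate external helpdesk or partner needs Teams access, add its domain to the allow list in step 3 rather than re-enabling open federation.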
