Cyber999 Advisories

5 November 2024     Advisory

MA-1184.112024: MyCERT Advisory - Black Basta Ransomware Impersonates Teams IT Support


1.0 Introduction
Recently, it has been revealed that the Black Basta ransomware group has refined its social engineering techniques, moving from traditional email spam to Microsoft Teams chats in order to infiltrate and compromise organisations. In this recent technique, the group poses as IT help-desk personnel in Microsoft Teams using external user accounts with deceptive names such as “Help Desk”. By adding users to chats with external accounts from fraudulent Entra ID tenants, attackers have posed as support, admin, or help-desk staff, using misleading display names to trick users into believing they are interacting with legitimate help-desk representatives.

2.0 Impact
A successful attack can disrupt operations, including potential ransomware installation, data breaches, and extortion -- forcing victims to pay ransoms to avoid data leaks or restore encrypted systems.

3.0 Indicators of Compromise (IOCs)
Accounts

  • securityadminhelper.onmicrosoft[.]com
  • supportserviceadmin.onmicrosoft[.]com
  • supportadministrator.onmicrosoft[.]com
  • cybersecurityadmin.onmicrosoft[.]com

Domain

  • qr-s1[.]com
  • qr-s2[.]com
  • qr-s3[.]com
  • qr-s4[.]com


4.0 Tactics, Techniques, and Procedures (TTPs)
4.1 Use of Microsoft Teams Chats
Black Basta first floods targets with spam email and then adds them to Microsoft Teams chats, posing as legitimate help-desk support staff offering to help resolve the spam flood. The group adds targets to chats using external accounts from fraudulent Entra ID tenants. These external accounts, operating from Entra ID tenants with misleading names such as "Help Desk", use display names designed to deceive targeted users into thinking they are communicating with real IT support staff.

By impersonating help-desk IT support, the attackers gain remote access to targets’ Windows devices and run scripts that install payloads on the devices to maintain that access. The group then moves laterally to other devices within the targets’ infrastructure, escalating privileges, stealing data, and ultimately deploying ransomware encryptors to take control of files across the targets’ systems.

The attackers’ stated purpose is to have the targeted employees install remote monitoring and management tools such as Quick Assist or AnyDesk, ostensibly to facilitate support and remediation. The real objective is to gain initial access to the targeted environment and install tools for malicious purposes.

The observed tenants follow the “*.onmicrosoft.com” naming convention. Examples seen so far include:

  • securityadminhelper.onmicrosoft[.]com
  • supportserviceadmin.onmicrosoft[.]com
  • supportadministrator.onmicrosoft[.]com
  • cybersecurityadmin.onmicrosoft[.]com

These external users set their profiles to a “DisplayName” designed to make the targeted user think they were communicating with a help-desk account. In almost all instances, researchers observed that the display name included the string “Help Desk,” often surrounded by whitespace characters, likely to centre the name within the chat. Researchers also observed that, typically, targeted users were added to a “OneOnOne” chat.

4.2 QR Codes
Additionally, targeted users were sent QR codes via the Microsoft Teams chats, masquerading as legitimate ones.

Threat actors are using domains like the following for this QR-code phishing activity:

  • qr-s1[.]com
  • qr-s2[.]com
  • qr-s3[.]com
  • qr-s4[.]com

In each attack, the subdomains of these domains are tailored to match the targeted organisation. For example: companyname.qr-s1[.]com.

The exact date on which the threat actor began using QR codes is unclear. However, researchers tracked the domain registration details and found older domains created in early October that follow the same naming convention. This suggests the same threat actor almost certainly created them for QR-code use, and that the approach was in use, or planned, from early October. It is still unclear what the QR codes are specifically used for; they may direct users to further malicious infrastructure.

5.0 Recommendation
CyberSecurity Malaysia recommends users apply the following mitigations:

  • Monitor external communication on platforms like Microsoft Teams and block malicious domains.
  • To mitigate against tactics involving Microsoft Teams and QR code phishing, organisations should disable communication from external users within Teams to prevent unwanted chat messages from reaching end users. Specific trusted domains can be allowed when communication with external users is necessary.
  • Establishing aggressive anti-spam policies within email security tools can prevent spam from flooding end users’ inboxes.
  • Implement multi-factor authentication to prevent unauthorised initial access to systems.
  • Ensuring that logging is enabled for Teams, particularly the ChatCreated event, will facilitate detecting and investigating such activities.
  • Microsoft Teams accounts impersonating IT help desks typically have their names set to “Help Desk.” Whitespace characters often surround this string, likely to centre the name within chats. Organisations should search for “contains,” rather than a direct match, when searching for these accounts.
  • The post-exploitation activities linked to these tactics, such as Impacket abuse and the deployment of Cobalt Strike beacons, are neither new nor unexpected. Existing detection rules and security tools are well-prepared to address these threats, enabling organisations to respond effectively to these tactics.
  • Regularly train and educate employees on identifying phishing attempts.
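As an added example (not part of this advisory), the following Python applies the “contains” display-name check from section 4.1 and the recommendations above, together with a lookup against the tenants listed in section 3.0, to constructed ChatCreated audit records. The record layout, the internal domain list and the sample participants are assumptions made for the example.

```python
import json
import re
import unicodedata

# Constructed NDJSON sample of Teams "ChatCreated" audit records (simplified schema).
SAMPLE_AUDIT_LOG = r"""
{"Operation":"ChatCreated","ChatThreadId":"19:abc@thread.v2","ChatType":"OneOnOne","Members":[{"DisplayName":"Alice Tan","UPN":"alice.tan@example.com"},{"DisplayName":"     Help Desk     ","UPN":"admin@securityadminhelper.onmicrosoft.com"}]}
{"Operation":"ChatCreated","ChatThreadId":"19:def@thread.v2","ChatType":"OneOnOne","Members":[{"DisplayName":"Alice Tan","UPN":"alice.tan@example.com"},{"DisplayName":"Bob Lee","UPN":"bob.lee@example.com"}]}
{"Operation":"ChatCreated","ChatThreadId":"19:ghi@thread.v2","ChatType":"OneOnOne","Members":[{"DisplayName":"Carol Ng","UPN":"carol.ng@example.com"},{"DisplayName":"\u00a0\u00a0HELP\u00a0DESK\u00a0\u00a0","UPN":"it@contoso-partner.onmicrosoft.com"}]}
"""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domains
KNOWN_BAD_TENANTS = {               # the tenants listed in section 3.0
    "securityadminhelper.onmicrosoft.com",
    "supportserviceadmin.onmicrosoft.com",
    "supportadministrator.onmicrosoft.com",
    "cybersecurityadmin.onmicrosoft.com",
}

def normalise_display_name(name):
    # Collapse all whitespace (incl. no-break spaces) so padded names compare cleanly.
    name = unicodedata.normalize("NFKC", name)
    return re.sub(r"\s+", " ", name).strip().casefold()

def is_help_desk_like(name):
    # 'contains' match, as the advisory recommends; an exact match misses padded variants.
    return "help desk" in normalise_display_name(name)

def flag_chat_created(record):
    # Return (reason, upn) findings for external members of one ChatCreated event.
    if record.get("Operation") != "ChatCreated":
        return []
    findings = []
    for m in record.get("Members", []):
        upn = m.get("UPN", "")
        domain = upn.rpartition("@")[2].lower()
        if domain in INTERNAL_DOMAINS:
            continue
        if domain in KNOWN_BAD_TENANTS:
            findings.append(("known_bad_tenant", upn))
        if is_help_desk_like(m.get("DisplayName", "")):
            findings.append(("external_help_desk_displayname", upn))
    return findings

def scan(log_text):
    # Map ChatThreadId -> findings for every record that produced a hit.
    records = (json.loads(line) for line in log_text.strip().splitlines())
    return {r["ChatThreadId"]: h for r in records if (h := flag_chat_created(r))}
```

The third sample record shows why the padded, mixed-case variant is caught only after whitespace normalisation; an unknown external tenant is still flagged on the display name alone.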

Generally, CyberSecurity Malaysia advises users to be updated with the latest security announcements and follow best security practices to protect against cyber attacks.

For further enquiries or to report an incident, please contact us through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: https://www.mycert.org.my
