The BlackBasta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack.
Black Basta is a ransomware operation
active since April 2022 and responsible for hundreds of attacks against corporations worldwide.
After the Conti cybercrime syndicate shut down in June 2022 following a
series of
embarrassing data breaches, the operation
split into multiple groups, with one of these factions believed to be Black Basta.
Black Basta members breach networks through various methods, including
vulnerabilities,
partnering wish malware botnets, and social engineering.
In May,
Rapid7 and
ReliaQuest released advisories on a new Black Basta social engineering campaign that flooded targeted employees' inboxes with thousands of emails. These emails were not malicious in nature, mostly consisting of newsletters, sign-up confirmations, and email verifications, but they quickly overwhelmed a user's inbox.
The threat actors would then
call the overwhelmed employee, posing as their company's IT help desk to help them with their spam problems.
During this voice social engineering attack, the attackers trick the person into installing the AnyDesk remote support tool or providing remote access to their Windows devices by launching the Windows Quick Assist remote control and screen-sharing tool.
