New Russian campaign abuses Microsoft Teams to exfil data


Threat researchers have uncovered two new active campaigns abusing the Microsoft Office 365 platform to steal companies’ data and deploy ransomware. The threat actors are connected to Russian cybercriminals.

According to Sophos X-Ops, the campaigns involve separate groups of threat actors abusing the Microsoft Office 365 platform and remote management tools like Quick Assist to infiltrate companies’ IT networks – and then steal companies’ data and deploy ransomware.

Cybersecurity researchers from Sophos, a British cybersecurity company, say both campaigns are highly active. More than 15 incidents were found in the past three months, half of them in the past two weeks alone.


The threat groups – tracked by Sophos as STAC5143 and STAC5777 – behave similarly. First, they find a small group of specific employees to target at a company that uses Microsoft Teams – in other words, most of them.

Then, they send the aforementioned employees thousands of spam emails in a very short period. Sophos X-Ops, the company’s advanced threat response joint task force, said the threat actors once sent over 3,000 emails in less than an hour.

Quite obviously, most workers would refrain from opening such emails or clicking on links in them – but, equally, most would definitely be annoyed.

That’s why the threat actors would then follow up via Microsoft Teams voice and video calls, offering to help resolve the spam issue.


They would instruct the employee to allow a remote screen control session through Teams, and finally, using Quick Assist or Teams screen sharing features, they would take control of the target computer and deploy ransomware.
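The chain described above has a detectable shape from the defender's side: a burst of inbound mail to a single mailbox, followed shortly by a Teams call or chat from an account outside the tenant. The script below is an added example (not Sophos code) that correlates those two signals over constructed sample telemetry; the record layouts, the domain `example.com`, the 500-messages-per-hour threshold and the 24-hour follow-up window are assumptions chosen for the illustration, and real mail-trace and Teams audit exports would need their own parsing.

```python
"""Correlate an inbound "email bomb" with a follow-up external Teams contact.

Added example; the log formats and thresholds below are assumptions, and the
sample events are constructed for this script rather than taken from real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"       # assumption: the defended tenant's domain
SPAM_THRESHOLD = 500                  # inbound messages to one mailbox within SPAM_WINDOW
SPAM_WINDOW = timedelta(hours=1)
FOLLOW_UP_WINDOW = timedelta(hours=24)  # how long after the burst an external contact is suspicious

BASE = datetime(2025, 1, 20, 9, 0)

# Constructed mail-trace records: (timestamp, recipient, sender)
MAIL_EVENTS = (
    # 600 subscription-style messages to alice within 30 minutes: the burst
    [(BASE + timedelta(seconds=3 * i), "alice@example.com",
      f"news{i}@list-{i % 50}.invalid") for i in range(600)]
    # ordinary traffic to bob
    + [(BASE + timedelta(minutes=10 * i), "bob@example.com",
        "partner@vendor.invalid") for i in range(5)]
)

# Constructed Teams audit records: (timestamp, targeted user, caller display name, caller UPN)
TEAMS_EVENTS = [
    (BASE + timedelta(hours=2), "alice@example.com", "Help Desk Manager",
     "support@outside-helpdesk.invalid"),
    (BASE + timedelta(hours=1), "bob@example.com", "Partner Contact",
     "jane@vendor.invalid"),
    (BASE + timedelta(hours=3), "alice@example.com", "Carol",
     "carol@example.com"),
]


def find_email_bombs(mail_events, threshold=SPAM_THRESHOLD, window=SPAM_WINDOW):
    """Return {recipient: (window_start, peak_count)} for mailboxes whose inbound
    volume inside any sliding window of `window` length reaches `threshold`."""
    by_recipient = defaultdict(list)
    for ts, recipient, _sender in mail_events:
        by_recipient[recipient].append(ts)
    hits = {}
    for recipient, times in by_recipient.items():
        times.sort()
        lo = 0
        for hi, ts in enumerate(times):
            # shrink the window from the left until it spans at most `window`
            while ts - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold and (recipient not in hits or count > hits[recipient][1]):
                hits[recipient] = (times[lo], count)
    return hits


def external_teams_contacts(teams_events, internal_domain=INTERNAL_DOMAIN):
    """Keep only Teams calls/chats whose caller UPN is outside the tenant."""
    return [e for e in teams_events
            if e[3].rsplit("@", 1)[-1].lower() != internal_domain.lower()]


def correlate(mail_events, teams_events, internal_domain=INTERNAL_DOMAIN,
              follow_up=FOLLOW_UP_WINDOW):
    """Alert when a bombed mailbox receives an external Teams contact within
    `follow_up` of the start of the burst."""
    bombs = find_email_bombs(mail_events)
    alerts = []
    for ts, user, display_name, caller in external_teams_contacts(teams_events, internal_domain):
        if user not in bombs:
            continue
        start, count = bombs[user]
        if start <= ts <= start + follow_up:
            alerts.append({
                "user": user,
                "spam_count": count,
                "spam_started": start,
                "teams_contact": ts,
                "caller": caller,
                "display_name": display_name,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(MAIL_EVENTS, TEAMS_EVENTS):
        print(f"[ALERT] {alert['user']}: {alert['spam_count']} messages from "
              f"{alert['spam_started']:%H:%M}, then external Teams contact by "
              f"'{alert['display_name']}' <{alert['caller']}> at {alert['teams_contact']:%H:%M}")
```

On the constructed data only the contact to alice fires: bob's external contact has no preceding burst, and Carol's call to alice comes from inside the tenant. The display name is kept in the alert because, as the report notes, a caller labelled as help desk staff is exactly what an analyst should look at first; matching on the display name alone would be fragile, so the correlation keys on the burst-plus-external-domain pattern instead.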

Sean Gallagher, principal threat researcher at Sophos, said that more threat groups are exploiting and abusing remote management tools, and targeting companies of all sizes. Microsoft Teams is especially vulnerable.

“Teams’ default configuration allows individuals outside an organization to chat with or call internal staff at a company, and attackers are abusing this feature,” said Gallagher.


“Since many companies use managed service providers for their IT support, receiving a Teams call from an unknown person that’s labeled as ‘Help Desk Manager’ may not ring alarm bells, especially if it’s combined with an overwhelming amount of spam email.”

Sophos X-Ops has uncovered links between one group of threat actors and the Russian cybercriminal threat group Fin7. The other group of threat actors overlaps with the Russian threat group Storm-1811.

“We believe with high confidence that both sets of adversarial activity are parts of ransomware and data theft extortion efforts,” Sophos X-Ops said.

The researchers are advising companies using Microsoft Office 365 to check firm-wide configurations, block messages from external accounts where possible, and block remote access tools and remote machine management tools that their organizations do not regularly use.

“Organizations should also raise employee awareness of these types of tactics – these aren’t the types of things that are usually covered in anti-phishing training. Employees should be aware of who their actual technical support team is and be mindful of tactics,” says the report.