Who:
Two activity clusters tracked by Sophos as STAC5143 and STAC5777. STAC5777 overlaps with activity linked to Black Basta ransomware; STAC5143 shows possible links to FIN7 (Sangria Tempest).
What:
Attackers flood a target's inbox with subscription spam (email bombing), then call the victim over Microsoft Teams from an external tenant while posing as the organisation's IT support.
Victims are talked into granting hands-on access, either through Teams screen sharing and remote control or through Microsoft Quick Assist, and into running what the caller presents as a fix.
Malware used includes:
Java archive (JAR) files that unpack and run Python scripts, including the RPivot backdoor.
Malicious DLLs (e.g., nethost.dll, winhttp.dll) dropped next to legitimate signed executables, which sideload them on launch.
Follow-on techniques include keylogging, credential harvesting, and network reconnaissance.
The final stage likely involves data theft and ransomware deployment.
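The sideloading pattern above (an attacker-controlled winhttp.dll or nethost.dll placed beside a trusted executable) leaves a simple artefact to hunt for: copies of those DLL names outside the Windows system directories. The following PowerShell is an added example, not code from the Sophos report; the search roots and the "Microsoft-signed is expected" rule are assumptions, and note that nethost.dll also ships legitimately with many .NET applications, so only unsigned or non-Microsoft-signed copies are worth triaging.

```powershell
# Added hunt script (not from the original report): find winhttp.dll / nethost.dll
# outside %SystemRoot% and report signer, creation time and neighbouring EXEs
# (the EXE beside the DLL is the likely sideloading host). Run elevated.

$SuspectNames = @('winhttp.dll', 'nethost.dll')   # DLL names from the summary above
$SearchRoots  = @(                                  # assumed roots; extend for your estate
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}",
    "$env:ProgramData",
    "$env:SystemDrive\Users"
)
$SystemDirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

$findings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Force -Include $SuspectNames -ErrorAction SilentlyContinue |
        Where-Object {
            $dir = $_.DirectoryName
            -not ($SystemDirs | Where-Object { $dir -like "$_*" })   # skip the legitimate system copies
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Path       = $_.FullName
                SigStatus  = $sig.Status
                Publisher  = $publisher
                Created    = $_.CreationTime
                Neighbours = (Get-ChildItem -Path $_.DirectoryName -Filter '*.exe' -ErrorAction SilentlyContinue).Name -join ', '
            }
        }
}

# Assumption: a genuine copy is Microsoft-signed with a valid signature; anything else needs a look.
$findings |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Publisher -notmatch 'O=Microsoft Corporation' } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

Recently created hits whose neighbouring executable is a signed Microsoft or vendor binary are the ones to pull for analysis; pair the file listing with process-creation telemetry for that executable to confirm the DLL was actually loaded.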
Impact:
Gives the attacker interactive control of the victim's machine, enabling credential theft, data exfiltration and lateral movement across the network.
Black Basta ransomware deployment has been observed in these intrusions, so the end state is potentially a full organisational outage.
Relies on default Microsoft Teams settings, which allow users from any external tenant to message and call, and on the built-in Quick Assist tool for hands-on control, so no exploit is needed.
Victims' sensitive documents and credentials are the targets.
Mitigation:
Restrict external access in Microsoft Teams: block consumer (personal) Teams accounts and either disable federation or limit it to an explicit allow list of partner domains, so unknown tenants cannot initiate chats or calls.
Remove or block Microsoft Quick Assist on critical systems (and in general where a managed remote-support tool is already in place).
Monitor and restrict downloads from external file-sharing services such as SharePoint and Azure Blob Storage, which were used to host the payloads.
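The Teams and Quick Assist mitigations above can be applied and verified from PowerShell. This is an added example, not configuration from the Sophos report: the partner domains are placeholders, the Teams part assumes the MicrosoftTeams module and a Teams administrator account, and the Quick Assist part is run elevated on each endpoint (or via your management tooling).

```powershell
# Added example (not from the original report). Placeholders: partner-a.example, partner-b.example.

# --- 1. Microsoft Teams: stop unknown external tenants from messaging or calling users ---
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Personal (consumer) Teams accounts are free to register and need no tenant at all; block them.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Option A: disable external (federated) access completely.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Option B: keep external access but only for an explicit allow list of partner domains.
$partners  = @('partner-a.example', 'partner-b.example') |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $partners
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# Verify the effective tenant settings before closing the session.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

# --- 2. Endpoints: remove Quick Assist ---
# Older builds ship Quick Assist as a Windows capability; newer builds install it as a Store app.
# Handle both so a later feature update does not silently bring it back.
Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
    Where-Object State -eq 'Installed' |
    Remove-WindowsCapability -Online

Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxPackage -AllUsers

# Confirm: the capability should report NotPresent and the package query should return nothing.
Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' | Select-Object Name, State
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
```

Removal alone does not stop a user from reinstalling Quick Assist from the Store, so back it with an AppLocker or WDAC rule for the package on systems where it must stay off, and make sure helpdesk staff know the sanctioned remote-support channel so that an unexpected "IT support" call over Teams is recognised as the anomaly it is.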