Attackers Leverage Microsoft Teams and Quick Assist for Access
Summary:
Trend Micro researchers have uncovered a sophisticated cyber-attack that combines social engineering with widely used remote access tools to deploy stealthy infostealer malware. This campaign grants attackers persistent access to compromised machines, enabling them to steal sensitive data. Since October 2024, 21 breaches have been recorded, with the majority occurring in North America. The United States was the most affected, with 17 incidents, followed by Canada and the United Kingdom with five each. Europe also recorded a total of 18 incidents.
The attack begins with social engineering to gain initial access, often through Microsoft Teams, where attackers impersonate trusted entities (such as IT support) to steal credentials. Once access is obtained, tools like Quick Assist and other remote access software are used to escalate privileges. Attackers then abuse a legitimate OneDrive update tool, OneDriveStandaloneUpdater.exe, to sideload malicious DLLs, granting them network access. To maintain persistence, they deploy BackConnect malware, which has been linked to QakBot, a loader malware previously used by Black Basta ransomware operators before law enforcement disrupted it in Operation Duckhunt. The attackers use commercial cloud storage providers to host and distribute malicious files, often taking advantage of misconfigured or publicly accessible storage buckets.
Security Officer Comments:
Further analysis has revealed a connection between Black Basta and Cactus ransomware operators, both of which have been observed deploying the same BackConnect malware. This malware enables attackers to execute commands remotely, steal credentials, and exfiltrate financial data. In 2023, Black Basta alone extorted $107 million from victims, with manufacturing, financial services, and real estate the hardest-hit sectors. Additionally, attackers have been using the open-source file transfer client WinSCP to move stolen data within compromised environments. Malicious files were initially downloaded from cloud storage providers before being repackaged and deployed via system vulnerabilities. Leaked internal communications suggest that Black Basta members are now transitioning to Cactus ransomware, signaling that Cactus will remain a significant cyber threat in 2025.
Suggested Corrections:
To counter these evolving threats, organizations should:
- Strengthen authentication measures, including multi-factor authentication (MFA) and user verification procedures
- Restrict the use of remote access tools like Quick Assist unless explicitly required
- Regularly audit cloud storage configurations to prevent unauthorized access
- Monitor network traffic for suspicious outbound connections to known command-and-control servers
- Educate employees on social engineering tactics to reduce susceptibility to phishing and impersonation attempts
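Two of the controls above map directly onto the chain described in the summary: spotting OneDriveStandaloneUpdater.exe loading a DLL it should not be loading (the sideloading step), and catching Quick Assist launches on hosts where the tool has not been explicitly permitted. The following Python is an added example, not code from Trend Micro or from the article; the Sysmon-style field names, the trusted-directory list, the allowed-host list, the DLL file name and the sample event records are all assumptions constructed for illustration.

```python
"""Added example: two detection rules for the OneDriveStandaloneUpdater.exe
DLL-sideloading step and for unexpected Quick Assist use, evaluated over
constructed Sysmon-style event records (Event ID 7 = image loaded,
Event ID 1 = process create). Not from the article or Trend Micro."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Event:
    event_id: int           # Sysmon numbering: 1 = process create, 7 = image loaded
    host: str
    image: str              # full path of the process executable
    image_loaded: str = ""  # DLL path (event 7 only)
    signed: bool = False    # Sysmon "Signed" field (event 7 only)
    signature: str = ""     # Sysmon "Signature" field, e.g. "Microsoft Windows"


# Assumed locations from which the updater legitimately loads DLLs:
# Windows system directories and the per-machine / per-user OneDrive install dirs.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files\\microsoft onedrive",
    "\\appdata\\local\\microsoft\\onedrive",  # matched by suffix: any user profile
)

# Hosts where help-desk use of Quick Assist is explicitly permitted (assumption).
QUICK_ASSIST_ALLOWED_HOSTS = {"helpdesk-01"}


def _in_trusted_dir(dll_path: str) -> bool:
    """True if the DLL sits in (or below) one of the trusted directories."""
    parent = str(PureWindowsPath(dll_path).parent).lower()
    return any(parent == d or parent.endswith(d) or parent.startswith(d + "\\")
               for d in TRUSTED_DLL_DIRS)


def rule_onedrive_sideload(ev: Event):
    """Rule 1: OneDriveStandaloneUpdater.exe loads a DLL that is not
    Microsoft-signed or that lives outside the trusted directories."""
    if ev.event_id != 7:
        return None
    if PureWindowsPath(ev.image).name.lower() != "onedrivestandaloneupdater.exe":
        return None
    ms_signed = ev.signed and ev.signature.lower().startswith("microsoft")
    if ms_signed and _in_trusted_dir(ev.image_loaded):
        return None  # expected behaviour: signed system/OneDrive module
    return ("onedrive_dll_sideload", ev.host,
            f"{ev.image} loaded {ev.image_loaded} "
            f"(signed={ev.signed}, signer={ev.signature or 'none'})")


def rule_quick_assist(ev: Event):
    """Rule 2: Quick Assist started on a host that is not on the allow list."""
    if ev.event_id != 1:
        return None
    if PureWindowsPath(ev.image).name.lower() != "quickassist.exe":
        return None
    if ev.host.lower() in QUICK_ASSIST_ALLOWED_HOSTS:
        return None
    return ("quick_assist_unexpected_host", ev.host, f"Quick Assist launched: {ev.image}")


RULES = (rule_onedrive_sideload, rule_quick_assist)


def evaluate(events):
    """Run every rule over every event; return (rule, host, detail) findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample records. The DLL name is illustrative only; a sideloaded
# DLL typically reuses the name of a library the executable would search for.
SAMPLE_EVENTS = [
    Event(7, "ws-042", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
          r"C:\Windows\System32\winhttp.dll", signed=True, signature="Microsoft Windows"),
    Event(7, "ws-042", r"C:\Users\Public\Update\OneDriveStandaloneUpdater.exe",
          r"C:\Users\Public\Update\winhttp.dll", signed=False),
    Event(1, "helpdesk-01", r"C:\Windows\System32\QuickAssist.exe"),
    Event(1, "ws-042", r"C:\Windows\System32\QuickAssist.exe"),
]

if __name__ == "__main__":
    for name, host, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {host}: {detail}")
```

The signature check matters more than the directory check: a copy of the updater dropped next to an attacker-supplied DLL of the same name as a system library satisfies the normal DLL search order, so the location of the loaded module alone is not a reliable signal, whereas a non-Microsoft or unsigned module inside that process is. In a real deployment the trusted-directory list and the Quick Assist allow list would come from asset inventory rather than constants.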
https://www.infosecurity-magazine.com/news/attackers-exploit-microsoft-teams/