Russian cybercriminals have been observed using a new scam tactic: posing as tech support on Microsoft Teams to convince victims they have an IT issue. Once they have gained the trust of their targets, the criminals install ransomware on the victims’ computer networks. The British cybersecurity company Sophos recently reported on over 15 incidents in which two separate groups used Microsoft Office 365’s default service settings to talk their way onto a victim’s system.
According to Sophos’ report, one of the attackers appears to have connections to a group previously identified by Microsoft as Storm-1811, known for conducting similar scams. The other group, believed to be mimicking the tactics of Storm-1811, is potentially linked to a cybercrime group known as FIN7. Sean Gallagher, principal threat researcher at Sophos X-Ops, explained that these new schemes came to light during an investigation into BeaverTail cases, which are associated with North Korean hackers conducting malicious activities.
The attackers operated their own Microsoft Office 365 tenants and took advantage of a default Microsoft Teams configuration that allows external users to initiate chats or meetings with internal users. In some instances the first contact was a voice or video call on Teams; victims did not scrutinize whether the caller was legitimate and assumed the call came from an outsourced support provider.
The cybercriminals also sent text messages in Teams chat, often containing links that would give them remote control of the victims’ devices. In one incident on U.S. Election Day, after the fake support staff had gained remote screen control, the attacker executed malware, including a Java archive and Python code that mirrored tactics previously used by FIN7.
Sophos blocked the majority of the incidents it observed; one customer not covered by its managed detection and response service suffered data exfiltration, but the ransomware was never executed. The company advises organizations to restrict Teams calls from external sources and to limit remote access applications to trusted partners in order to mitigate such threats. Additionally, it recommends implementing strict security measures to prevent unauthorized access to sensitive systems.
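As an added illustration of the mitigation above (example code written for this page, not from Sophos or Microsoft), the following PowerShell audits the Teams external-access (federation) defaults the attackers relied on and replaces open federation with an allow-list of known partner tenants. It assumes the MicrosoftTeams PowerShell module and Teams administrator rights; the partner domains are placeholders.

```powershell
# Added example: audit and tighten Teams external access (federation).
# Assumes the MicrosoftTeams module is installed and the signed-in account
# is a Teams administrator. "partner-a.example" / "partner-b.example" are
# placeholder domains for the outsourced-support tenants you actually trust.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit: what can external tenants and personal accounts do right now?
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                     AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# With AllowFederatedUsers = True and no explicit AllowedDomains entries, any
# external Microsoft 365 tenant (including one an attacker created for the
# purpose) can start a chat or call with your users.
if ($cfg.AllowFederatedUsers -and -not $cfg.AllowedDomains.AllowedDomain) {
    Write-Warning "Open federation: any external tenant can initiate Teams chats/calls."
}

# 2. Harden: replace open federation with an explicit allow-list of partner
#    tenants, and block chats/calls from personal (consumer) Teams accounts.
$partners  = "partner-a.example", "partner-b.example"      # placeholders
$patterns  = $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

Set-CsTenantFederationConfiguration -AllowedDomains $allowList
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 3. Verify the change took effect before closing the ticket.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers,
        @{ n = 'AllowedDomains'; e = { $_.AllowedDomains.AllowedDomain.Domain -join ',' } }
```

Federation changes can take some time to propagate across the tenant, so re-run the audit step later rather than relying on the immediate readback alone.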
Overall, the rise of cybercriminals impersonating tech support on Microsoft Teams highlights how threat actors adapt their tactics, here by abusing permissive default settings and the trust users place in familiar collaboration tools, to deceive unsuspecting victims. As organizations continue to adapt to remote work environments, it is imperative that they remain vigilant and implement robust cybersecurity measures to safeguard against such sophisticated attacks.