Black Basta Ransomware Uses MS Teams Impersonation to Breach Networks
- SISA Weekly Threat Watch -
In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the BlackBasta ransomware group’s new phishing strategy on Microsoft Teams, the Akira and Fog ransomware groups have exploited a SonicWall VPN vulnerability (CVE-2024-40766), targeting networks lacking multi-factor authentication and rapidly encrypting critical files.
Additionally, a new attack bypasses Microsoft’s Driver Signature Enforcement, allowing unsigned kernel drivers on fully patched Windows systems, enabling persistent rootkit threats. The Evasive Panda group has targeted Taiwanese cloud accounts using CloudScout malware to hijack Google Drive, Gmail, and Outlook sessions. Finally, PSAUX ransomware exploited a CyberPanel vulnerability, compromising over 22,000 instances through command injection, leading to server lockouts. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. Microsoft Teams Phishing: Ransomware Uses Impersonation to Breach Networks
The BlackBasta ransomware group has recently enhanced its social engineering tactics by utilizing Microsoft Teams for initial access, building on past approaches that relied heavily on email and phone impersonation. Previously known for flooding inboxes and posing as IT help desks, the group now contacts users on Teams, masquerading as corporate IT departments to prompt employees to install remote monitoring and management (RMM) tools like AnyDesk and NetSupport Manager, ultimately setting the stage for ransomware deployment. This new strategy includes crafting fake Entra ID tenants and incorporating QR codes that lead users to malicious sites, increasing the risk of unauthorized network access. Attack methods have evolved from overwhelming inboxes with spam to include voice and Teams-based impersonation, each designed to trick users into facilitating access. Once access is granted, executables like “AntispamAccount.exe” are deployed, enabling further exploitation with tools like Cobalt Strike or Impacket.
To mitigate these threats, cybersecurity researchers recommend restricting external communication on Teams, configuring strict anti-spam and phishing filters, and enabling logging for Teams activities. Employees should receive targeted training to recognize suspicious interactions, especially from accounts posing as IT support, and to avoid scanning unverified QR codes. Comprehensive endpoint monitoring is also essential to detect unauthorized RMM tool installations and prevent lateral movement by threat actors.
2. Akira and Fog Ransomware Exploit SonicWall VPN Vulnerability in Targeted Attacks
The Fog and Akira ransomware groups are actively exploiting a critical SonicWall VPN vulnerability (CVE-2024-40766) to breach corporate networks, often affecting systems that lack multi-factor authentication (MFA). This vulnerability, associated with SonicOS SSL VPN access control, was patched in August 2024, but remains a significant threat due to unpatched systems. Cybersecurity researchers report that these groups frequently collaborate, attacking at least 30 networks by exploiting default VPN port settings and unprotected endpoints. Once inside, attackers deploy rapid encryption tactics—often completing attacks within hours—targeting virtual machines, recent files, and backups. These ransomware operators strategically avoid files older than six or 30 months, suggesting calculated methods to optimize impact. Evidence of a partnership between Fog and Akira includes shared infrastructure, highlighting a coordinated approach.
To mitigate these risks, it is recommended to update SonicWall VPNs to the latest firmware, enforce MFA on all VPN accounts, and avoid default ports to reduce exposure. Additionally, organizations should monitor firewall logs for anomalies, restrict VPN access to essential personnel, and deploy endpoint detection tools to prevent ransomware activity, protect backups, and halt encryption processes where possible.
3. New Technique Enables Multiple Exploits Through Windows Downgrade Vulnerability.
A new attack method has emerged that bypasses Microsoft’s Driver Signature Enforcement (DSE) on fully patched Windows systems, allowing threat actors to load unsigned kernel drivers by downgrading key Windows components. This vulnerability enables attackers to deploy rootkits that evade security mechanisms, compromise system integrity, and maintain persistence on affected machines. Cybersecurity researchers identified that Windows Downdate can downgrade specific components like the ci.dll library, essential for DSE. This process, coupled with the ItsNotASecurityBoundary vulnerability, allows attackers to replace verified security catalog files with malicious versions, circumventing security checks and reintroducing previously patched vulnerabilities.
Critical to this attack is the manipulation of Virtualization-Based Security (VBS) settings, which, if not locked by UEFI, can be disabled through registry modifications. Even with UEFI restrictions, VBS tampering remains feasible, providing attackers with pathways to execute kernel-level code. This exploit method poses a significant threat to system integrity as it enables attackers to subvert DSE protections and execute rootkits.
To defend against this vulnerability, it is recommended to enable VBS with UEFI lock and set the Mandatory flag in the registry, apply regular OS and security updates, and restrict registry access on critical system files. Additionally, deploying advanced detection solutions like Endpoint Detection and Response (EDR) is advisable to monitor for unauthorized downgrades of OS components and detect suspicious registry and file modifications.
4. Cyber-Espionage Group Evasive Panda Uses CloudScout to Hijack Cloud Accounts
The Evasive Panda cyber-espionage group, associated with China, has launched targeted attacks on government and religious entities in Taiwan using a novel malware toolset named CloudScout. Integrated with Evasive Panda’s MgBot framework and developed in .NET, CloudScout enables session hijacking of cloud services, exploiting stolen cookies from authenticated web sessions. This malware consists of 10 modules, three of which specifically target Google Drive, Gmail, and Outlook for data theft. Other modules remain unexamined. The attackers gain initial access through various techniques, including DNS poisoning, supply chain compromises, and exploiting new vulnerabilities, allowing them to infiltrate networks and exfiltrate sensitive data.
The CloudScout malware achieves session hijacking by using a “pass-the-cookie” technique to impersonate users without requiring credentials, allowing unauthorized access to victim accounts. It employs specialized tools like ManagedCookie for hijacking sessions and compresses stolen data into ZIP files for exfiltration. The persistence and adaptability of this group indicate an ongoing threat in cyber-espionage efforts targeting Taiwanese political and governmental sectors.
To counteract these threats, cybersecurity researchers recommend enforcing multi-factor authentication (MFA), strengthening browser-level defenses, and implementing Device Bound Session Credentials (DBSC) to prevent cookie-based hijacking. Regularly monitoring DNS traffic, auditing supply chain security, and deploying advanced threat detection systems are also essential to detect and mitigate unauthorized access, session hijacking, and lateral movement in the network.
5. CyberPanel Vulnerability: Exploitation by Ransomware Targets Over 22,000 Instances
A critical Remote Code Execution (RCE) vulnerability in CyberPanel has exposed over 22,000 instances worldwide to a ransomware campaign deploying PSAUX ransomware. This flaw grants attackers root access, bypasses security filters, and permits unauthorized command injection, leading to widespread server compromise. Identified by cybersecurity researchers, the vulnerability includes three major security lapses: weak authentication checks allowing unauthorized access to specific endpoints, unfiltered command injection on certain pages, and security filters limited to POST requests, leaving other HTTP methods vulnerable. CyberPanel developers were informed on October 23, 2024, though an official patch is pending, with interim fixes available via GitHub.
Following the vulnerability’s disclosure, threat actors initiated a mass ransomware campaign targeting thousands of CyberPanel instances, rapidly reducing accessible instances from 21,761 to about 400. PSAUX ransomware encrypts files with AES keys, leaving ransom notes in each directory. It uses scripts like “ak47.py” for exploitation and “actually.sh” for encryption. A decryptor is available, but users are advised to backup data before attempting decryption due to possible key mismatches.
To mitigate risks, it is recommended to update CyberPanel via GitHub, disable OPTIONS and PUT HTTP methods if not required, and audit access logs for unusual activities. Additionally, restricting access to trusted IPs, enabling multi-factor authentication, segmenting networks, and regularly backing up data with tested restore capabilities are essential for ransomware resilience and ensuring recovery options.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.