With the pandemic and the need to connect remotely while getting work done, Microsoft Teams has continued to thrive globally. In July 2021, Teams recorded an increase that contributed to its whopping 270 million monthly active users. Remarkable as this growth may be, cybercriminals are also on the loose, targeting millions of users by using Microsoft Teams as a launchpad for phishing and malware attacks.
According to a blog post by cloud security firm Avanan, hackers have been exploiting Teams conversations since January 2022 by dropping malicious executable files. Avanan says that this file writes data to the Windows registry, installs DLL files and creates shortcut links that permit the program to self-administer. Having identified and analyzed thousands of these attacks, the company has concluded that hackers are using these .exe files in Microsoft Teams. The rapid rise in these Teams attacks has become a source of concern for unsuspecting users.
In this attack, hackers attach .exe files to Teams chats so that a Trojan is installed on the end user's computer. Avanan has identified that hackers are hacking into Teams through East-West attacks that start via email, or by simply spoofing a user. An .exe file called "User Centric" is then attached to a chat. When clicked, this Trojan file installs DLL files and creates shortcut links to self-administer, and hackers can eventually take over the user's computer. Using an executable file, or a file that contains instructions for the system to execute, hackers can install malicious file libraries (DLL files) that allow the program to self-administer and take control over the computer.
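From the defender's side, the three file types named above (the .exe, the DLLs it installs and the shortcut links it creates) can be recognized by content rather than by file name. The following is an added example, not code from Avanan or the original article; the function names, sample bytes and every file name other than "User Centric" are constructed for illustration.

```python
import struct

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag that marks a DLL


def classify(data):
    """Return 'lnk', 'dll', 'exe' or 'other' from file content, ignoring the name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "other"
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of PE header
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return "other"  # truncated or not a real PE image
    (flags,) = struct.unpack_from("<H", data, pe_off + 22)  # COFF Characteristics
    return "dll" if flags & IMAGE_FILE_DLL else "exe"


def triage(attachments):
    """Map each attachment whose content is an exe, dll or lnk to its detected kind."""
    flagged = {}
    for name, data in attachments.items():
        kind = classify(data)
        if kind != "other":
            flagged[name] = kind
    return flagged


def fake_pe(characteristics):
    """Constructed header-only sample (DOS stub + COFF header), not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed chat attachments; "invoice.pdf" shows why the extension is not trusted.
SAMPLES = {
    "User Centric.exe": fake_pe(0x0002),
    "invoice.pdf": fake_pe(0x2002),
    "Report.lnk": LNK_MAGIC + bytes(56),
    "notes.txt": b"meeting moved to 10:00",
}

if __name__ == "__main__":
    for name, kind in triage(SAMPLES).items():
        print(f"{kind:4} {name}")
```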
In order to attach malicious files to a Teams chat, the first step is accessing Teams. Hackers have a number of ways to do this. They can gain entry by compromising a partner organization and listening in on inter-organizational chats. They can compromise an email address and use that to access Teams. They can steal Microsoft 365 credentials from a previous phishing campaign, giving them carte blanche access to Teams and the rest of the Office suite. Given that hackers are quite adept at compromising Microsoft 365 accounts using traditional email phishing methods, they've learned that the same credentials work for Teams.
According to Avanan, once attackers have secured entry into an organization, they already know what technology is being used to protect it. That means they can tell what malware will bypass existing protections. The fact that default Teams protections are lacking compounds this problem, as scanning for malicious links and files is limited. Further, many email security solutions do not provide robust protection for Teams. Hackers, who can access Teams accounts via East-West attacks or by leveraging the credentials they harvest in other phishing attacks, have carte blanche to launch attacks against millions of unsuspecting users. This attack shows that hackers have gained a deep understanding of Teams as a potential attack vector as its usage continues to grow rapidly. Avanan stated that a significant increase in these sorts of attacks should be expected.
For Teams users, it's time to be aware and resist the urge to download any files from unknown sources. Users are encouraged to reach out to IT when an unfamiliar file is suspected. Organizations are also advised to deploy robust, full-suite security that secures all lines of business communication, including Teams.
News of this Teams bug comes as Windows 10 users are being issued alerts on the resurgence of the nasty QBot bug, a malware that dates as far back as 2007, now with more terrifying outcomes. According to security experts at Digital Forensics and Incident Response (DFIR), this malware can give hackers full access to personal files such as emails, passwords and web browsing history within 30 minutes of getting into a victim's system. The malware spreads via fake phishing emails that try to trick users into downloading the bug with subject lines that include tax payment reminders, job offers, and even COVID-19 alerts.