Microsoft Teams Users Under Attack in 'FakeUpdates' Malware Campaign

2020-11-10T13:53:45
ID THREATPOST:090BB8078666F06CFF081E0E945AC9B9
Type threatpost
Reporter Elizabeth Montalbano
Modified 2020-11-10T13:53:45

Description

Attackers are using ads for fake Microsoft Teams updates to deploy backdoors, which use Cobalt Strike to infect companies’ networks with malware.

Microsoft is warning its customers about the so-called “FakeUpdates” campaigns in a non-public security advisory, according to a report in Bleeping Computer. The campaign is targeting various types of companies, with recent targets in the K-12 education sector, where organizations are currently dependent on using apps like Teams for videoconferencing due to COVID-19 restrictions.

Cobalt Strike is a commodity attack-simulation tool that’s used by attackers to spread malware, particularly ransomware. Recently, threat actors were seen using Cobalt Strike in attacks exploiting Zerologon, a privilege-elevation flaw that allows attackers to access a domain controller and completely compromise all Active Directory identity services.

In the advisory, Microsoft said it’s seen attackers in the latest FakeUpdates campaign using search-engine ads to push top results for Teams software to a domain that they control and use for nefarious activity, according to the report. If victims click on the link, it downloads a payload that executes a PowerShell script, which loads malicious content.

Cobalt Strike beacons are among the payloads also being distributed by the campaign, which give threat actors the capability to move laterally across a network beyond the initial system of infection, according to the report. The link also installs a valid copy of Microsoft Teams on the system to appear legitimate and avoid alerting victims to the attack.

Malware being distributed by the campaign include Predator the Thief infostealer, which pilfers sensitive data such as credentials, browser and payment data, according to the advisory. Microsoft also has seen Bladabindi (NJRat) backdoor and ZLoader stealer being distributed by the latest campaigns, according to the report.

In addition to the FakeUpdates campaigns that use Microsoft Teams lures, the tech giant also has seen similar attack patterns in at least six other campaigns with variations of the same theme, suggesting a broader attack by the same threat actors, according to the report. In another instance, for example, attackers used the IP Logger URL shortening service, Microsoft warned.

Microsoft offered a number of mitigation techniques for the latest wave of FakeUpdates attacks. The company is recommending that people use web browsers that can filter and block malicious websites, and ensure that local admin passwords are strong and can’t easily be guessed.

Admin privileges also should be limited to essential users and avoid domain-wide service accounts that have the same permissions as an administrator, according to the report.

Organizations also can limit their attack surface to keep attackers at bay by blocking executable files that do not meet specific criteria or blocking JavaScript and VBScript code from downloading executable content, Microsoft advised.

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.