Security researchers warn that some attackers are compromising Microsoft Teams accounts to slip into chats and spread malicious executables to participants in the conversation.
More than 270 million users are relying on Microsoft Teams every month, many of them trusting the platform implicitly, despite the absence of protections against malicious files.
Simple but efficient method
Researchers at Avanan, a Check Point company that secures cloud email and collaboration platforms, found that hackers started to drop malicious executable files in conversations on Microsoft Teams communication platform.
The attacks started in January and the company detected thousands of them, Avanan threat researcher Carl Rogers told BleepingComputer. From the data available, most attacks were recorded at organizations in the Great Lakes region in the U.S., local media outlets in particular.
In a report today, Avanan says that the threat actor inserts in a chat an executable file called “User Centric” to trick the user into running it.
Once executed, the malware writes data into the system registry installs DLLs and establishes persistence on the Windows machine.
“In this Teams attack, hackers have attached a malicious Trojan document to a chat thread. When clicked on, the file will eventually take over the user’s computer” - Avanan
The method used to gain access to Teams accounts remains unclear but some possibilities include stealing credentials for email or Microsoft 365 via phishing or compromising a partner organization.
Automatic analysis of the malware distributed this way shows that the trojan can establish persistence through Windows Registry Run keys or by creating an entry in the startup folder.
It also collects detailed information about the operating system and the hardware it runs on, along with the security state of the machine based on the OS version and the patches installed.
Excessive trust
Although the attack is quite simple, it may also be very efficient because many users trust files received over Teams, Avanan researchers say.
The company analyzed data from hospitals that use Teams and found that doctors use the platform to share medical information unrestricted.
While individuals are typically suspicious of information received over email, due to email phishing awareness training, they exhibit no caution with files received over Teams.
Moreover, Teams provides guest and external access capabilities that allow collaboration with people outside the company. Avanan says that these invitations are usually met by minimal oversight.
“Because of the unfamiliarity with the Teams platform, many will just trust and approve the requests. Within an organization, a user can very easily pretend to be someone else, whether it's the CEO, CFO or IT help desk” - Avanan
The researchers say that the issue is aggravated by “the fact that default Teams protections are lacking, as scanning for malicious links and files is limited” and “many email security solutions do not offer robust protection for Teams.”
To defend against such attacks, Avanan recommends the following:
• Implement protection that downloads all files in a sandbox and inspects them for malicious content
• Deploy robust, full-suite security that secures all lines of business communication, including Teams
• Encourage end-users to reach out to IT when seeing an unfamiliar file
Update [February 18th, 2022]: Article updated with information from Avanan threat researcher Carl Rogers on the number of attacks detected and the targets.
Comments
whstraining - 2 years ago
What is Malware ?
IT is instrusive software that is designed to destroy computer systems. Example are viruses,adware and ransomware.
alexilumau - 2 years ago
Malware is instrusive software that is designed to destroy computers and computer systems such as worms, spyware, viruses,adware and ransomware.etc
Drags - 2 years ago
So the news you're trying to bring across is that 3rd party attackers are using their stolen credentials to get further access via all possible methods?