[German]In early March 2022, news went around that hackers were using Microsoft Teams to spread malware. The attacks are carried out by attaching .exe files to Teams chats. These .exe files contain a Trojan that is installed on the end user's computer. This Trojan is then used to install malware. How critical is this story though?
Advertising
Notice of attacks via Microsoft Teams
The website Thread Post pointed out this danger back in mid-February in the article Microsoft Teams Targeted With Takeover Trojans. The following tweet links to this article.
In January 2022, researchers from Avanan, a Check Point company, noticed a campaign that dropped malicious executables into Teams conversations. If these attachments were clicked by the user, this installed a Trojan, which could then install further malware and subsequently take over the user's computer. That's according to a published report. Hank Schless, senior manager of security solutions at security vendor Lookout, lists possible tactics and countermeasures.
The hackers' first tactic is to obtain employee credentials for Microsoft 365, which would give them access to all applications in the Microsoft suite. Lookout's data shows that attackers are primarily accessing users through mobile channels such as SMS, social media platforms, third-party messaging apps, games and even dating apps.
According to data from Lookout, an average of 15.5 percent of enterprise users were exposed to phishing attacks per quarter in 2021. That compares to 10.25 percent in 2020. Phishing is clearly a growing problem for any organization.
Because Microsoft 365 is such a widely used platform, it's not very difficult for attackers to create social engineering campaigns that target users via malicious Word files and fake login pages. The second tactic is to compromise a third party, such as a contractor, to gain access to the company's Teams platform. This highlights the importance of performing a detailed security audit of every third-party software, person, and team to ensure their safety.
How serious are these attacks?
Advertising
According to Lookout's study, a successful attack could lead to a complete takeover of the device. Since there is a high likelihood that an attacker initially gained access through phishing, they could eventually gain possession of a trusted device and trusted credentials. This is a malicious combination that could allow an attacker to access any data the user and device have access to.
Once the attacker has penetrated the infrastructure, he can move laterally and find where the most valuable data assets are hidden. From there, he could encrypt that data to launch a ransomware attack or exfiltrate it for sale on the dark web. This attack chain is why organizations need visibility and access control over users, their devices, the applications they want to access and the data stored within.
Recommended protective measures
The nature of this attack, according to Lookout, demonstrates the importance of protecting all endpoints, cloud resources and on-premises or private applications across the enterprise infrastructure. However, keeping track of how users and devices interact with applications and data is becoming increasingly difficult as the network perimeter disappears as the traditional boundary of the enterprise environment.
Therefore, deploying a unified platform that addresses both mobile and PC endpoints, as well as cloud services and private or on-prem applications, is necessary, according to Lookout. This is the only way to provide the level of visibility and protection required against today's modern threat landscape, it said.
To stay ahead of attackers looking to exploit this attack chain, organizations everywhere should implement mobile device security with Mobile Threat Defense (MTD) and protect cloud services with Cloud Access Security Broker (CASB). They also need to monitor web traffic with a Secure Web Gateway (SWG) and implement modern security policies for their on-prem or private applications with Zero Trust Network Access (ZTNA).
Attacks targeting platforms exhibit similar tactics
Attacks targeting specific platforms have their nuances, but the general tactics are obviously very similar. Slack and Teams also let you run public channels that you don't have to be part of the company to participate in. This poses a massive risk to the organization – both for unauthorized access and data loss. The tactics used to gain access to both of these platforms, as well as collaboration platforms and other applications, are generally quite similar. The fact is that phishing is the most viable option for threat actors today.
If an attacker has legitimate credentials to log into enterprise applications, they are less likely to be noticed and stopped. Enterprises therefore need a modernized security strategy capable of detecting anomalous logins, file activity and user behavior.
