Cyber attack by supposed IT support via MS Teams: An experience report

Sometimes you read about cyber attacks and think that something like that couldn’t happen to you – until it does. A case like this recently occurred. The attack clearly demonstrates how social engineering works and how even a rather unskilled attacker could cause significant damage.

How it all began: The spam wave

It all started with an employee being flooded with spam emails. It was simply impossible to work productively. In retrospect, this was probably the attacker’s first move. The flood of emails presumably created the ‘perfect’ scenario to prepare the next step: establishing contact.

The ‘supposed’ rescuer: contact via MS Teams

While the employee was still trying to deal with the chaos in his inbox, someone suddenly contacted him via MS Teams. At first glance, the contact seemed completely legitimate – after all, the person introduced themselves as IT support. The question of whether the problems with the emails were still there hit the stressed employee right where it hurt. The employee followed the instructions of the supposed helper.

‘Please download AnyDesk’

This is where the next step came in: the attacker asked the employee to download the remote management software AnyDesk. At first glance, nothing unusual here, right? But this is precisely where the trap struck. With the best of intentions, the employee granted access and, a short time later, the attacker was in the middle of a remote session.

The remote session: 1.5 hours of access

The remote session lasted about 1.5 hours. During this time, the attacker carried out several activities:

  • The employee was asked to disclose his M365 password, which he unfortunately did.
  • A few documents were apparently exfiltrated, as later analysis of the AnyDesk logs showed. Fortunately, these were non-critical documents.
  • The attacker executed various commands to collect system information and identify vulnerabilities.

The commands showed an attempt to extract network information, registry details and possibly sensitive configurations.

The attacker’s unprofessionalism

Despite the successful remote session, the attacker showed little professionalism:

  • Several PowerShell commands failed and some were simply written incorrectly.
  • The approach indicated that the attacker was probably using a playbook or script that he was copying and pasting blindly. Adaptation to the specific environment was completely lacking.

The same attack behaviour has previously been attributed to attackers using the BlackBasta Ransomware-as-a-Service. However, it could not be confirmed whether this was an affiliate of that ransomware operation. More information can be found here and here.

The turning point: the real IT support team gets in touch

After an hour and a half in the remote session, the company’s real IT support team finally called. This was the moment when the employee realized that something was wrong and interrupted the remote session. Fortunately, thanks to the attacker’s unprofessional approach, no serious damage was done. The computer was isolated and all passwords were reset.

Lessons Learned from the incident

Security awareness training is essential:

The attack could have been prevented if the employees had been better trained. In particular, requests to install software should always be approached with caution.

Restrictions for remote management tools:

Software like AnyDesk should not be easy to download and install. The attempted execution should be blocked and an alert raised. Whitelisting permitted programs and pre-installing required software could prevent similar incidents in the future.

Technical protective measures:

Collaboration in platforms such as Microsoft Teams should be restricted to known and trusted organizations. PowerShell activities should be monitored and restrictive guidelines for script execution should be implemented. For more information, read our full article about Forensic Readiness.
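The two technical lessons above (alerting on unapproved remote management tools, and monitoring PowerShell activity) can be illustrated with a small detection routine. The following is an added example, not tooling from the author or from SECUINFRA. It runs over constructed, Sysmon-style process-creation records (Event ID 1) and PowerShell script block records (Event ID 4104); the host names, timestamps, paths and the assumption that IT deploys software only under Program Files are all invented for the example.

```python
"""Detect unapproved remote-management tools and PowerShell reconnaissance,
then correlate the two on the same host (added example, constructed data)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Remote management tools that IT does not pre-install in this assumed environment.
UNAPPROVED_REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

# Path fragments an IT-managed installation would never run from (assumption:
# sanctioned software lives under Program Files only).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Generic host/network reconnaissance patterns as seen in script block logging.
RECON_PATTERNS = [
    re.compile(r"\bipconfig\s+/all", re.I),
    re.compile(r"\bsysteminfo\b", re.I),
    re.compile(r"\breg(\.exe)?\s+query\b", re.I),
    re.compile(r"\bGet-ItemProperty\b.*HKLM:", re.I),
    re.compile(r"\bnet(\.exe)?\s+(user|group|localgroup)\b", re.I),
    re.compile(r"\bnltest\b", re.I),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Alert:
    host: str
    time: datetime
    rule: str
    detail: str


def detect(events):
    """Return one Alert per suspicious event, in input order."""
    alerts = []
    for ev in events:
        host = ev.get("Computer", "?")
        when = datetime.strptime(ev["UtcTime"], TIME_FMT)
        if ev.get("EventID") == 1:  # Sysmon process creation
            image = ev.get("Image", "")
            name = image.rsplit("\\", 1)[-1].lower()
            if name in UNAPPROVED_REMOTE_TOOLS:
                where = ("user-writable path"
                         if any(p in image.lower() for p in USER_WRITABLE)
                         else "system path")
                alerts.append(Alert(host, when, "remote-tool-execution",
                                    f"{name} started from {where}: {image}"))
        elif ev.get("EventID") == 4104:  # PowerShell script block logging
            text = ev.get("ScriptBlockText", "")
            hits = [p.pattern for p in RECON_PATTERNS if p.search(text)]
            if hits:
                alerts.append(Alert(host, when, "powershell-recon",
                                    f"{len(hits)} recon pattern(s): {text.strip()[:80]}"))
    return alerts


def correlate(alerts, window=timedelta(hours=2)):
    """Escalate when reconnaissance follows a remote-tool start on the same host
    within the window; this is the pattern of an attacker-driven remote session."""
    escalated = list(alerts)
    starts = [a for a in alerts if a.rule == "remote-tool-execution"]
    recon = [a for a in alerts if a.rule == "powershell-recon"]
    for s in starts:
        for r in recon:
            if r.host == s.host and timedelta(0) <= r.time - s.time <= window:
                escalated.append(Alert(r.host, r.time, "remote-session-recon",
                                       f"recon {r.time - s.time} after {s.detail}"))
                break
    return escalated


def analyse(events):
    return correlate(detect(events))


# Constructed sample telemetry (not data from the incident described above).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-042", "UtcTime": "2024-05-02 10:03:11",
     "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "User": "CORP\\jdoe"},
    {"EventID": 4104, "Computer": "WS-042", "UtcTime": "2024-05-02 10:09:40",
     "ScriptBlockText": "ipconfig /all; reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"},
    {"EventID": 4104, "Computer": "WS-042", "UtcTime": "2024-05-02 10:10:05",
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"EventID": 1, "Computer": "WS-017", "UtcTime": "2024-05-02 11:00:00",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "User": "CORP\\asmith"},
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(f"{a.time} {a.host} [{a.rule}] {a.detail}")
```

The correlation step is the part worth copying: a single AnyDesk start from a Downloads folder is noisy on its own, but the same host running reconnaissance shortly afterwards is exactly the sequence this incident produced, and it is cheap to alert on from logs most environments already collect. In a real deployment the allow-list of tools and paths would come from the software inventory rather than from constants.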

This incident may have ended lightly, but it clearly shows how important it is to be prepared on both a technical and human level. Social engineering is often the most effective way for attackers to achieve their goals – we must never forget that.

Yasin Ilgar • Author

Managing Cyber Defense Consultant

Yasin joined SECUINFRA’s team in 2021 and is responsible for the further development of SECUINFRA’s Incident Response Service. He specializes in the detection, analysis and remediation of security incidents in computer networks.
