- Sophos’ researchers said they saw two groups taking part in email bombings
- At least 15 organizations were targeted in the last three months
- The goal is to steal sensitive data and deploy ransomware
At least two threat actor groups are running email bombing campaigns against organizations in the West in a bid to steal their data and deploy ransomware.
Cyber security researchers at Sophos X-Ops have observed more than 15 such incidents in the past three months, with half of them occurring in the past two weeks, suggesting that the campaigns are gaining momentum.
Email bombing is not a new tactic. It involves “bombarding” the victim with hundreds if not thousands of emails in a very short period of time before the attackers contact the victims posing as an IT administrator or network support worker.
Russian hackers
The attackers reportedly reach out through Microsoft Teams or similar online collaboration tools and offer to fix the problem. If the victim takes the bait, the attackers ask for access via Quick Assist or Microsoft Teams screen sharing so they can take control of the target’s computer. Once they have that access, they deploy ransomware, the researchers said.
While Sophos X-Ops did not confidently attribute the attacks to specific groups, it said it “uncovered links” between one of the threat actors and FIN7 – a known Russian financially motivated hacking collective.
The second group is apparently linked to Storm-1811, another financially motivated cybercriminal group. This collective is known to deploy Black Basta ransomware through sophisticated social engineering attacks and was previously observed impersonating IT staff.
For Sean Gallagher, lead threat researcher at Sophos, the key to the problem is that Teams’ default configuration allows individuals outside an organization to chat with or call internal staff within a company.
“Since many companies use managed service providers for their IT support, receiving a Teams call from an unknown person labeled as ‘Help Desk Manager’ may not set off alarm bells, especially when combined with an overwhelming spam email,” Gallagher said.
“As Sophos continues to see new MDR and IR cases associated with these tactics, we want companies using Microsoft 365 to be on high alert. They should check company-wide configurations, block external account messages if possible, and block remote access tools and remote machine management tools that are not regularly used by their organizations.”
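The Teams default that Gallagher describes, and the configuration check and remote-tool lockdown he recommends, translate into a short administrative script. The following PowerShell is an added example written for this page, not code from Sophos or from the article; it assumes the MicrosoftTeams module and a Teams administrator account for the first two steps, a locally elevated session on each endpoint for the third, and uses "msp.example" as a placeholder for the organization’s real IT provider domain.

```powershell
# Added example (not Sophos' code). Audit and tighten Microsoft Teams external
# access, then remove Quick Assist from endpoints where it is not needed.
# Assumptions: MicrosoftTeams module installed, Teams admin rights,
# "msp.example" is a placeholder for your managed service provider's tenant.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# --- 1. Audit: who outside the tenant can start a chat or call with staff? ---
$fed = Get-CsTenantFederationConfiguration
$findings = @()

# Personal (consumer) Teams accounts are the easiest for an attacker to create.
if ($fed.AllowTeamsConsumerInbound) {
    $findings += 'Consumer Teams accounts can initiate chats/calls to staff'
}
# Federation with no allow list means any Microsoft 365 tenant can reach staff,
# including one the attacker registered under a "Help Desk" display name.
# AllowedDomainsAsAList is exposed by recent versions of the MicrosoftTeams module.
if ($fed.AllowFederatedUsers -and (-not $fed.AllowedDomainsAsAList -or $fed.AllowedDomainsAsAList.Count -eq 0)) {
    $findings += 'Federation is open to every external tenant (no allow list)'
}
if ($fed.AllowPublicUsers) {
    $findings += 'Skype consumer accounts can reach staff'
}

if ($findings.Count -eq 0) {
    Write-Host 'External access is already restricted.'
} else {
    Write-Warning ("Teams external access findings:`n - " + ($findings -join "`n - "))
}

# --- 2. Harden: keep federation only for the provider the org actually uses. ---
# Blocking consumer accounts and moving to an allow list removes the path where an
# unknown "Help Desk Manager" can message an employee mid email bomb.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false
# Switching to an explicit allow list; only listed tenants may federate.
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @{Add = 'msp.example'}

# --- 3. Endpoint: remove Quick Assist where the organization does not use it. ---
# Run elevated on each Windows endpoint (or via your management tooling).
# Quick Assist ships as an optional Windows capability and can be uninstalled.
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
    Remove-WindowsCapability -Online
```

Run step 1 on its own first and review the warnings before applying step 2, since an allow list that omits a legitimate partner tenant will silently drop their messages; step 3 only removes Quick Assist and does nothing about other remote management tools, which need their own block rules.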