The organization issues an advisory for the desktop and web versions of the Microsoft Teams application
In its advisory, CERT mentioned that in an email extortion campaign, scammers have sent numerous emails to people stating that their computers were hacked, that a video was recorded through their webcam and that the scammers know their passwords.
As per CERT, the scammer first tries to grab the recipient’s attention by quoting one of their old passwords in the mail. The scammer then crafts a story full of computer jargon to convince the recipient that the scammer is a highly skilled hacker, which could look like the following:
“Well, I actually placed a malware on the port website and guess what, you visited this website to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account and email account.”
This is the last step before the ransom demand: the scammer claims to have recorded personal video(s) by compromising the recipient’s webcam, which could look like the following:
“What exactly did I do?
I made a split-screen video. The first part recorded the video you were viewing (you’ve got a fine taste haha), and the next part recorded your webcam (Yep! It’s you doing nasty things!).”
Next, the scammer asks for the ransom in the form of Bitcoin (BTC) or a similar cryptocurrency.
Lastly, the scammer gives a deadline of 24 hours to comply and threatens to send the video to the recipient’s relatives, coworkers, etc.
CERT advises that although the listed passwords are in many cases real passwords the recipient used in the past, the attacker did not obtain them by hacking the recipient’s account but from data breaches leaked and shared online. The emails are fake, they are scams, and there is nothing to worry about beyond the exposed password.
The organization laid out some best practices for recipients of such mails: recipients should not send any payment to the scammers, and if a listed password is still in use or looks familiar, they should change it at every site where it is used.
Adam Palmer, Chief Security Strategist at Tenable, said, “Phishing emails that are intended to scare email recipients into believing that a bad actor holds personal information about them are one of the oldest “tricks in the book”. However, these types of attacks still have the potential to threaten a corporate environment if a bad actor attempts to extort data about an organisation from an employee or infect a network with malicious links in the phishing message. The good news is that typically, the malware delivered by phishing messages will try to exploit well-known common vulnerabilities. Criminals like easy ‘low hanging fruit.’”
“The best way for an organisation to defend against this type of attack, in addition to user awareness, is to practice good cyber hygiene – such as by identifying critical risks and patching systems with common vulnerabilities favoured by criminals, blocking malicious sites and IP addresses, enforcing multi-factor authentication and using encryption for sensitive data. These recommendations make it far harder for criminals to be successful,” added Adam.
Along with this, CERT had also issued an advisory yesterday (30th April) about a vulnerability in the Microsoft Teams application. The attack requires a successful takeover of a vulnerable Microsoft subdomain, coupled with exploitation of the Microsoft Teams authentication system. An attacker could exploit this weakness to create a malicious link or GIF file hosted on the taken-over subdomain. When the Teams client loads it, the victim’s authentication token is sent to the attacker. The attack simply involved tricking a victim into clicking the link or viewing the malicious GIF image. Once they have obtained the token, the attacker can use it to hijack the victim’s account through the Teams API interfaces: read the user’s Teams messages, send messages on their behalf, create groups, add or remove users from a group, and change group permissions.
However, CERT confirms that Microsoft has patched this vulnerability by deleting the misconfigured DNS records of the affected subdomains, which removes the attacker’s ability to take those subdomains over.
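The advisory does not say how the token reaches the attacker once the victim’s client fetches the GIF. The general mechanism behind this class of attack is cookie scoping: a browser sends a cookie whose Domain attribute is a parent domain to every subdomain of that domain (RFC 6265 section 5.1.3), so a single taken-over subdomain receives the session cookie. The Python below is an added example, not code from the advisory or from Microsoft, and all hostnames and cookie names in it are constructed placeholders; it models the browser’s domain-matching rule and shows the weak setting (token scoped to the parent domain) beside the hardened one (host-only cookie).

```python
# Added example, not from the CERT advisory or from Microsoft.
# Models RFC 6265 cookie domain matching to show why a session token scoped to
# a parent domain is sent to every subdomain, including one an attacker has
# taken over. All hostnames and cookie names below are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # Domain attribute, or the setting host for a host-only cookie
    host_only: bool  # True when the server sent no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the request host domain-matches the cookie domain
    when they are identical, or when the host ends with '.' + cookie domain."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def cookies_sent_to(jar, request_host):
    """Names of the cookies a browser would attach to a request to request_host
    (RFC 6265 section 5.4, domain rule only; Path and Secure are ignored here)."""
    sent = []
    for c in jar:
        if c.host_only:
            if request_host.lower().rstrip(".") == c.domain.lower().rstrip("."):
                sent.append(c.name)
        elif domain_matches(request_host, c.domain):
            sent.append(c.name)
    return sent


APP_HOST = "app.example.com"          # where the user actually logs in (placeholder)
TAKEN_OVER = "old-test.example.com"   # subdomain with a dangling DNS record (placeholder)

# Weak setting: the app sets the token with Domain=example.com so sibling
# services can read it; the browser then sends it to any *.example.com host.
WEAK_JAR = [Cookie("authtoken", "tok-123", "example.com", host_only=False)]

# Hardened setting: no Domain attribute, so the cookie is host-only and is
# sent to app.example.com and nowhere else.
HARDENED_JAR = [Cookie("authtoken", "tok-123", APP_HOST, host_only=True)]


def token_leaked(jar, attacker_host=TAKEN_OVER):
    """True if a GIF or link fetched from the attacker's subdomain would carry the token."""
    return "authtoken" in cookies_sent_to(jar, attacker_host)


if __name__ == "__main__":
    for label, jar in (("weak", WEAK_JAR), ("hardened", HARDENED_JAR)):
        print(f"{label}: to {APP_HOST}: {cookies_sent_to(jar, APP_HOST)}; "
              f"to {TAKEN_OVER}: {cookies_sent_to(jar, TAKEN_OVER)}; "
              f"leaked={token_leaked(jar)}")
```

Two caveats worth keeping in mind: SameSite does not help here, because a subdomain of the same registrable domain is same-site by definition, so only the cookie’s Domain scope (or a separate per-host token) limits the blast radius. And the host-only cookie only contains the damage; the fix the advisory reports, removing the dangling DNS records, is what takes away the attacker’s foothold in the first place.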
However, as a piece of advice, the organization says: “Organizations are advised to keep libraries up to date, patch software regularly, set up strong authentication processes for all users and maintain secure domains. Developers involved in building such systems are suggested to follow secure coding practices and development hygiene while designing such tools.”