Microsoft Revokes Over 200 Certificates to Disrupt Ransomware Campaign Targeting "Teams" Users

Microsoft has disrupted a ransomware campaign targeting users of its collaboration platform "Teams". The central response was revoking more than two hundred code-signing certificates that the attackers had obtained in the name of a fake company and used to sign malicious installers.
Investigations revealed that the hacking group "Vanilla Tempest", also known as "VICE SPIDER" and "Vice Society", is behind the attacks, which began in early October. The financially motivated group, which targets the education, healthcare, and technology sectors, lured users through fake domains mimicking the official "Teams" download sites.
The purpose of these deceptive domains was to deliver a counterfeit "Teams" installer, which served as the entry point for the "Oyster" backdoor (the article's original text misnames the malware after the news site that reported it). Microsoft warned that this software, "when executed, grants hackers remote access to infected devices, allowing them to pull files, execute commands, and download additional malicious software."
Rather than hiding the payload, "Vanilla Tempest" abused code signing itself: the group "exploited a trusted digital signature to mislead security systems and make the malicious software appear legitimate." Because a validly signed installer passes many reputation and policy checks, this let the installers get past the defenses of many potential victims.
After the threat was discovered, Microsoft acted decisively by revoking over 200 code-signing certificates that had been used to sign the malicious installers. This action led to "the loss of trustworthiness of these installers, making them subject to scrutiny and detection by security systems." Additionally, "the attackers' ability to hide behind trusted digital signatures was diminished, hindering the spread of malicious software through the deceptive channels that had been set up." Revocation only has this effect on endpoints whose verifiers actually consult the issuer's CRL or OCSP responder; a system that skips or fails open on revocation checks will still see the old signatures as valid.
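As an added check (example code, not Microsoft's and not from the original article), the following PowerShell verifies the two things the passages above turn on: that a Teams installer came from an allowlisted Microsoft host rather than a lookalike domain, and that its Authenticode signature is not merely present but belongs to the expected signer and has been checked for revocation online. The allowlisted domain suffixes, the signer-subject pattern, and the download URL and file name in the usage lines are this example's own assumptions.

```powershell
# Added example, not code from Microsoft or from the article. It assumes Windows
# (Windows PowerShell 5.1 or PowerShell 7) and network access to CRL/OCSP endpoints.
# The allowlists below are this example's assumptions, not Microsoft policy.

# Hosts from which a Teams installer is allowed to come. Matching is by exact host
# or parent-domain suffix, so a lookalike such as "teams-microsoft.com" does not pass.
$AllowedDownloadSuffixes = @('microsoft.com', 'office.com')

# Signer subject expected on a genuine Microsoft installer. Anchored at the start so
# that a company name merely containing "Microsoft" is rejected.
$ExpectedSignerPattern = '^CN=Microsoft Corporation, O=Microsoft Corporation,'

function Test-DownloadSource {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [uri]$Url
    if ($uri.Scheme -ne 'https') { return $false }
    $h = $uri.Host.ToLowerInvariant()
    foreach ($suffix in $AllowedDownloadSuffixes) {
        if ($h -eq $suffix -or $h.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

function Test-InstallerTrust {
    param([Parameter(Mandatory)][string]$Path)

    $reasons = New-Object System.Collections.Generic.List[string]

    # 1. The Authenticode signature must verify (hash matches, chains to a trusted root).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("Authenticode status $($sig.Status): $($sig.StatusMessage)")
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reasons = $reasons.ToArray() }
    }
    $cert = $sig.SignerCertificate

    # 2. A valid signature is not enough: the signer must be who we expect.
    #    The campaign's installers were validly signed, just not by Microsoft.
    if ($cert.Subject -notmatch $ExpectedSignerPattern) {
        $reasons.Add("Unexpected signer: $($cert.Subject) (thumbprint $($cert.Thumbprint))")
    }

    # 3. Re-check revocation explicitly, for the whole chain, and fail closed when
    #    the status cannot be obtained (RevocationStatusUnknown / OfflineRevocation).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) {
        switch ($s.Status) {
            'NoError'      { }
            # Signing certs legitimately expire; a timestamped signature stays valid, so only warn.
            'NotTimeValid' { Write-Warning "Signer certificate expired: $($s.StatusInformation.Trim())" }
            default        { $reasons.Add("Chain: $($s.Status) - $($s.StatusInformation.Trim())") }
        }
    }
    $chain.Dispose()

    [pscustomobject]@{ Path = $Path; Trusted = ($reasons.Count -eq 0); Reasons = $reasons.ToArray() }
}

# Usage. The URLs and file name are hypothetical.
Test-DownloadSource 'https://teams.microsoft.com/downloads'           # allowlisted -> True
Test-DownloadSource 'https://teams-microsoft.com/TeamsInstaller.exe'  # lookalike  -> False

$installer = Join-Path $env:USERPROFILE 'Downloads\TeamsInstaller.exe'
if (Test-Path $installer) { Test-InstallerTrust -Path $installer | Format-List }
```

A revoked certificate is only a useful signal if the verifier asks the issuer. On a host where CRL/OCSP traffic is blocked, or under a policy that treats an unknown revocation status as acceptable, an installer signed with one of the revoked certificates would still run; the chain check above fails closed for that reason. It also ignores the signature's timestamp, so an expired but timestamped signer is reported as a warning rather than a failure, while a revoked one is always a failure.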
Despite the success in disrupting a significant part of the campaign, Microsoft warns users that "there is still a risk of future attempts adopting new models to deceive users through digital obfuscation."
Amid ongoing threats, the company emphasizes the importance of security vigilance, advising users to verify the source of any link carefully before downloading software, and to avoid clicking on untrusted ads or links claiming to offer official installers. It also stressed the need to run security software and keep it continuously updated. For organizations, it recommends adopting stricter security policies, including tighter control over which signed software is trusted and enforcing multi-factor authentication when installing applications.