Microsoft Teams Users Beware of a Cobalt Strike
Microsoft recently issued a warning that cybercriminals are using Cobalt Strike to infect entire networks beyond the infection point. The decoy of choice is ads promoting fake Microsoft Teams updates. Once a user clicks to update, hackers deploy backdoors and use Cobalt Strike to infect networks with malware.
Cobalt Strike is a powerful platform for conducting offensive cyber operations. It contains a wide variety of tools for conducting spear phishing and web drive-by attacks to gain initial access. Cybercriminals are using Cobalt Strike illegitimately by deploying an agent named ‘Beacon’ on the victim machine. This Beacon gives threat actors the capability to move laterally across a network beyond the initial system of infection and also installs a valid copy of Microsoft Teams on the system to appear legitimate and avoid alerting victims to the attack.
Recently, threat actors were seen using Cobalt Strike in attacks exploiting Zerologon, a vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers, making it possible for a hacker to impersonate any computer, including the root domain controller.
Microsoft recommends that people use web browsers that can filter and block malicious websites. As a reminder, local admin passwords need to be strong and not easily guessed, so now would be a great time to check. We blogged last week about limiting global and domain admins, and this is further testimony to why that is a great idea for overall security.
2W Tech is a technology service provider and Microsoft Gold Partner. Give us a call today to discuss with our security experts what steps your business should be taking to protect itself against a Cobalt Strike. We have IT Consultants on staff who specialize in Security solutions, as well as the Microsoft 365 product suite, and can help you combine the two for the best overall result.