ALBAWABA - Microsoft said it was able to stop a large ransomware campaign targeting users of its collaboration platform, Microsoft Teams. This was possible because the company uncovered a network of fake installers signed with fraudulent digital certificates.
The company said it revoked more than 200 compromised digital signatures that were being used to spread malware disguised as genuine Teams apps. This stopped the attackers from using trusted security credentials to distribute their malware.
Microsoft says the campaign was started in early October by a financially motivated group of hackers known as "Vanilla Tempest," "VICE SPIDER," or "Vice Society."
The attackers set up fake domains that imitated Microsoft's official Teams website, tricking people into downloading a counterfeit version of the app. Once the fake software was installed, it dropped a type of malware called "Bleeping Computer" that gave the hackers remote access to the computer.
The malware let the hackers take over infected devices, steal private information, run commands remotely, and install additional malicious tools. Microsoft said the hackers used genuine digital certificates to make their software look safe, which let them bypass many security checks.
Vanilla Tempest has a history of attacking schools, hospitals, tech companies, and factories with ransomware. In the past, they have used malware like BlackCat, Quantum Locker, and Zeppelin.
Microsoft Takes Back 200 Certificates to Stop the Attack
Microsoft responded by revoking more than 200 digital certificates connected to the operation, which immediately prevented the attackers from distributing trusted-looking malicious installers.
The company said, "Once these certificates were revoked, the fake apps lost their credibility and were flagged by most security systems." This move greatly slowed the spread of the ransomware campaign.
Microsoft cautioned, though, that similar attacks could recur using other ways of impersonating trusted platforms or services.
Microsoft says to be careful and boost security
The company told people to download Teams only from official Microsoft sites and to check URLs before clicking. It also advised individuals and businesses to keep their antivirus software up to date, scan downloaded files, and avoid suspicious ads or links that might lead to fake installers.
Microsoft also suggested that businesses tighten access to software-signing certificates and require multi-factor authentication (MFA) when installing software.
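One concrete way to act on the advice above is to verify an installer's Authenticode signature before running it, including an online revocation check of the signing chain so that an installer signed with one of the revoked certificates is rejected. The script below is an added example written for this article, not Microsoft's own code; the function name, the installer path and the expected signer string are assumptions.

```powershell
# Added example (not from the article): verify a downloaded Teams installer's
# code signature, signer identity, and certificate revocation status before use.
# The installer path below is a hypothetical placeholder.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [string] $ExpectedSigner = 'O=Microsoft Corporation'   # assumed subject fragment
    )
    $reasons = @()

    # 1. Is the file signed at all, and does the signature match the file contents?
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status: $($sig.Status)"
        return [pscustomobject]@{ Path = $InstallerPath; Verdict = 'REJECT'; Reasons = $reasons }
    }
    $cert = $sig.SignerCertificate

    # 2. Was it signed by the publisher we expect? A valid signature from an
    #    unrelated company is exactly what the fake Teams installers carried.
    if ($cert.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
        $reasons += "unexpected signer: $($cert.Subject)"
    }

    # 3. Rebuild the chain with an online revocation check for every certificate,
    #    restricted to the code-signing EKU (OID 1.3.6.1.5.5.7.3.3).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.ApplicationPolicy.Add(
        [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3')) | Out-Null
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) {
            $reasons += "chain: $($s.Status) ($($s.StatusInformation.Trim()))"
        }
    }

    [pscustomobject]@{
        Path       = $InstallerPath
        Signer     = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Verdict    = if ($reasons.Count -eq 0) { 'ACCEPT' } else { 'REJECT' }
        Reasons    = $reasons
    }
}

# Usage (placeholder path):
Test-InstallerSignature -InstallerPath 'C:\Users\Public\Downloads\Teams_setup.exe' | Format-List
```

Note that a revoked certificate only invalidates a timestamped signature when the revocation is dated before the signing time, so a file that passes step 1 can still fail step 3; treat any non-empty Reasons list as a reason not to run the installer.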
Microsoft warned that "cybercriminals are always changing," stressing the need for users to be on the lookout for and actively defend against ransomware campaigns that are becoming more advanced.