In a statement published today, Microsoft has rebuffed rumors that its Microsoft Teams communication and collaboration platform is being used by cyber-criminal gangs to plant ransomware on company networks.
Like all rumors, their origin is unknown, but they began circulating online in early November after several companies across Spain were infected with the DoppelPaymer ransomware.
“Microsoft has been investigating recent attacks by malicious actors using the DoppelPaymer ransomware,” said Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC).
“There is misleading information circulating about Microsoft Teams, along with references to RDP (BlueKeep), as ways in which this malware spreads,” Pope said.
“Our security research teams have investigated and found no evidence to support these claims,” the Microsoft exec said. “In our investigations we found that the malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network.”
Besides rejecting rumors that Microsoft Teams was somehow involved, Pope also addressed a second set of rumors that has been going around on social media.
This second set of rumors claimed that cyber-criminals might have used the BlueKeep RDP vulnerability to install the DoppelPaymer ransomware, again in reference to the same attacks detected across Spain.
This is a first-of-its-kind move from the company. Microsoft has never before issued such a stern statement to correct blatantly false online rumors.
In hindsight, neither rumor should have caught on as it did; both were repeated in some news media articles, and both could have been easily disproved.
First, the DoppelPaymer ransomware is a version of the BitPaymer ransomware, and, historically, has been exclusively distributed via the Dridex botnet or the Emotet botnets (or both).
Computers infected with either the Dridex or Emotet malware are in some cases used to provide ransomware gangs with manual access to companies’ internal networks. Here, as Pope explained above, attackers extract credentials for the company’s internal network to spread laterally to other systems and then install DoppelPaymer on as many systems as they can.
Second, all the attacks where the BlueKeep vulnerability was deployed had the end goal of installing a cryptocurrency miner, something that was made clear by the two researchers who spotted and investigated the initial BlueKeep attacks [1, 2], and by Microsoft itself.
There has yet to be a publicly documented case where BlueKeep has been used to install ransomware.
As security researcher Kevin Beaumont and Rapid7 Chief Data Scientist Bob Rudis have reiterated on many occasions, most of the malicious RDP traffic today consists of RDP brute-force attacks, not BlueKeep-related exploitation traffic.