Excerpt from TheHackerNews Article, Published on May 16, 2024

Microsoft’s Threat Intelligence team has reported that a cybercriminal group named Storm-1811 is exploiting the Quick Assist tool to execute ransomware attacks. The group, known for deploying Black Basta ransomware, uses voice phishing to deceive victims into installing remote monitoring and management (RMM) tools, which subsequently deliver malware such as QakBot and Cobalt Strike.

Quick Assist, a legitimate Microsoft application pre-installed on Windows 11 devices, is designed for remote technical support. However, Storm-1811 misuses it to impersonate trusted contacts like Microsoft support or company IT professionals, gaining initial access to victims’ devices. The attack begins with link listing, where victims’ email addresses are inundated with legitimate subscription emails, creating an opportunity for the attackers to pose as IT support. Through phone calls, they convince victims to use Quick Assist to address the spam issue, thus gaining remote access.

Once access is granted, attackers run commands to download malicious files, enabling further actions like domain enumeration and lateral movement. Eventually, they deploy Black Basta ransomware across the network using tools like PsExec. Microsoft is responding by enhancing Quick Assist with warning messages to alert users about potential tech support scams. The attacks, which began in mid-April 2024, have targeted various industries, including manufacturing, construction, food and beverage, and transportation.

Rapid7’s senior manager of incident response services, Robert Knapp, emphasized the ease and effectiveness of such attacks. He noted the importance of addressing the stages leading to ransomware deployment to mitigate the threat. According to Microsoft, Black Basta is a “closed ransomware offering” that a small number of actors distribute with the help of other actors for initial access and infrastructure. Since its emergence in April 2022, Black Basta has often gained access via QakBot and other malware.

Organizations are advised to disable or uninstall Quick Assist if not in use and educate employees about recognizing tech support scams to enhance their security posture.
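To act on the "disable or uninstall" advice above, the following PowerShell script (added here as an example; it is not from the article or from Microsoft) audits a host for Quick Assist and, only when run with `-Remove`, uninstalls it. It assumes Quick Assist is present either as the Windows capability `App.Support.QuickAssist*` or as the Store package `MicrosoftCorporationII.QuickAssist`; confirm those names on your own builds before deploying it fleet-wide.

```powershell
# Audit and optionally remove Quick Assist from a Windows 10/11 host.
# Run from an elevated PowerShell session. Without -Remove it only reports.
# Assumption: package/capability names below match the target build.
param(
    [switch]$Remove
)

$found = @()

# 1. Quick Assist delivered as a Windows capability (Features on Demand)
$caps = Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' }
foreach ($c in $caps) {
    $found += [pscustomobject]@{ Kind = 'Capability'; Name = $c.Name; State = $c.State }
    if ($Remove -and $c.State -eq 'Installed') {
        Remove-WindowsCapability -Online -Name $c.Name | Out-Null
    }
}

# 2. Quick Assist delivered as a Store app: installed copies for all users ...
$pkgs = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
foreach ($p in $pkgs) {
    $found += [pscustomobject]@{ Kind = 'AppxPackage'; Name = $p.PackageFullName; State = 'Installed' }
    if ($Remove) { Remove-AppxPackage -Package $p.PackageFullName -AllUsers }
}

# ... and the provisioned copy that would reinstall for new user profiles
$prov = Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -eq 'MicrosoftCorporationII.QuickAssist' }
foreach ($p in $prov) {
    $found += [pscustomobject]@{ Kind = 'Provisioned'; Name = $p.PackageName; State = 'Provisioned' }
    if ($Remove) { Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName | Out-Null }
}

if ($found.Count -eq 0) {
    Write-Output 'Quick Assist not present on this host.'
} else {
    $found | Format-Table -AutoSize
    if (-not $Remove) { Write-Output 'Re-run with -Remove to uninstall.' }
}
```

Removing the provisioned package matters because otherwise Quick Assist returns the next time a new user signs in; pair the removal with the user-awareness training the article recommends, since the initial access here is a phone call, not a software flaw.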

To delve deeper into this topic, please read the full article on TheHackerNews