Cybercrime Gang Abuses Microsoft Quick Assist to Deploy Black Basta Ransomware
May 17, 2024 · 4 min read
Recently, multiple cybersecurity agencies have uncovered that a cybercrime gang known as Storm-1811 has been exploiting Microsoft’s Quick Assist application to carry out social engineering attacks, deploying the Black Basta ransomware. This malicious activity has been ongoing since mid-April, causing significant damage to numerous businesses and individual users.
Attack Mechanism Revealed
Storm-1811 primarily uses voice phishing (vishing) and spam email bombardment to lure targets. Impersonating IT support personnel, the attackers phone victims, claim they will help resolve computer issues, and guide them into granting remote access via Quick Assist. Specifically, the attackers instruct the victims to press the shortcut CTRL+Windows+Q to launch Quick Assist and enter a security code. Once access is granted, the attackers gain full control over the victim’s computer.
After gaining control, the attackers use keyboard commands to download and install remote management tools (such as ScreenConnect and NetSupport Manager) and malicious software (including QBot and Cobalt Strike). These tools enable the attackers to move laterally within the victim’s network, expanding the scope of the attack.
Real-World Cases
1. A Financial Services Company
A financial services company utilizing Managed Detection and Response (MDR) services fell victim to an attack. The attackers gained remote access by bombarding the administrator with spam emails and phishing calls, subsequently deploying Black Basta ransomware and encrypting critical financial data. Although the company took immediate action to recover the data, the incident resulted in losses amounting to millions of dollars.
2. A Healthcare Facility
The IT department of a healthcare facility received a call from someone posing as technical support, requesting to resolve system issues via Quick Assist. Trusting the call, the IT team granted access, allowing the attackers to take control of the entire medical system and encrypt patient records and medical data. This attack not only inflicted millions of dollars in financial losses but also severely disrupted patient care.
Microsoft’s Response
Microsoft has acknowledged the misuse of Quick Assist and is investigating these attacks. They plan to enhance the security of Quick Assist by adding warning messages and increasing transparency and trust between users. Microsoft advises users and organizations to block or uninstall Quick Assist and other remote management tools if not in use, to reduce the risk of such social engineering attacks.
Additionally, Microsoft has provided a comprehensive set of indicators of compromise and threat-hunting queries to help customers detect malicious activity in their networks. For example, monitoring for suspicious cURL behavior or the potential malicious use of proxy and tunneling tools can aid in early detection and prevention of attacks.
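The sequence described above (a Quick Assist session followed shortly by cURL or a remote management tool on the same host) can be hunted for in process-creation telemetry. The following is an added example, not one of Microsoft's published hunting queries; the events are constructed, and the process-name markers and the 30-minute window are assumptions to tune for your environment.

```python
from datetime import datetime, timedelta

# Constructed process-creation events: (host, ISO timestamp, image name).
EVENTS = [
    ("WS-031", "2024-05-10T08:00:00", "QuickAssist.exe"),
    ("WS-014", "2024-05-10T09:02:11", "QuickAssist.exe"),
    ("WS-014", "2024-05-10T09:03:00", "msedge.exe"),
    ("WS-014", "2024-05-10T09:06:40", "curl.exe"),
    ("WS-014", "2024-05-10T09:09:03", "ScreenConnect.ClientService.exe"),
    ("WS-022", "2024-05-10T10:15:00", "curl.exe"),   # no Quick Assist session
    ("WS-031", "2024-05-10T11:30:00", "curl.exe"),   # outside the window
]

# Assumed markers for the follow-on tooling the article names
# (cURL, ScreenConnect, NetSupport Manager); adjust to your telemetry.
FOLLOW_ON = ("curl.exe", "screenconnect", "client32.exe")
WINDOW = timedelta(minutes=30)  # assumed correlation window


def hunt(events, window=WINDOW):
    """Return (host, quick_assist_start, image) for every follow-on
    process started within `window` of a Quick Assist launch on that host."""
    last_session = {}  # host -> time of the most recent Quick Assist launch
    hits = []
    for host, ts, image in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        name = image.lower()
        if name == "quickassist.exe":
            last_session[host] = when
            continue
        started = last_session.get(host)
        if started is None or when - started > window:
            continue
        if any(marker in name for marker in FOLLOW_ON):
            hits.append((host, started.isoformat(), image))
    return hits


if __name__ == "__main__":
    for host, started, image in hunt(EVENTS):
        print(f"{host}: {image} launched after Quick Assist session at {started}")
```

A hit is a lead for triage rather than a verdict: legitimate help-desk sessions can also launch these tools, so confirm with the user and the service desk ticket history.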
Preventive Measures
To safeguard against similar social engineering attacks, cybersecurity experts recommend that users and organizations increase security awareness training, remain vigilant against unsolicited calls, and verify the legitimacy of technical support requests. Regularly reviewing and updating security policies and ensuring strict control over the use of remote management tools are also crucial.
The recent attacks by the Storm-1811 gang leveraging Quick Assist highlight the critical need for robust cybersecurity measures and heightened awareness. Both enterprises and individual users must work together to create a safer digital environment.