Cybercrime Gang Abuses Microsoft Quick Assist to Deploy Black Basta Ransomware
May 17, 20244 min read 分钟阅读
Share
Recently, multiple cybersecurity agencies have uncovered that a cybercrime gang known as Storm-1811 has been exploiting Microsoft’s Quick Assist application to carry out social engineering attacks, deploying the Black Basta ransomware. This malicious activity has been ongoing since mid-April, causing significant damage to numerous businesses and individual users.
Attack Mechanism Revealed
Storm-1811 primarily employs voice phishing (Vishing) and spam email bombardment to lure target users into their trap. Impersonating IT support personnel, they contact victims by phone, claiming to help resolve computer issues and guide them to grant remote access via Quick Assist. Specifically, the attackers instruct the victims to press the shortcut CTRL+Windows+Q to launch Quick Assist and enter a security code. Once access is granted, the attackers gain full control over the victim’s computer.
After gaining control, the attackers use keyboard commands to download and install remote management tools (such as ScreenConnect and NetSupport Manager) and malicious software (including QBot and Cobalt Strike). These tools enable the attackers to move laterally within the victim’s network, expanding the scope of the attack.
Real-World Cases
1. A Financial Services
Company:A financial services company utilizing Managed Detection and Response (MDR) services fell victim to an attack. The attackers gained remote access by bombarding the administrator with spam emails and phishing calls, subsequently deploying Black Basta ransomware and encrypting critical financial data. Although the company took immediate action to recover the data, the incident resulted in losses amounting to millions of dollars.
2. A Healthcare Facility
The IT department of a healthcare facility received a call from someone posing as technical support, requesting to resolve system issues via Quick Assist. Trusting the call, the IT team granted access, allowing the attackers to take control of the entire medical system and encrypt patient records and medical data. This attack not only inflicted millions of dollars in financial losses but also severely disrupted patient care.
Microsoft’s Response
Microsoft has acknowledged the misuse of Quick Assist and is investigating these attacks. They plan to enhance the security of Quick Assist by adding warning messages and increasing transparency and trust between users. Microsoft advises users and organizations to block or uninstall Quick Assist and other remote management tools if not in use, to reduce the risk of such social engineering attacks.
Additionally, Microsoft has provided a comprehensive set of compromise indicators and threat-hunting queries to help customers detect malicious activities in their networks. For example, monitoring for suspicious cURL behavior or the potential malicious use of proxies and tunnel tools can aid in early detection and prevention of attacks.
Preventive Measures
To safeguard against similar social engineering attacks, cybersecurity experts recommend that users and organizations increase security awareness training, remain vigilant against unsolicited calls, and verify the legitimacy of technical support requests. Regularly reviewing and updating security policies and ensuring strict control over the use of remote management tools are also crucial.
The recent attacks by the Storm-1811 gang leveraging Quick Assist highlight the critical need for robust cybersecurity measures and heightened awareness. Both enterprises and individual users must work together to create a safer digital environment.
The technological landscape is evolving at an unprecedented rate, marking a new era of innovation and digital transformation. In 2024, staying abreast of emerging technology trends is not just advisable; it’s imperative for professionals aiming to remain relevant in a rapidly changing world. Here are key trends that are shaping the future and tips on …
Sumsub’s latest identity fraud report reveals a 121% rise in APAC identity fraud and a 194% surge in deepfake incidents. Explore the growing FaaS threat and strategies to combat digital fraud challenges.
According to CNN’s report, on Tuesday, Meta’s platforms, including Facebook and Instagram, experienced a widespread outage due to what the company described as a “technical issue.” The disruption affected thousands of users but was resolved within approximately two hours. According to outage tracker Downdetector, as many as 500,000 Facebook users encountered problems logging in or …
Cybercrime Gang Abuses Microsoft Quick Assist to Deploy Black Basta Ransomware
Recently, multiple cybersecurity agencies have uncovered that a cybercrime gang known as Storm-1811 has been exploiting Microsoft’s Quick Assist application to carry out social engineering attacks, deploying the Black Basta ransomware. This malicious activity has been ongoing since mid-April, causing significant damage to numerous businesses and individual users.
Attack Mechanism Revealed
Storm-1811 primarily employs voice phishing (Vishing) and spam email bombardment to lure target users into their trap. Impersonating IT support personnel, they contact victims by phone, claiming to help resolve computer issues and guide them to grant remote access via Quick Assist. Specifically, the attackers instruct the victims to press the shortcut CTRL+Windows+Q to launch Quick Assist and enter a security code. Once access is granted, the attackers gain full control over the victim’s computer.
After gaining control, the attackers use keyboard commands to download and install remote management tools (such as ScreenConnect and NetSupport Manager) and malicious software (including QBot and Cobalt Strike). These tools enable the attackers to move laterally within the victim’s network, expanding the scope of the attack.
Real-World Cases
1. A Financial Services
Company:A financial services company utilizing Managed Detection and Response (MDR) services fell victim to an attack. The attackers gained remote access by bombarding the administrator with spam emails and phishing calls, subsequently deploying Black Basta ransomware and encrypting critical financial data. Although the company took immediate action to recover the data, the incident resulted in losses amounting to millions of dollars.
2. A Healthcare Facility
The IT department of a healthcare facility received a call from someone posing as technical support, requesting to resolve system issues via Quick Assist. Trusting the call, the IT team granted access, allowing the attackers to take control of the entire medical system and encrypt patient records and medical data. This attack not only inflicted millions of dollars in financial losses but also severely disrupted patient care.
Microsoft’s Response
Microsoft has acknowledged the misuse of Quick Assist and is investigating these attacks. They plan to enhance the security of Quick Assist by adding warning messages and increasing transparency and trust between users. Microsoft advises users and organizations to block or uninstall Quick Assist and other remote management tools if not in use, to reduce the risk of such social engineering attacks.
Additionally, Microsoft has provided a comprehensive set of compromise indicators and threat-hunting queries to help customers detect malicious activities in their networks. For example, monitoring for suspicious cURL behavior or the potential malicious use of proxies and tunnel tools can aid in early detection and prevention of attacks.
Preventive Measures
To safeguard against similar social engineering attacks, cybersecurity experts recommend that users and organizations increase security awareness training, remain vigilant against unsolicited calls, and verify the legitimacy of technical support requests. Regularly reviewing and updating security policies and ensuring strict control over the use of remote management tools are also crucial.
The recent attacks by the Storm-1811 gang leveraging Quick Assist highlight the critical need for robust cybersecurity measures and heightened awareness. Both enterprises and individual users must work together to create a safer digital environment.
Related Posts
Navigating the Future: Top Technology Trends to Watch in 2024
The technological landscape is evolving at an unprecedented rate, marking a new era of innovation and digital transformation. In 2024, staying abreast of emerging technology trends is not just advisable; it’s imperative for professionals aiming to remain relevant in a rapidly changing world. Here are key trends that are shaping the future and tips on …
Identity Fraud on the Rise: Insights from Sumsub’s Annual Fraud Report
Sumsub’s latest identity fraud report reveals a 121% rise in APAC identity fraud and a 194% surge in deepfake incidents. Explore the growing FaaS threat and strategies to combat digital fraud challenges.
Facebook and Instagram outage: Widespread disruption resolved
According to CNN’s report, on Tuesday, Meta’s platforms, including Facebook and Instagram, experienced a widespread outage due to what the company described as a “technical issue.” The disruption affected thousands of users but was resolved within approximately two hours. According to outage tracker Downdetector, as many as 500,000 Facebook users encountered problems logging in or …