Storm-1811 Exploits Quick Assist for Social Engineering, Paving Way for Black Basta Ransomware

Storm-1811
Quick Assist dialog box asking permission to allow screen sharing

Microsoft Threat Intelligence has uncovered a sophisticated ransomware campaign orchestrated by the cybercriminal group Storm-1811. This nefarious scheme involves a novel tactic of exploiting Microsoft’s Quick Assist, a legitimate remote assistance tool, to gain unauthorized access to victims’ devices.

The attack chain begins with a seemingly innocuous phone call. Storm-1811 members, masquerading as trusted figures like IT professionals or Microsoft support agents, engage in voice phishing (vishing) tactics to manipulate unsuspecting individuals into granting them access through Quick Assist. Once the connection is established, the attackers seize control, opening the floodgates for a series of malicious activities.

Quick Assist dialog box asking permission to allow screen sharing

Microsoft’s investigation has revealed a meticulously planned attack sequence following the initial compromise. Storm-1811 swiftly deploys a range of malicious tools, including Qakbot, Cobalt Strike, and remote monitoring and management (RMM) software like ScreenConnect and NetSupport Manager. These tools enable the attackers to maintain persistent access, conduct reconnaissance within the network, and ultimately unleash the devastating Black Basta ransomware.

This ransomware, known for its exclusivity and severe impact, is typically preceded by extensive groundwork within the compromised network:

  • Lateral Movement: Tools like ScreenConnect facilitate movement within the network, allowing the threat actors to map out the environment and plan their attack.
  • Persistence: Utilizing NetSupport Manager and sometimes SSH tunnels via OpenSSH, the attackers maintain their hold on the network.
  • Ransomware Deployment: Finally, using tools like PsExec, Black Basta ransomware is spread across the network, encrypting data and demanding ransom.

To counteract the misuse of Quick Assist and the subsequent risk of ransomware, Microsoft and cybersecurity experts recommend several strategies:

  1. Educational Programs: Teaching employees how to recognize and respond to social engineering attacks is crucial. This includes scrutinizing the legitimacy of unexpected tech support calls and verifying identities before granting access.
  2. Tool Restrictions: For organizations that do not require remote assistance tools like Quick Assist, disabling or uninstalling these applications can reduce vulnerability.
  3. Enhanced Monitoring: Deploying advanced monitoring solutions like Microsoft Defender for Endpoint can help detect unusual activities stemming from Quick Assist sessions.
  4. Security Updates: Keeping systems updated with the latest security patches and encouraging the use of strong, unique passwords for all accounts.