Windows Quick Assist abused in Black Basta ransomware attacks

Windows Quick Assist abused in Black Basta ransomware attacks

May 15, 2024 at 01:10PM

Financially-motivated cybercriminals are exploiting the Windows Quick Assist feature for social engineering attacks, deploying Black Basta ransomware on victims’ networks. Microsoft, Rapid7, and other security firms have observed the tactics of the threat group Storm-1811 and advise network defenders to block or uninstall Quick Assist and train employees to recognize tech support scams. Black Basta has been linked to a series of high-profile ransomware attacks, including breaches in the healthcare sector, with reported ransom payments totaling at least $100 million.

Key Takeaways from Meeting Notes:

– Financially motivated cybercriminals are exploiting the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware payloads on victims’ networks.
– Microsoft has actively been investigating this campaign since mid-April 2024, with the threat group identified as Storm-1811.
– The threat actors initiate attacks by email bombing the target, impersonating as Microsoft technical support or the company’s IT/help desk staff.
– During voice phishing attacks, the attackers trick victims into granting access to their Windows devices using Quick Assist remote control and screen-sharing tool.
– Following access, the threat actors run a scripted cURL command to download and deliver malicious payloads, including Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike.
– After installing malicious tools, the attackers perform domain enumeration, move laterally through the victim’s network, and deploy Black Basta ransomware using the Windows PsExec telnet-replacement tool.
– Cybersecurity company Rapid7 highlights that the malicious actors use a batch script to harvest victim credentials and exfiltrate them to the threat actor’s server.
– Microsoft advises network defenders to block or uninstall Quick Assist and similar tools if not used and train employees to recognize tech support scams.
– Black Basta, a Ransomware-as-a-Service (RaaS) operation believed to have emerged from the Conti cybercrime group, has breached high-profile victims and collected at least $100 million in ransom payments from over 90 victims until November 2023.
– Black Basta affiliates have breached 500+ organizations between April 2022 and May 2024, targeting at least 12 out of 16 critical infrastructure sectors and specifically accelerating attacks against the healthcare sector.

These takeaways outline the severity of the threat posed by the Black Basta ransomware operation and highlight the proactive measures and awareness needed to counter these social engineering attacks.

Full Article