Attackers have been abusing remote-assistance tools such as Quick Assist for social engineering attacks; the financially motivated cybercriminal group Storm-1811 has used this tactic in ransomware campaigns since mid-April 2024.

Description

By impersonating trusted entities such as Microsoft support or the organization's own IT staff [6], Storm-1811 uses voice phishing (vishing) to trick users into granting access to their Windows devices. The group first floods targets with unsolicited emails, then, once it has access to a victim's device, downloads malicious files that install Qakbot [7], RMM tools such as ScreenConnect and NetSupport Manager [7], and the Cobalt Strike toolkit [7]. It then performs domain enumeration and lateral movement inside the victim's network before deploying Black Basta ransomware via PsExec [7].

To mitigate such threats [3] [4] [8], Microsoft recommends educating users to recognize and report tech support scams [2] [6], and blocking or uninstalling remote management tools such as Quick Assist when they are not in use [6]. Microsoft Defender for Endpoint can detect malicious activity originating from Quick Assist sessions [7], and Microsoft Defender Antivirus can detect the associated malware components [7]. Organizations can further reduce their exposure by raising awareness and implementing the recommended mitigations [2] [6], investing in anti-phishing solutions [1] [7], enabling network protection [5] [7], and turning on tamper protection so that attackers cannot stop security services [7]. Also advised are advanced ransomware protection [7], privileged access management built on a zero-trust architecture [4], advanced employee training on spotting vishing and social engineering attacks [4], event monitoring, and advanced email security solutions.

Conclusion

Microsoft Threat Intelligence has uncovered a ransomware campaign by the cybercriminal group Storm-1811 [3], which uses Quick Assist to gain unauthorized access [3]. The attackers rely on vishing to obtain control of the device and then deploy malicious tools such as Qakbot and Cobalt Strike [3]. After moving laterally and establishing persistence within the network, they deploy Black Basta ransomware [3]. To mitigate this threat [3] [8] [9], Microsoft recommends measures such as a Quick Assist permission dialog that requires the user to explicitly allow screen sharing [3]. Microsoft is investigating the use of Quick Assist in these attacks and recommends investing in advanced anti-phishing solutions to detect and mitigate such activity [1]. To minimize the risk of these attacks [1], Microsoft recommends blocking or uninstalling Quick Assist and other remote management tools when they are not in use [1], and disconnecting immediately if suspicious activity is detected [1].
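The "block or uninstall Quick Assist when not in use" mitigation from both the Description and the Conclusion, as an added PowerShell example that is not from any of the cited reports or from Microsoft: it audits whether Quick Assist is present on a host (and whether it is currently running) and, with -Remove, uninstalls it. It assumes the legacy Windows capability name App.Support.QuickAssist~~~~0.0.1.0 and the Store package name MicrosoftCorporationII.QuickAssist, and an elevated PowerShell session.

```powershell
# Added example (not from the summarized reports): audit and, on request, remove
# Quick Assist from a Windows host so it is not available to a vishing caller.
# Assumptions: App.Support.QuickAssist~~~~0.0.1.0 (legacy in-box capability) and
# MicrosoftCorporationII.QuickAssist (Store package) are the identifiers on the
# target build; run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remove   # without -Remove the script only reports
)

$capabilityName = 'App.Support.QuickAssist~~~~0.0.1.0'
$storePackage   = 'MicrosoftCorporationII.QuickAssist'

# 1. Legacy Quick Assist shipped as an optional Windows capability.
$cap = Get-WindowsCapability -Online -Name $capabilityName
Write-Host "Capability $($cap.Name): $($cap.State)"

# 2. Current Quick Assist is a Store (Appx) package; check every user profile.
$pkgs = @(Get-AppxPackage -AllUsers -Name $storePackage)
if ($pkgs.Count -gt 0) { Write-Host "Store package installed for $($pkgs.Count) user(s)" }
else                   { Write-Host "Store package not installed" }

# 3. A running QuickAssist.exe on a host that should not be sharing its screen
#    deserves a closer look: confirm who requested the session.
$proc = Get-Process -Name 'QuickAssist' -ErrorAction SilentlyContinue
if ($proc) {
    Write-Warning "QuickAssist.exe is running (PID $($proc.Id -join ', ')); verify the session is legitimate"
}

if ($Remove) {
    if ($cap.State -eq 'Installed') {
        Remove-WindowsCapability -Online -Name $capabilityName | Out-Null
        Write-Host "Removed capability $capabilityName"
    }
    foreach ($p in $pkgs) {
        Remove-AppxPackage -Package $p.PackageFullName -AllUsers
        Write-Host "Removed $($p.PackageFullName)"
    }
    # Also remove the provisioned copy so new user profiles do not get it back.
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq $storePackage |
        ForEach-Object {
            Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
            Write-Host "Removed provisioned package $($_.PackageName)"
        }
}
```

Run it without -Remove first to see what is installed, then with -Remove on hosts where Quick Assist has no legitimate use; Windows Update or the Store can reinstall the package, so re-run the audit periodically.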

References

[1] https://www.devdiscourse.com/article/technology/2939945-cybercriminals-misusing-quick-assist-to-perform-social-engineering-attacks
[2] https://ciso2ciso.com/windows-quick-assist-exploited-in-ransomware-attacks-source-www-infosecurity-magazine-com/
[3] https://securityonline.info/storm-1811-exploits-quick-assist-for-social-engineering-paving-way-for-black-basta-ransomware/
[4] https://www.darkreading.com/threat-intelligence/windows-quick-assist-anchors-black-basta-ransomware
[5] https://cybersecuritynews.com/hackers-exploiting-quick-assist-ransomware/
[6] https://www.infosecurity-magazine.com/news/windows-quick-assist-exploited/
[7] https://winbuzzer.com/2024/05/16/storm-1811-abuses-windows-quick-assist-in-sophisticated-ransomware-attacks-xcxwbn/
[8] https://dailywrap.uk/storm-1811-scammers-exploit-quick-assist-in-windows-11-ransomware-spree,7028187781318785a
[9] https://cybermaterial.com/storm-1811s-quick-assist-cyber-attacks/