
The Isogent Security Insights team has recently become aware of a concerning trend in cybersecurity that warrants attention. While we did not identify the vulnerability ourselves, it is important to inform our audience of its existence and its potential impact on their security posture. The trend involves the misuse of Microsoft’s Quick Assist tool by a threat actor tracked as Storm-1811. Storm-1811, known for deploying Black Basta ransomware, has been observed leveraging Quick Assist in social engineering attacks against unsuspecting users.

In these attacks, threat actors impersonate trusted entities such as Microsoft technical support or IT professionals from the target user’s company to gain initial access to the victim’s device. Once access is granted, the adversaries proceed to execute a series of malicious activities, including the deployment of remote monitoring and management (RMM) tools, followed by the delivery of QakBot, Cobalt Strike, and ultimately Black Basta ransomware.

To make their attacks more convincing, threat actors engage in link listing attacks, flooding victims’ inboxes with subscribed content to create a sense of urgency and legitimacy. Subsequently, they contact the target users, posing as IT support personnel, and persuade them to grant access to their devices through Quick Assist under the guise of assisting with spam remediation.

Once access is obtained, the threat actors execute scripted commands to download and deploy malicious payloads, facilitating further intrusion activities such as domain enumeration and lateral movement. Ultimately, Black Basta ransomware is deployed throughout the network, leading to significant disruptions and financial losses for affected organizations.

Isogent advises organizations to remain vigilant and take proactive measures to mitigate the risk of falling victim to such attacks. This includes blocking or uninstalling Quick Assist and similar remote monitoring tools when not in use, as well as providing comprehensive training to employees to recognize and report potential tech support scams.
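The "block or uninstall Quick Assist" mitigation above, as an added PowerShell example that is not part of the Isogent post. It assumes an elevated session and that Quick Assist is present either as the Windows capability `App.Support.QuickAssist~~~~0.0.1.0` or as the Store package `MicrosoftCorporationII.QuickAssist` (both matched by wildcard); the process name `QuickAssist` is also an assumption.

```powershell
# Added example (not from the Isogent post): audit a Windows host for Quick Assist
# and, only when -Remove is given, uninstall it. Run from an elevated prompt.
# Assumed names: capability "App.Support.QuickAssist~~~~0.0.1.0", Store package
# "MicrosoftCorporationII.QuickAssist", process "QuickAssist".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # audit only unless -Remove is supplied
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Inbox form: a Windows capability (Features on Demand).
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
    ForEach-Object {
        $findings.Add("Capability installed: $($_.Name)")
        if ($Remove -and $PSCmdlet.ShouldProcess($_.Name, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $_.Name | Out-Null
        }
    }

# 2. Store form: an Appx package, installed per user and possibly provisioned
#    so that it reappears for every new user profile.
Get-AppxPackage -AllUsers -Name '*QuickAssist*' | ForEach-Object {
    $findings.Add("Appx package installed: $($_.PackageFullName)")
    if ($Remove -and $PSCmdlet.ShouldProcess($_.PackageFullName, 'Remove-AppxPackage')) {
        Remove-AppxPackage -AllUsers -Package $_.PackageFullName
    }
}
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -like '*QuickAssist*' |
    ForEach-Object {
        $findings.Add("Appx package provisioned: $($_.DisplayName)")
        if ($Remove -and $PSCmdlet.ShouldProcess($_.DisplayName, 'Remove-AppxProvisionedPackage')) {
            Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
        }
    }

# 3. A running Quick Assist session is worth knowing about before removal, and
#    is a simple signal on hosts where the tool is not expected to be in use.
Get-Process -Name 'QuickAssist' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Quick Assist process running: PID $($_.Id)")
}

if ($findings.Count -eq 0) { 'Quick Assist not found on this host.' } else { $findings }
```

Run without switches to audit, with `-Remove -WhatIf` to preview, and with `-Remove` to uninstall; removal does not stop an active session, so handle any running process reported in step 3 first.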

By staying informed and implementing robust security practices, organizations can effectively defend against evolving cyber threats and safeguard their critical assets from exploitation.
