A recent wave of cyberattacks has seen financially motivated criminals leveraging Windows Quick Assist, a built-in remote control and screen-sharing tool, to deploy Black Basta ransomware on victim networks. Microsoft has investigated these attacks since mid-April 2024, identifying the threat group behind them as Storm-1811.
The attacks typically begin with email bombing, where the target’s inbox is flooded with spam emails. This overload is followed by a phone call from the attackers, who impersonate Microsoft technical support or the victim’s IT help desk. They offer to help resolve the spam issue, tricking victims into granting remote access via Quick Assist.
Once access is granted, the attackers execute a scripted command to download malicious files, including Qakbot malware, remote monitoring tools like ScreenConnect and NetSupport Manager, and the Cobalt Strike framework. These tools enable the attackers to perform domain enumeration and move laterally across the network. Eventually, they deploy Black Basta ransomware using PsExec, a telnet-replacement tool.
Rapid7, a cybersecurity company that also detected these attacks, noted that attackers use batch scripts to harvest credentials from the command line using PowerShell. These credentials are often exfiltrated to the attackers’ server via Secure Copy (SCP). In some cases, credentials are saved to an archive for later retrieval.
To mitigate these attacks, Microsoft advises organisations to disable or uninstall Quick Assist and similar remote tools if they are not used. Employees shou
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.