Storm-1811: Leveraging Quick Assist for Social Engineering Attacks

Introduction

The Microsoft Threat Intelligence team has identified a new cyber threat from a financially motivated group known as Storm-1811. This group exploits Microsoft's Quick Assist tool to carry out sophisticated social engineering attacks. This article delves into the tactics, techniques, and procedures (TTPs) employed by Storm-1811 and offers recommendations for mitigating these threats.

Storm-1811 and Quick Assist: An Overview

Storm-1811, notorious for deploying Black Basta ransomware, has been observed using Quick Assist, a legitimate Microsoft client management tool, to target users. According to Microsoft's report published on May 15, 2024, the attack chain involves impersonation through voice phishing to trick victims into installing remote monitoring and management (RMM) tools, followed by the delivery of QakBot, Cobalt Strike, and ultimately Black Basta ransomware.

Attack Chain Analysis

Initial Access and Impersonation

The initial phase of the attack involves impersonation. Threat actors misuse Quick Assist by pretending to be trusted contacts, such as Microsoft technical support or an IT professional from the victim's company. This approach allows them to gain initial access to the target device.

Installation of RMM Tools

Once trust is established, the attackers guide the victim to install RMM tools. This step is crucial because it sets the stage for delivering malicious payloads.

Delivery of Malicious Payloads

After gaining control through Quick Assist, the threat actors execute a scripted cURL command to download batch files or ZIP files containing malicious payloads. This delivery often includes QakBot and Cobalt Strike, which pave the way for deploying Black Basta ransomware.

Link Listing and Email Bombing

To add legitimacy to their attacks, Storm-1811 employs link listing attacks. This technique involves signing up the victim's email address for numerous legitimate subscription services, flooding their inbox with subscribed content. The attackers then pose as the company's IT support team, offering to help remediate the spam issue and requesting access via Quick Assist.

Hands-On-Keyboard Activities

With access granted, Storm-1811 conducts further malicious activities such as domain enumeration and lateral movement within the network. They utilize PsExec to deploy Black Basta ransomware across the network, maximizing the impact of their attack.

Microsoft's Response and Recommendations

Incorporating Warning Messages

Microsoft is actively working to counteract these attacks by incorporating warning messages in Quick Assist. These messages aim to alert users to potential tech support scams, thereby reducing the likelihood of successful social engineering attacks.

Organizational Recommendations

To mitigate these threats, organizations are advised to:

  • Block or uninstall Quick Assist and similar RMM tools if they are not in use.
  • Train employees to recognize and respond to tech support scams.
  • Focus on attack stages prior to ransomware deployment to reduce the overall threat.
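The first recommendation can be checked and enforced from an elevated PowerShell session. The script below is an added example, not part of the article or of Microsoft's report; it assumes the Windows-capability name App.Support.QuickAssist~~~~0.0.1.0 for the legacy build of Quick Assist and the Store package name MicrosoftCorporationII.QuickAssist for the current build, audits both, and removes them only when -Remove is passed.

```powershell
# Added example: inventory Quick Assist on a Windows endpoint and, optionally,
# remove it where the tool is not in use. Run from an elevated session.
# Assumed identifiers: the capability name and the Store package name below.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove   # audit only unless -Remove is supplied
)

$capName  = 'App.Support.QuickAssist~~~~0.0.1.0'   # legacy optional-feature form
$appxName = 'MicrosoftCorporationII.QuickAssist'   # Microsoft Store form

# 1. Legacy Quick Assist, shipped as an optional Windows capability
$cap = Get-WindowsCapability -Online -Name $capName -ErrorAction SilentlyContinue
if ($cap -and $cap.State -eq 'Installed') {
    Write-Output "Quick Assist capability present: $($cap.Name) [$($cap.State)]"
    if ($Remove -and $PSCmdlet.ShouldProcess($capName, 'Remove-WindowsCapability')) {
        Remove-WindowsCapability -Online -Name $capName | Out-Null
        Write-Output 'Capability removed.'
    }
} else {
    Write-Output 'Quick Assist capability not installed.'
}

# 2. Store Quick Assist, which may be provisioned per user profile
$pkgs = Get-AppxPackage -AllUsers -Name $appxName -ErrorAction SilentlyContinue
if ($pkgs) {
    foreach ($p in $pkgs) {
        Write-Output "Quick Assist Store package present: $($p.PackageFullName)"
        if ($Remove -and $PSCmdlet.ShouldProcess($p.PackageFullName, 'Remove-AppxPackage')) {
            Remove-AppxPackage -AllUsers -Package $p.PackageFullName
            Write-Output 'Store package removed.'
        }
    }
} else {
    Write-Output 'Quick Assist Store package not installed.'
}
```

Because the script declares SupportsShouldProcess, running it with -Remove -WhatIf lists what would be uninstalled without changing the endpoint, which is useful for a first pass across a fleet.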

Conclusion

The sophisticated tactics employed by Storm-1811 highlight the evolving nature of cyber threats. By leveraging legitimate tools like Quick Assist, threat actors can execute complex social engineering attacks with significant impact. Organizations must stay vigilant, implementing robust security measures and educating their workforce to recognize potential threats. As cybercriminals continue to adapt, so must our defenses, ensuring a proactive stance against such malicious activities.
