Introduction: As of November 2023, Black Basta has collected at least $100 million in ransom from more than 90 victims.
Cybercriminals abused the Windows Quick Assist feature in a social engineering attack to deploy the Black Basta ransomware payload on victims’ networks.
Microsoft has been investigating this activity since at least mid-April 2024, when they observed that the threat group (tracked as Storm-1811) began its attacks by bombarding targets with emails after subscribing their addresses to various email subscription services.
Once their mailboxes are flooded with unsolicited messages, the threat actors call them posing as Microsoft support agents or IT or help desk staff at the attacked company to help fix the spam problem.
In this voice phishing attack, attackers trick victims into granting access to their Windows devices by launching the Quick Assist built-in remote control and screen sharing tool.
“Once the user allows access and control, the threat actor runs scripted cURL commands to download a series of batch files or ZIP files used to deliver the malicious payload,” Microsoft said. In some cases, Microsoft Threat Intelligence has found that this type of activity has resulted in the download of RMM tools such as Qakbot, ScreenConnect and NetSupport Manager, as well as Cobalt Strike.
After installing the malicious tools and ending the call, Storm-1811 performs domain enumeration, moves laterally within the victim network, and deploys the Black Basta ransomware using the Windows PsExec telnet replacement tool.
Quick Assist screen sharing tips
Cybersecurity firm Rapid7, which also discovered the attacks, said the bad guys will use “batch scripts that use PowerShell to harvest the victim’s credentials from the command line.” The credentials are harvested under the false context of an ‘update’ that requires the user to log in. In most of the observed batch script variants, the credentials are immediately exfiltrated to the threat actor’s server via the secure copy command (SCP).
To thwart these attacks, Microsoft recommends that network defenders block or uninstall Quick Assist and similar remote monitoring and management tools when they’re not in use, and train employees to recognize tech support scams.
The goal of these attacks should only allow others to connect to their devices if they are in contact with their IT support staff or Microsoft Support, and immediately disconnect any Quick Assist sessions if malicious intent is suspected.
Black Basta ransomware operations
The Conti cybercrime group was shut down two years ago following a series of data breaches and has since split into multiple factions, one of which is Black Basta.
Black Basta surfaced as a ransomware-as-a-service (RaaS) in April 2022. Since then, its affiliates have hacked into a number of high-profile victims, including German defense contractor Rheinmetall, British technology outsourcing company Capita, Hyundai Motor’s European division, the Toronto Public Library, the American Dental Association, industrial automation company and government contractor ABB, Sobeys, Knauf, and Canada Yellow Pages.
Most recently, Black Basta was linked to a ransomware attack on US healthcare giant Ascension, forcing it to divert ambulances to unaffected facilities.
As revealed by CISA and the FBI in a joint advisory, the Black Basta ransomware affiliate compromised more than 500 organizations between April 2022 and May 2024, encrypting and stealing data from at least 12 of 16 critical infrastructure sectors.
Health-ISAC (Information Sharing and Analysis Center) also stated in the announcement that ransomware gangs “have recently accelerated their attacks against the healthcare industry.”
According to research by cybersecurity firm Elliptic and cyber insurer Corvus Insurance, as of November 2023, Black Basta had collected at least $100 million in ransoms from more than 90 victims.
Article translated from: https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-in-black-basta-ransomware-attacks/ If reproduced, please indicate the original address