Financially motivated cybercriminals abuse the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware payloads on victims' networks.
Microsoft has been investigating this campaign since at least mid-April 2024. According to its observations, the threat group, tracked as Storm-1811, starts its attacks by email bombing the target after subscribing the target's address to numerous email subscription services.
Once the target's mailbox floods with unsolicited messages, the threat actors call the target while impersonating Microsoft technical support or the attacked company's IT or help desk staff, offering to help fix the spam problem.
During this voice phishing attack, the attackers trick the victims into granting them access to their Windows devices by launching the Quick Assist built-in remote control and screen-sharing tool.
After installing their malicious tools and ending the phone call, Storm-1811 performs domain enumeration, moves laterally through the victim's network, and deploys Black Basta ransomware using PsExec, the Sysinternals remote execution tool.
To block these social engineering attacks, Microsoft advises network defenders to block or uninstall Quick Assist and similar remote monitoring and management tools if they're not used and to train employees to recognize tech support scams.
Those targeted should only allow someone to connect to their device if they themselves initiated contact with their IT support staff or Microsoft Support, and should immediately disconnect any Quick Assist session the moment they suspect malicious intent.
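The following PowerShell script is an added example, not code from the article or from Microsoft, showing how an administrator would audit a host for Quick Assist and remove it when the feature is not needed, as the advice above recommends. It assumes Quick Assist ships either as the Windows capability 'App.Support.QuickAssist*' (Windows 10 and older Windows 11 builds) or as the Store package 'MicrosoftCorporationII.QuickAssist' (newer Windows 11 builds); confirm both names against your own builds before rolling this out.

```powershell
# Added example (not from the article or from Microsoft): audit and, with -Remove,
# uninstall Quick Assist on a Windows 10/11 host. Run from an elevated session.
# Assumed identifiers: capability 'App.Support.QuickAssist*' and Store package
# 'MicrosoftCorporationII.QuickAssist'. Verify them on your builds first.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove   # without -Remove the script only reports the current state
)

function Get-QuickAssistState {
    # Feature-on-demand form of Quick Assist
    $cap  = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' -ErrorAction SilentlyContinue
    # Microsoft Store app form of Quick Assist (any user profile on the machine)
    $appx = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CapabilityName  = $cap.Name
        CapabilityState = $cap.State
        AppxInstalled   = [bool]$appx
        AppxVersion     = $appx.Version
    }
}

Write-Host 'Quick Assist state before:'
Get-QuickAssistState | Format-List

if (-not $Remove) { return }

# Remove the capability if it is present
Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
    Where-Object State -eq 'Installed' |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $_.Name | Out-Null
        }
    }

# Remove the Store app from every existing user profile
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PackageFullName, 'Remove-AppxPackage')) {
            Remove-AppxPackage -AllUsers -Package $_.PackageFullName
        }
    }

# Deprovision it so new user profiles do not get it back
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PackageName, 'Remove-AppxProvisionedPackage')) {
            Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
        }
    }

Write-Host 'Quick Assist state after:'
Get-QuickAssistState | Format-List
```

Run it once without arguments to see what is installed, then with -Remove -WhatIf to preview, and finally with -Remove. Removing the capability and the Store package only covers the built-in tool; other remote monitoring and management software the advice mentions needs its own inventory and removal steps.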
After the Conti cybercrime group shut down two years ago following a series of embarrassing data breaches, it broke up into multiple factions, one of which is believed to be Black Basta.
Black Basta surfaced as a Ransomware-as-a-Service operation in April 2022.
Its affiliates have breached many high-profile victims, including German defense contractor Rheinmetall, U.K. technology outsourcing company Capita, Hyundai's European division, the Toronto Public Library, the American Dental Association, industrial automation company and government contractor ABB, Sobeys, Knauf, and Yellow Pages Canada.
More recently, Black Basta was linked to a ransomware attack that hit U.S. healthcare giant Ascension, forcing it to divert ambulances to unaffected facilities.
According to research by cybersecurity company Elliptic and cyber insurance firm Corvus Insurance, Black Basta had collected at least $100 million in ransom payments from over 90 victims as of November 2023.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 15 May 2024 17:10:07 +0000