Storm-1811, a financially motivated threat actor that relies on social engineering, has recently been observed abusing remote monitoring and management (RMM) tools to distribute the Black Basta ransomware.
The actor abuses Microsoft Quick Assist, a client management tool, to gain remote access and ultimately deliver Black Basta ransomware as the final payload across the network.
Quick Assist is an application that lets one user remotely connect to another person's Windows or macOS device.
The connecting user can view the device's display, make annotations, or take full control of it, usually for troubleshooting purposes.
How Storm-1811 Works
Red Canary reports that the recently detected activity began with email bombing, flooding a victim's inbox with spam.
The adversary then posed as an IT administrator and offered to help with the email problem, either by phoning the user or by sending a link to join a Microsoft Teams call.
Once in contact, the adversary instructed the user to download and run AnyDesk or TeamViewer, or to launch Microsoft Quick Assist, in order to grant remote access. The intrusion then proceeded to reconnaissance, lateral movement, and the creation of an SSH tunnel as a backdoor.
Black Basta, first observed in April 2022, operates as a ransomware-as-a-service (RaaS) variant. Its affiliates have impacted critical infrastructure and a range of industries in Australia, Europe, and North America.
According to CISA's recent advisory, Black Basta affiliates had impacted more than 500 organizations worldwide as of May 2024.
Black Basta affiliates use a double-extortion model, encrypting systems and exfiltrating data after gaining initial access through common techniques such as phishing and exploitation of known vulnerabilities.
Mitigations
- Deploy detection and response sensors across all systems.
- Unmonitored endpoints are an attacker's playground; visibility restricts the adversary's freedom of movement.
- Maintain an inventory of permitted tools, and block or restrict unauthorized RMM tools.
- Legitimate tools can be abused, so know what normal activity looks like in your environment.
- To secure Microsoft Teams, block external access by default, allow only trusted partner domains, and limit file-sharing capabilities so that unauthorized tools cannot be delivered through Teams.
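The attack chain above (email bombing followed by a remote-access tool launch) and the RMM allowlisting mitigation suggest a simple correlation check. The following is an added detection sketch, not code from the report or from Red Canary; the executable names, the approved-tool list, the thresholds and the sample telemetry are all constructed assumptions to adapt to your own estate.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Executable names of the tools named in the report (constructed list; adjust to your estate).
RMM_BINARIES = {"quickassist.exe", "anydesk.exe", "teamviewer.exe"}
APPROVED_RMM = {"teamviewer.exe"}  # assumption: the one tool this organization sanctions

def email_bursts(mail_events, threshold=50, window=timedelta(minutes=10)):
    """Sliding window over inbound mail (iso_time, user): {user: [times a burst was in progress]}."""
    by_user = defaultdict(list)
    for ts, user in mail_events:
        by_user[user].append(datetime.fromisoformat(ts))
    bursts = defaultdict(list)
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:   # >= threshold mails inside the window
                bursts[user].append(t)
    return bursts

def flag_rmm_launches(mail_events, proc_events, lookback=timedelta(hours=1)):
    """Process-creation events are (iso_time, user, image_path). Returns a list of alerts."""
    bursts = email_bursts(mail_events)
    alerts = []
    for ts, user, image in proc_events:
        exe = PureWindowsPath(image).name.lower()
        if exe not in RMM_BINARIES:
            continue
        t = datetime.fromisoformat(ts)
        bombed = any(t - lookback <= b <= t for b in bursts.get(user, []))
        if bombed:   # any RMM tool, approved or not, right after an email bomb is suspicious
            alerts.append({"user": user, "exe": exe, "reason": "email_burst_then_rmm"})
        elif exe not in APPROVED_RMM:   # otherwise only unsanctioned tools are flagged
            alerts.append({"user": user, "exe": exe, "reason": "unapproved_rmm"})
    return alerts

# Constructed sample telemetry: alice receives 60 mails in five minutes and then launches
# Quick Assist; bob runs AnyDesk with no burst; carol runs the approved tool with no burst.
SAMPLE_MAIL = [(f"2024-05-15T09:{i // 12:02d}:{(i % 12) * 5:02d}", "alice") for i in range(60)]
SAMPLE_PROCS = [
    ("2024-05-15T09:40:00", "alice", r"C:\Windows\System32\quickassist.exe"),
    ("2024-05-15T10:05:00", "bob", r"C:\Users\bob\Downloads\AnyDesk.exe"),
    ("2024-05-15T10:10:00", "carol", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
]
```

Running `flag_rmm_launches(SAMPLE_MAIL, SAMPLE_PROCS)` yields two alerts, for alice (burst followed by Quick Assist) and bob (unapproved AnyDesk), and none for carol.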