Dive Brief:
- Microsoft researchers warn that a financially motivated hacker has misused the company’s Quick Assist client management tool since mid-April in social-engineering attacks that ultimately lead to the deployment of Black Basta ransomware, according to a blog post released Wednesday. Quick Assist lets a user share their Windows or macOS device with another person over a remote connection.
- The attacks begin with voice phishing, also known as vishing, and lead to the malicious use of remote-monitoring tools such as ScreenConnect or NetSupport Manager, according to Microsoft. The hackers also deploy malware, including Cobalt Strike or Qakbot, before launching the Black Basta ransomware.
- The disclosure came less than a week after the FBI and Cybersecurity and Infrastructure Security Agency warned about Black Basta ransomware being deployed in hundreds of attacks against critical infrastructure and healthcare worldwide.
Dive Insight:
Threat groups use vishing as a social-engineering technique to trick users into granting access to their computer systems. In some cases, hackers impersonate IT or help desk personnel; in others, a threat actor first uses an email-bombing attack to flood a user’s inbox with spam, then requests access to that user’s system under the pretense of fixing the problem.
After the hackers are given permission to access the system, they use Quick Assist to access the device and then download ZIP or batch files to deliver malicious payloads, including remote-management tools or malware.
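As an added defender-side example (not code from Microsoft’s blog post or from this article), the following Python flags process-creation records in which a remote-assistance client such as Quick Assist spawns a script host that runs a batch file or unpacks an archive, the hand-off step described above. The pipe-delimited log format, the sample records and the remote-tool image names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Image names for the remote-assistance tools named in the article (Quick Assist,
# ScreenConnect, NetSupport); assumed for this example, verify against your own inventory.
REMOTE_ASSIST_PARENTS = {"quickassist.exe", "screenconnect.clientservice.exe", "client32.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Hand-off indicators: a batch file being executed or an archive being unpacked.
PAYLOAD_HINTS = re.compile(r"\.(bat|cmd|zip)\b|expand-archive", re.IGNORECASE)

@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str   # parent process image name
    image: str    # child process image name
    cmdline: str

def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one pipe-delimited process-creation record (constructed format)."""
    parts = [p.strip() for p in line.split("|")]
    return ProcEvent(*parts) if len(parts) == 5 else None

def is_remote_assist_handoff(ev: ProcEvent) -> bool:
    """A remote-assistance client spawned a script host that runs a batch file
    or unpacks an archive: the payload delivery step described in the article."""
    return (ev.parent.lower() in REMOTE_ASSIST_PARENTS
            and ev.image.lower() in SCRIPT_HOSTS
            and PAYLOAD_HINTS.search(ev.cmdline) is not None)

def detect(lines: List[str]) -> List[str]:
    """Return one alert string per matching record; benign records are ignored."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev and is_remote_assist_handoff(ev):
            alerts.append(f"{ev.ts} {ev.host}: {ev.parent} -> {ev.image} {ev.cmdline}")
    return alerts

# Constructed sample records: ts|host|parent_image|image|command_line
SAMPLE_LOG = [
    "2024-05-15T10:02:11Z|WS-0417|explorer.exe|QuickAssist.exe|QuickAssist.exe",
    "2024-05-15T10:09:40Z|WS-0417|QuickAssist.exe|cmd.exe|cmd.exe /c C:\\Users\\jdoe\\Downloads\\update.bat",
    "2024-05-15T10:10:02Z|WS-0417|QuickAssist.exe|powershell.exe|powershell Expand-Archive C:\\Users\\jdoe\\Downloads\\tools.zip -DestinationPath C:\\ProgramData",
    "2024-05-15T10:11:00Z|WS-0417|explorer.exe|cmd.exe|cmd.exe /c C:\\Scripts\\backup.bat",
    "2024-05-15T10:12:30Z|WS-0417|QuickAssist.exe|cmd.exe|cmd.exe /c ipconfig /all",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

Only the two records where Quick Assist is the parent and the command line names a batch file or an archive are raised; a batch file launched from Explorer and a diagnostic command run under Quick Assist are left alone.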
Remote-access tools were the leading intrusion point for ransomware attacks in 2023, according to researchers at At-Bay.
ScreenConnect, a remote access and support tool from ConnectWise, allows a threat actor to gain persistence and move laterally, while NetSupport Manager can maintain control over compromised systems, according to the blog.
Trend Micro researchers previously observed Black Basta affiliates exploiting critical flaws in ScreenConnect, including an authentication bypass vulnerability, listed as CVE-2024-1709, before deploying Cobalt Strike.
Robert Knapp, senior manager, incident response services at Rapid7, said the Microsoft report notes similar activity to what Rapid7 researchers observed, but goes one step further to link the activity to a specific threat actor. However, Rapid7 has not seen the deployment of Qakbot in these specific cases.
Black Basta affiliates have often used Qakbot to gain access before deploying the ransomware, according to Microsoft.
Black Basta has also exploited vulnerabilities in VMware ESXi running on enterprise servers, according to Jon Miller, co-founder and CEO of Halcyon.