Microsoft warns that hackers are exploiting Quick Assist in Black Basta ransomware attacks
In a recent report, Microsoft has linked the Black Basta ransomware group to activities that exploit Microsoft Quick Assist, a remote-assistance tool, as an initial access vector. The hackers have been using social engineering techniques, such as voice phishing (vishing) and impersonating IT support personnel, to trick users into granting access to their computer systems.
Once they gain access, the hackers use Quick Assist to download ZIP or batch files containing malicious payloads, including remote-management tools or malware. In some cases, they have also deployed malware like Cobalt Strike or Qakbot before launching the Black Basta ransomware.
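A detection check for the chain described above, added here as an example rather than anything from Microsoft's report: it correlates a Quick Assist launch with batch-file or temp-directory executions that follow it on the same host and user. The pipe-separated event format and the sample events are constructed for the example.

```python
"""Flag script or temp-directory executables launched shortly after Quick Assist
starts for the same host and user (example detection logic, constructed data)."""
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry):
# timestamp | host | user | image path | command line
EVENTS = r"""
2024-05-13T09:58:10|WS01|alice|C:\Windows\System32\QuickAssist.exe|QuickAssist.exe
2024-05-13T10:02:41|WS01|alice|C:\Program Files\Mozilla Firefox\firefox.exe|firefox.exe
2024-05-13T10:04:03|WS01|alice|C:\Windows\System32\cmd.exe|cmd /c C:\Users\alice\Downloads\helper.bat
2024-05-13T10:05:20|WS01|alice|C:\Users\alice\AppData\Local\Temp\sc.exe|sc.exe /silent
2024-05-13T11:30:00|WS02|bob|C:\Windows\System32\cmd.exe|cmd /c dir
2024-05-13T14:00:00|WS01|alice|C:\Windows\System32\cmd.exe|cmd /c C:\Users\alice\Downloads\late.bat
"""

WINDOW = timedelta(minutes=60)  # how long after Quick Assist starts we keep watching
SCRIPT_EXT = re.compile(r"\.(bat|cmd|ps1|vbs|js)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp|Temp|Public)\\", re.IGNORECASE)

def parse(raw):
    """Turn the constructed log text into time-sorted event dicts."""
    events = []
    for line in raw.strip().splitlines():
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image, "cmdline": cmdline})
    return sorted(events, key=lambda e: e["ts"])

def suspicious(ev):
    """Batch/script files on the command line, or binaries run from user-writable paths."""
    return bool(SCRIPT_EXT.search(ev["cmdline"]) or USER_WRITABLE.search(ev["image"]))

def correlate(events, window=WINDOW):
    """Return (quick_assist_start, follow-on event) pairs within the window."""
    last_qa = {}  # (host, user) -> timestamp of the most recent Quick Assist launch
    alerts = []
    for ev in events:
        key = (ev["host"], ev["user"])
        if ev["image"].lower().endswith("\\quickassist.exe"):
            last_qa[key] = ev["ts"]
            continue
        start = last_qa.get(key)
        if start is not None and ev["ts"] - start <= window and suspicious(ev):
            alerts.append((start, ev))
    return alerts

def alerts_for(raw=EVENTS):
    return correlate(parse(raw))

if __name__ == "__main__":
    for start, ev in alerts_for():
        print(f"{ev['host']}/{ev['user']}: Quick Assist at {start:%H:%M}, "
              f"then '{ev['cmdline']}' at {ev['ts']:%H:%M}")
```

The late.bat run four hours after the session is outside the window, so it is not reported; tune the window and path patterns to the environment's normal Quick Assist usage.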
The attacks have been observed in corporate environments, although the extent of their impact on critical infrastructure and healthcare sectors is not explicitly detailed in public intelligence. However, the tactics employed, such as careful targeting, social engineering through trusted corporate communication platforms, and deployment of sophisticated modular malware chains, are consistent with methods used to infiltrate high-value enterprise networks, including those in critical infrastructure and healthcare.
The disclosure of these attacks came less than a week after the FBI and Cybersecurity and Infrastructure Security Agency warned about Black Basta ransomware being deployed in hundreds of attacks against critical infrastructure and healthcare worldwide.
It's important to note that the Microsoft report does not provide specific details about the exploited vulnerabilities in VMware ESXi, and it does not mention the deployment of Qakbot in these specific cases. However, Trend Micro researchers have observed Black Basta affiliates exploiting a critical flaw in ScreenConnect, specifically an authentication bypass vulnerability listed as CVE-2024-1709.
Rapid7 researchers have also noted similar activities but have not seen the deployment of Qakbot in these specific cases.
Given the potential severity of ransomware attacks in critical infrastructure and healthcare, it's crucial for stakeholders to understand the risk calculus of their technology stacks. The question on many minds is: Are we a target?
To mitigate this threat, continued vigilance, employee training on social engineering, and tightening remote access controls are essential. Organizations in critical infrastructure and healthcare should prioritize these measures to protect their networks from these sophisticated attacks.
- The cybersecurity community should be alert to the Black Basta ransomware group's use of voice phishing (vishing) and other social engineering techniques, which it uses to exploit Microsoft Quick Assist for initial access before downloading malware such as Cobalt Strike or Qakbot.
- Organizations in critical infrastructure and healthcare should prioritize employee training on social engineering, tighten remote access controls, and maintain vigilance to protect their networks from such sophisticated attacks.
- Microsoft's report adds to ongoing concerns about Black Basta ransomware activity: the FBI and CISA have warned about hundreds of attacks targeting critical infrastructure and healthcare worldwide.
- Reports from Microsoft Threat Intelligence Centre, Trend Micro, and Rapid7 show Black Basta affiliates also exploiting vulnerabilities in various technologies, such as the authentication bypass in ScreenConnect (CVE-2024-1709).
- These incidents, combining ransomware, malware, and social engineering, underscore the importance of incident response plans, especially when critical infrastructure and healthcare are involved.