Black Basta Ransomware Group Affiliates Leveraging Windows Quick Assist for Initial Access
Since April 2024, Arctic Wolf has been tracking an ongoing campaign by Black Basta ransomware group affiliates leveraging Microsoft's Windows Quick Assist for initial access. The Black Basta affiliates have been conducting vishing (voice phishing) attacks by impersonating IT or help desk personnel, claiming they need to fix an issue on the victim's device. In other instances, the threat actors use an email bomb attack to flood the victim's mailbox with emails from subscription services. They then call the victim, impersonating IT support, and offer assistance in resolving the issue. In both scenarios, the threat actors persuade the victim to grant access through Quick Assist by entering a security code and granting permission to control their device.
Once given remote access, the threat actors execute scripts with cURL commands to download batch or ZIP files, delivering malicious payloads such as Qakbot, ScreenConnect, NetSupport Manager, and Cobalt Strike. Establishing persistence with these tools, the threat actors proceed with the attack chain, including domain enumeration, lateral movement, and using PsExec to deploy Black Basta ransomware throughout the environment.
Additional Initial Access Tactic: Microsoft Teams
On June 12, 2024, Microsoft revealed that in late May, Black Basta affiliates were observed using Microsoft Teams to reach target users. The threat actors used Teams to send messages and make calls, pretending to be IT or help desk staff. This tactic results in the misuse of Windows Quick Assist, credential theft through EvilProxy, execution of batch scripts, and deployment of SystemBC for maintaining persistence and controlling compromised systems. Given Microsoft Teams’ widespread adoption in enterprise systems globally, this new attack vector observed in this campaign poses a significant risk to organizations.
Detections for Campaign TTPs
Arctic Wolf has multiple detections in place that identify many of the Tactics, Techniques, and Procedures (TTPs) currently utilized in this campaign by the threat actors. These include detections for email bombing, remote access software, and tools for ingress.
Additionally, Arctic Wolf has agent-based detections in place for relevant tooling across several other TTPs including credential access, discovery, and reconnaissance that have been observed to be associated with Black Basta connected activity in the past.
Customers can expect tickets from the Arctic Wolf SOC for any malicious activity detected surrounding the campaign TTPs.
Recommendations
Recommendation #1: Uninstall Windows Quick Assist and/or Other RMM Tools if Not Utilized in Your Environment
If your organization does not use Windows Quick Assist or any other remote support tools, Arctic Wolf strongly recommends disabling or uninstalling them. This prevents external threat actors from abusing these tools to gain unauthorized access to your devices.
- Disabling Windows Quick Assist
  - To disable Windows Quick Assist, block traffic to the https://remoteassistance.support.services.microsoft.com endpoint. This is the primary endpoint used by Quick Assist to establish a session; once it is blocked, Quick Assist can't be used to get help or to help someone.
- Uninstalling Quick Assist
  - Uninstall via PowerShell – run the following command as Administrator:
    Get-AppxPackage -Name MicrosoftCorporationII.QuickAssist | Remove-AppxPackage -AllUsers
  - Uninstall via Windows Settings – navigate to Settings > Apps > Installed apps > Quick Assist > select the ellipsis (…), then select Uninstall.
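The following script is an added example (not Arctic Wolf's or Microsoft's code) that carries the uninstall step above through for every user profile, removes the provisioned copy so the app is not re-installed for new profiles, and then checks whether the session endpoint named above is still reachable from the host. It assumes an elevated PowerShell session on Windows 10/11 with the Appx and DISM modules available.

```powershell
# Added example, not from the bulletin: remove Quick Assist for all users and
# verify both the removal and the network block of the session endpoint.
# Assumes an elevated PowerShell session on Windows 10/11 (Appx and DISM modules).
$PackageName = 'MicrosoftCorporationII.QuickAssist'           # package name from the bulletin
$Endpoint    = 'remoteassistance.support.services.microsoft.com'  # endpoint from the bulletin

# 1. Remove the installed package from every user profile on the device.
$installed = Get-AppxPackage -AllUsers -Name $PackageName
if ($installed) {
    $installed | Remove-AppxPackage -AllUsers
    Write-Output "Removed $PackageName for all users."
} else {
    Write-Output "$PackageName is not installed for any user."
}

# 2. Remove the provisioned copy so new user profiles do not get it back.
$provisioned = Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -eq $PackageName }
if ($provisioned) {
    $provisioned | Remove-AppxProvisionedPackage -Online | Out-Null
    Write-Output "Removed provisioned package $PackageName."
}

# 3. Verify that nothing is left installed or provisioned.
$stillInstalled   = Get-AppxPackage -AllUsers -Name $PackageName
$stillProvisioned = Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -eq $PackageName }
if (-not $stillInstalled -and -not $stillProvisioned) {
    Write-Output 'Quick Assist is absent from this device.'
} else {
    Write-Warning 'Quick Assist is still present; review the output above.'
}

# 4. Confirm the network block: if the endpoint still answers on TCP 443,
#    a Quick Assist session could still be established from this host.
$probe = Test-NetConnection -ComputerName $Endpoint -Port 443 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Write-Warning "$Endpoint is reachable on TCP 443; the block is not in effect from this host."
} else {
    Write-Output "$Endpoint is not reachable on TCP 443 from this host."
}
```

Step 4 only tests the host it runs on; if the block is enforced at a proxy or egress firewall, run it from a representative endpoint on each network segment.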
Additionally, consider implementing policies to block the installation and use of Windows Quick Assist and other RMM tools unless they have been explicitly approved for use within your environment. This approach helps ensure that only vetted and secure tools are in operation, further safeguarding your systems.
Recommendation #2: Implement Comprehensive Security Awareness Training
Black Basta affiliates have successfully socially engineered victims through calls and emails during this ongoing campaign. Arctic Wolf strongly recommends implementing comprehensive security awareness training campaigns. These initiatives are designed to equip users with the skills needed to quickly identify and report suspicious activity, including the tech support scams observed in this campaign.
Arctic Wolf has several vishing modules within our Managed Security Awareness (MSA) product that will help users identify the suspicious activity outlined in this bulletin.
Recommendation #3: Microsoft Teams Attack Vector Safeguards
Microsoft has provided the following mitigations to protect against attacks leveraging Microsoft Teams:
- Educate Microsoft Teams users to check for the ‘External’ tag on communications from external sources, exercise caution in sharing information, and avoid sharing account details or approving sign-in requests via chat.
- Apply Microsoft’s security best practices for Microsoft Teams.