CyberSecurity SEE

Windows Quick Assist vulnerable to exploitation in ransomware attacks


Security researchers have recently discovered Storm-1811, a cybercriminal group focused on financial gain, utilizing Quick Assist, a client management tool, in their social engineering attacks. This revelation comes from a technical blog post released by Microsoft on Wednesday, shedding light on the group’s tactics involving voice phishing (vishing) since mid-April 2024, as they use impersonation to infiltrate target devices.

The abuse of Quick Assist, a tool originally intended for remote troubleshooting, lets these malicious actors connect to unsuspecting users' machines and ultimately deploy harmful tools and ransomware. Storm-1811 has specifically been taking advantage of the tool by impersonating trusted parties such as Microsoft support or in-house IT staff, tricking individuals into granting access to their devices.

Microsoft has highlighted this manipulation as part of a broader pattern of tech support scams that are prevalent in the cybersecurity realm, where scammers exploit the trust of users for their own gains. In response to these alarming threats, Microsoft is actively looking into the misuse of Quick Assist and working on implementing measures to increase transparency and trust within the application.

Recommendations provided by Microsoft include educating users on how to identify and report tech support scams, as well as advising organizations to block or uninstall remote management tools like Quick Assist when they are not actively in use. However, because Quick Assist is installed by default on Windows 11 devices, it poses an inherent risk, necessitating heightened awareness and caution among both individual users and organizations.
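The "block or uninstall when not in use" recommendation is easy to turn into a repeatable check. The script below is an added example, not code from the article or from Microsoft: it audits a Windows 11 host for Quick Assist and, only when run with -Remove, uninstalls it. It assumes the two identifiers under which Quick Assist ships on current builds (the `App.Support.QuickAssist` Windows capability on older builds and the `MicrosoftCorporationII.QuickAssist` Store package on newer ones); verify those names on your own image before deploying it fleet-wide.

```powershell
# Added example (not from the article or from Microsoft). Audits a Windows host for
# Quick Assist and, when -Remove is given, uninstalls it so the tool is not sitting
# ready for an unsolicited "support" call. Run from an elevated PowerShell session.
# Assumed identifiers: capability name App.Support.QuickAssist* (older builds) and
# Store package MicrosoftCorporationII.QuickAssist (newer Windows 11 builds).
param(
    [switch]$Remove
)

function Get-QuickAssistState {
    # Capability-based installation (Settings > Optional features on older builds)
    $cap = Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' }

    # Store-based installation (newer Windows 11 builds ship it as an Appx package)
    $pkg = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        CapabilityName  = $cap.Name
        CapabilityState = $cap.State          # 'Installed' or 'NotPresent'
        StorePackage    = $pkg.PackageFullName
        Present         = ($cap.State -eq 'Installed') -or ($null -ne $pkg)
    }
}

$state = Get-QuickAssistState
$state | Format-List

if (-not $state.Present) {
    Write-Host 'Quick Assist is not installed on this host.'
    return
}

if ($Remove) {
    if ($state.CapabilityState -eq 'Installed') {
        Remove-WindowsCapability -Online -Name $state.CapabilityName | Out-Null
        Write-Host "Removed capability $($state.CapabilityName)"
    }
    if ($state.StorePackage) {
        Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
            Remove-AppxPackage -AllUsers
        Write-Host "Removed Store package $($state.StorePackage)"
    }
}
else {
    Write-Host 'Quick Assist is present. Re-run with -Remove to uninstall it.'
}
```

Running the script without -Remove is a safe inventory step that can be scheduled across a fleet; the removal path is gated behind the switch so that a helpdesk that genuinely relies on Quick Assist can keep it on designated machines while removing it everywhere else.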

Social engineering tactics, such as vishing attacks, have played a significant role in these exploits, with threat actors utilizing a variety of methods to deceive users and gain access to their devices. Once access is granted, malicious payloads like Qakbot, Cobalt Strike, and remote monitoring and management (RMM) tools such as ScreenConnect and NetSupport Manager are unleashed, leading to the deployment of Black Basta ransomware.

By increasing awareness and implementing the suggested mitigations, organizations can strengthen their defenses and reduce the risk posed by threat actors exploiting tools like Quick Assist. It is crucial for users to stay vigilant and promptly report any suspicious activities to prevent falling victim to these sophisticated social engineering attacks.
