July Update: Protect Your Business from Storm-1811 Cyber Threats
At the end of May 2024, Microsoft Threat Intelligence observed a significant development: the threat actor group Storm-1811 began using Microsoft Teams as a vector to contact target users. This group is known for its sophisticated social engineering attacks, where they impersonate IT or help desk personnel to gain access to systems and deploy malicious software, including ransomware. This activity involves the misuse of Quick Assist, a legitimate remote support tool, leading to credential theft and persistence using tools like EvilProxy and SystemBC.
The Threat Landscape
Since mid-April 2024, Storm-1811 has been actively misusing Quick Assist in social engineering attacks. This group, financially motivated and associated with the deployment of Black Basta ransomware, begins its attacks by impersonating trusted IT personnel through voice phishing (vishing). They deliver malicious tools such as remote monitoring and management (RMM) tools, Qakbot, Cobalt Strike, and ultimately, Black Basta ransomware.
Mitigating This Threat
Understanding Quick Assist
Quick Assist allows a user to share their Windows or macOS device with another person over a remote connection. Threat actors exploit this feature by impersonating trusted contacts to gain initial access to a target device.
Recommendations for Protection
Microsoft’s Recommendations:
- Block or Uninstall Quick Assist: If your organisation doesn’t use Quick Assist, consider blocking or uninstalling it to reduce risk.
- Educate Users: Inform users about the dangers of tech support scams and how to recognise them. Only allow access to your device through Quick Assist if you initiated the interaction by contacting official support channels.
- Report Scams: Disconnect from any suspicious Quick Assist sessions immediately and report them to authorities or your IT department.
- Security Best Practices: Apply security best practices for Microsoft Teams and other tools to safeguard against malicious activities.
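The first recommendation (block or uninstall Quick Assist where it is not used) is the one most organisations can act on immediately. The following is an added example, not code from the Kloudify post or from Microsoft's advisory: it inventories both forms in which Quick Assist ships on Windows and, with the hypothetical `-Remove` switch, uninstalls them. It assumes an elevated PowerShell session on Windows 10/11; the package and capability names are the ones Microsoft publishes for the Store app and the older in-box capability, but confirm them on your own builds.

```powershell
# Added example (not from the Kloudify post or Microsoft's advisory):
# inventory and, optionally, remove Quick Assist on a Windows endpoint.
# Assumes an elevated session. Names below are Microsoft's published ones
# for the Store app and the legacy in-box capability; verify on your build.
param([switch]$Remove)

$storeApp   = 'MicrosoftCorporationII.QuickAssist'
$capPattern = '*QuickAssist*'

# 1. Store app build of Quick Assist (current Windows 10/11 releases).
#    Installed copies per user profile, plus the provisioned package that
#    would be staged into any new profile created later.
$installed   = Get-AppxPackage -AllUsers -Name $storeApp
$provisioned = Get-AppxProvisionedPackage -Online |
               Where-Object DisplayName -eq $storeApp

# 2. Legacy in-box capability (older Windows 10 builds).
$cap = Get-WindowsCapability -Online |
       Where-Object { $_.Name -like $capPattern -and $_.State -eq 'Installed' }

# Report what was found so the result can be logged or fed to a ticket.
[pscustomobject]@{
    StoreAppInstalled   = [bool]$installed
    StoreAppProvisioned = [bool]$provisioned
    LegacyCapability    = [bool]$cap
} | Format-List

if (-not $Remove) { return }

# Remove for all existing users, stop it being provisioned for new ones,
# and strip the legacy capability if present.
if ($installed)   { $installed   | Remove-AppxPackage -AllUsers }
if ($provisioned) { $provisioned | Remove-AppxProvisionedPackage -Online | Out-Null }
if ($cap) {
    $cap | ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name | Out-Null }
}

# A second run without -Remove should now report all three values as False.
```

Removing the package does not stop a user reinstalling Quick Assist from the Microsoft Store, so pair this with Store restrictions or an application control policy, and make the inventory output part of your endpoint compliance checks.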
To assist you further, Kloudify Technologies offers the following support:
- Free Advice on Avoiding Phishing Emails: Learn how to recognise and avoid phishing attempts that could compromise your security.
- Free Cybersecurity Assessment: Identify and mitigate vulnerabilities within your systems.
- Implement Defender for Endpoint: We can assess your environment and support you in implementing Microsoft Defender for Endpoint.
The Role of Social Engineering
One technique used by threat actors involves phishing attacks in which they impersonate IT support personnel to gain trust and access. They may flood a target’s inbox with email subscriptions (link listing attacks) and then call to offer fraudulent support for the resulting problem.
Recent Observations
In May 2024, Storm-1811 began using Microsoft Teams to send messages and initiate calls, impersonating help desk personnel. Microsoft has taken steps to mitigate this by suspending identified malicious accounts and tenants.
During these attacks, the threat actor persuades users to grant access via Quick Assist, leading to the execution of malicious scripts and tools like Qakbot and Cobalt Strike, and eventually deploying Black Basta ransomware.
Our Commitment
At Kloudify Technologies, we are dedicated to supporting our customers through IT security challenges. If you require additional assistance or have any concerns, please do not hesitate to reach out to us. Our team is available around the clock to provide the necessary support and advice.