Key Takeaways:
- Cybercriminals are abusing Microsoft’s Quick Assist app to perform social engineering attacks, tricking users into granting remote access to their computers.
- The financially motivated threat actor, Storm-1811, has been using this method to spread Black Basta ransomware since April 2024.
- Microsoft advises administrators to uninstall or block Quick Assist if it is not in use and to implement privileged access management (PAM) solutions.
Microsoft has warned customers about a new wave of social engineering attacks where cybercriminals exploit its Quick Assist app. The company acknowledged that a financially motivated threat actor (tracked as Storm-1811) has been deploying Black Basta ransomware since mid-April, posing a significant threat to users.
Quick Assist is a remote assistance tool that helps to connect two PCs over the Internet. It allows IT support teams to remotely view and control another user’s computer to diagnose and fix technical issues. The Quick Assist app is installed by default on Windows 11, and it encrypts the connection between the two computers to maintain data privacy.
In a new threat intelligence report, Microsoft revealed that hackers are leveraging social engineering campaigns to trick victims into granting access to their computers via Quick Assist. The attackers first flood a target's inbox with spam by signing the address up for email subscriptions, then call the target posing as IT support and use voice phishing (vishing) to offer help with the spam problem.
“During the call, the threat actor persuades the user to grant them access to their device through Quick Assist. The target user only needs to press CTRL + Windows + Q and enter the security code provided by the threat actor,” the Microsoft Threat Intelligence team explained. “After the target enters the security code, they receive a dialog box asking for permission to allow screen sharing. Selecting Allow shares the user’s screen with the actor.”
Additionally, Microsoft observed that Storm-1811 deploys a mix of legitimate tooling and malware to escalate privileges and maintain control over compromised devices. This includes remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, as well as malicious payloads such as Qakbot and Cobalt Strike.
Microsoft advises administrators to uninstall or block Quick Assist and other remote management tools if they are not in use within their organizations. They also recommend implementing privileged access management (PAM) solutions to prevent unauthorized access to sensitive information.
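As an added example (not code from the article or from Microsoft's report), the script below shows how an administrator could act on that first recommendation on a single Windows 10/11 host: audit whether Quick Assist is present or running, then remove it. The capability name "App.Support.QuickAssist*" and the Store package name "MicrosoftCorporationII.QuickAssist" are assumptions to verify against your own image, since the packaging of Quick Assist has changed between Windows builds.

```powershell
# Added example: audit and remove Quick Assist on a Windows host.
# Run from an elevated PowerShell session.
# Assumptions: older builds ship Quick Assist as the Windows capability
# "App.Support.QuickAssist*"; newer Windows 11 builds ship it as the Store
# package "MicrosoftCorporationII.QuickAssist". Check both names on your image.

function Get-QuickAssistState {
    $capability = Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' }
    $appx = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        CapabilityInstalled = [bool]$capability
        CapabilityName      = $capability.Name
        AppxInstalled       = [bool]$appx
        AppxVersion         = $appx.Version
        # QuickAssist.exe running right now may be a live help-desk call or a live intrusion.
        ProcessRunning      = [bool](Get-Process -Name 'QuickAssist' -ErrorAction SilentlyContinue)
    }
}

function Remove-QuickAssist {
    param([switch]$AuditOnly)   # report without changing anything

    $state = Get-QuickAssistState
    if ($state.ProcessRunning) {
        Write-Warning "QuickAssist.exe is running on $($state.Host); review that session before removal."
    }
    if ($AuditOnly) { return $state }

    if ($state.CapabilityInstalled) {
        Remove-WindowsCapability -Online -Name $state.CapabilityName | Out-Null
    }
    if ($state.AppxInstalled) {
        Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
            Remove-AppxPackage -AllUsers
        # Also stop the package from being provisioned into new user profiles.
        Get-AppxProvisionedPackage -Online |
            Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
            Remove-AppxProvisionedPackage -Online | Out-Null
    }
    # Return the post-removal state so a fleet job can collect it.
    Get-QuickAssistState
}

Remove-QuickAssist -AuditOnly   # inventory first; drop -AuditOnly to remove
```

For an organization-wide rollout the same functions can be pushed through Intune or a scheduled task, keeping the audit output so hosts where QuickAssist.exe was found running get a follow-up review.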
Additionally, Microsoft urges organizations to enable cloud-delivered protection, tamper protection, and network protection as well as invest in advanced anti-phishing solutions. IT admins should also conduct employee training sessions to educate staff about tech support scams and social engineering attacks.