Netskope Threat Coverage: Microsoft Quick Assist Ransomware Attacks

Introduction

Microsoft has recently highlighted the abuse of the remote support tool Quick Assist in sophisticated social engineering attacks leading to ransomware infections. This blog post summarizes the threat and recommends a mitigation strategy for Netskope customers.

Attack Chain

An unknown adversary group is exploiting Quick Assist in targeted social engineering campaigns. These attacks typically begin with vishing (voice phishing) to impersonate trusted entities, such as technical support or IT personnel, to trick victims into granting remote access to their devices. Microsoft is currently referring to this unknown adversary group as Storm-1811. The Storm-#### naming scheme is one that Microsoft uses as a temporary name for unknown, emerging threats and groups in development.

Once they obtain access via Quick Assist, the attackers deploy various malicious tools and malware. The attack chain includes the following key stages:

1. Impersonation and Vishing: Attackers impersonate IT support, contacting targets via phone and convincing them to use Quick Assist for troubleshooting.
2. Remote Access: The victim initiates a Quick Assist session, granting the attacker access.
3. Execution of Malicious Commands: Attackers run scripted commands to download and execute malicious payloads.
4. Tool Deployment: The attackers use tools like ScreenConnect and NetSupport Manager to facilitate remote control and Qakbot and Cobalt Strike to deploy additional payloads.
5. Ransomware Deployment: The attackers use PsExec to deploy the Black Basta ransomware across the network.

Recommendations

Netskope Threat Labs recommends disabling Quick Assist if you are not actively using it. Netskope SWG customers can disable Quick Assist by configuring a rule to block traffic to remoteassistance.support.services.microsoft.com. For organizations with a legitimate use for Quick Assist, Netskope customers can leverage real-time user coaching to train users who access Quick Assist to recognize social engineering tactics. The following screenshot provides an example of such a message. 

Conclusion

The abuse of Quick Assist in ransomware attacks underscores the importance of locking down channels for remote access into your systems. Netskope Threat Labs recommends disabling Quick Assist if you are not actively using it and leveraging real-time user coaching in organizations using Quick Assist.