Storm-1811 Abuses RMM Tools to Spread Black Basta Ransomware

The threat actor that Microsoft tracks as Storm-1811 is actively targeting multiple organizations with social engineering: posing as IT support personnel, the operators talk victims into granting remote access through Microsoft Quick Assist.

Once they have a foothold, they deploy Black Basta ransomware, which can cause significant data loss and disrupt operations.

Prompt detection and response are essential to reduce the risk from this threat. In a recent attack, Storm-1811 began by flooding victims' inboxes with spam email.

The attackers then contacted the victims through Microsoft Teams or by telephone, posing as IT administrators offering to help with the email problem.

How Storm-1811 Operates

This technique, known as email bombing, is a common precursor to more sophisticated attacks: the self-inflicted "problem" gives the adversary a pretext for the support call that leads to initial access.

After that first contact, the adversary persuaded the user to grant remote access through Microsoft Quick Assist, AnyDesk, or TeamViewer.

With that access, the attacker carried out reconnaissance, moved laterally within the network, and ultimately established a persistent backdoor by tunnelling over SSH.

Red Canary recommends increasing endpoint visibility and extending detection and response sensors to every system in order to reduce exposure to this threat.

Broad visibility restricts the attackers' freedom of movement, whereas unmonitored endpoints give them room to operate undetected.

For secure remote management, organizations should maintain a strictly approved list of RMM tools, monitor for anything outside that list, and block unauthorized tools promptly so they cannot be used for unauthorized access.

Even legitimate, approved tools can be abused by an attacker, which is why knowing exactly which remote-access tools are present in the environment matters.

Microsoft Teams should be locked down as well: disable external access by default and allow only carefully vetted partner domains, and limit file-sharing so that an outside "helpdesk" cannot push tools into the environment through chat.

Kaaviya, Security Editor, Cyber Press (https://cyberpress.org/)
Kaaviya is a Security Editor and reporter with Cyber Press, covering cybersecurity incidents.
