Knowledge base

May 20, 2024

Microsoft warns of Quick Assist abuse

In a recent blog post, Microsoft warns of a new threat in which criminals abuse Quick Assist to install ransomware. The criminal group Storm-1811 uses social engineering techniques to spread the dreaded Black Basta ransomware via Quick Assist.

How does the attack work? ๐Ÿ•ต๏ธโ€โ™‚๏ธ

Criminals call victims and pretend to be legitimate individuals, a technique known as vishing. Here is a step-by-step overview of their methods:

  • ๐Ÿ“ž Phone contact: The criminals call the victim and pretend to be a trusted source.
  • ๐Ÿ–ฅ๏ธ Start Quick Assist: They ask the victim to start Quick Assist, such as by pressing the key combination CTRL + Windows + Q.
  • ๐Ÿ”’ Enter security code: The victim is prompted to enter the security code provided by the attacker.
  • ๐Ÿ’ป Malicious software installation: Scripts are then used to install rogue software, such as the Black Basta ransomware, on the computer.

Microsoftโ€™s Recommendations ๐Ÿ”

Microsoft has some key recommendations to mitigate this threat:

  • โŒ Disable Quick Assist: Consider disabling Quick Assist if it is not necessary.
  • ๐Ÿ›ก๏ธ Use Remote Help: Consider using Remote Help, a paid alternative that limits assistance to devices within your own organization/tenant.
  • ๐Ÿ“š A wareness and training: Ensure employees are aware of this threat and know how to recognize and report suspicious activity.

Why is Quick Assist so risky? โš ๏ธ

Quick Assist, a tool installed by default on Windows 10 and 11, can be easily launched with the key combination CTRL + Windows + Q. This makes it an attractive target for attackers because:

  • ๐Ÿ‘จโ€๐Ÿ’ป Less suspicion: The tool is already present and known to many users, which creates less distrust.
  • ๐Ÿš€ Easy access: The combination of standard installation and easy access makes it a convenient tool for malicious people.

How can you protect yourself?

  • ๐Ÿ“ž Be careful of unsolicited calls: Donโ€™t simply trust phone calls or messages asking for access to your computer.
  • ๐Ÿ”’ Verify the source: Always verify the identity of the person offering help, especially if sensitive information is involved.
  • ๐Ÿ”„ Update regularly: Make sure your Windows and all software are up-to-date with the latest security updates.
  • ๐Ÿ›ก๏ธ Use security software: Install and use reliable antivirus and anti-malware programs.

What to do in case of suspicious activity?

  • ๐Ÿ“ง Report it immediately: Contact your IT department or Microsoftโ€™s official support channels.
  • ๐Ÿ’ป Disconnect your device: If you suspect your system has been compromised, disconnect the Internet connection immediately.
  • ๐Ÿงฉ Run a full scan: Have your security software run a comprehensive scan to detect and remove any threats.

Other Tools and Their Risks ๐Ÿ› ๏ธ

Although this article deals specifically with Quick Assist, there are other tools such as AnyDesk and TeamViewer that can be used for similar attacks. The difference, however, is that these tools are not installed by default on Windows devices, so they may be less likely to be trusted by victims.

Conclusion ๐Ÿ“

It is crucial to remain vigilant to this new form of attack and take the necessary steps to protect your organization. By creating awareness and implementing security measures, you can significantly reduce risks.

Want to know more?

Get in touch
Quick Assist