17 May 2024

5 min read

Black Basta exploits Microsoft's Windows Quick Assist | Cyber Intelligence Briefing: 17 May



Top news stories this week

  1. Unauthorised access. Black Basta abuses Windows Quick Assist in ransomware attacks, Microsoft warns.
  2. Crackdown. FBI seizes the BreachForums marketplace and plans to charge members of the Scattered Spider ransomware group.
  3. You've got mail. New phishing campaign uses the Phorpiex botnet to send millions of emails carrying ransomware.
  4. Leaked. Santander reports a data breach affecting staff and customers in Spain, Chile, and Uruguay.
  5. Piggy bank. Online fraud syndicates in Southeast Asia make an estimated USD 64 billion annually.
  6. A stitch in time. Microsoft and Google patch actively exploited zero-day vulnerabilities this week.



1. Black Basta uses Windows Quick Assist in ransomware attacks, Microsoft warns

Microsoft has warned that the Black Basta ransomware gang is using voice phishing to trick victims into granting access through Windows Quick Assist, a legitimate built-in feature that lets a remote party view or take control of a Windows device for technical support. Black Basta begins the attack by flooding the victim's inbox with spam emails. The group then calls the victim, impersonating Microsoft technical staff, and persuades them to open Quick Assist and share a session code to "resolve" the spam problem, handing the attacker hands-on-keyboard access to the device.

So what?

Threat actors increasingly pair social engineering with legitimate remote-access tools, which raise no malware alerts, to gain an initial foothold before deploying ransomware. Employees should be trained never to grant remote access to unknown or unsolicited callers, however plausible the pretext. Organisations that do not use Quick Assist should remove or block it on managed endpoints, and those that do should monitor its use.
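As an added example (not part of the original briefing or of Microsoft's guidance), the following PowerShell script inventories Quick Assist on a Windows endpoint and, when run with -Remove, uninstalls it. It assumes Quick Assist is present either as the Windows capability "App.Support.QuickAssist*" or as the Store package "MicrosoftCorporationII.QuickAssist"; confirm those names from the inventory output on your own build before removing anything.

```powershell
# Added example: inventory Quick Assist and optionally remove it from an endpoint
# that does not need it. Run from an elevated PowerShell session.
# Assumption: the capability name "App.Support.QuickAssist*" and the Store
# package name "MicrosoftCorporationII.QuickAssist" match the identifiers shipped
# on the target Windows build; verify with the inventory step first.
param([switch]$Remove)

# Older builds ship Quick Assist as an optional Windows capability ...
$capability = Get-WindowsCapability -Online -Name "App.Support.QuickAssist*" |
    Where-Object State -eq "Installed"

# ... newer builds deliver it as a Microsoft Store package, so check both.
$package = Get-AppxPackage -AllUsers -Name "MicrosoftCorporationII.QuickAssist"

if (-not $capability -and -not $package) {
    Write-Output "Quick Assist is not installed on $env:COMPUTERNAME."
    return
}

foreach ($c in $capability) { Write-Output "Capability present: $($c.Name) ($($c.State))" }
foreach ($p in $package)    { Write-Output "Store package present: $($p.PackageFullName)" }

if ($Remove) {
    # Remove whichever form is present; both calls are no-ops on empty input.
    $capability | ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name | Out-Null }
    $package    | ForEach-Object { Remove-AppxPackage -AllUsers -Package $_.PackageFullName }
    Write-Output "Quick Assist removed from $env:COMPUTERNAME. Re-run without -Remove to verify."
}
```

Run the script without -Remove first to see what is installed; removal only makes sense where the help desk does not rely on Quick Assist for legitimate support sessions.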

[Researcher: Waithera Junghae]

2. Notorious BreachForums hacking forum seized

The FBI has seized BreachForums, a notorious marketplace used by cyber criminals to trade and leak stolen data, hacking tools, and other cybercrime services. The seizure notice posted on the site indicates that its two administrators have been arrested.

Separately, a senior FBI official has announced plans to bring charges against the Scattered Spider ransomware group, widely known for its 2023 attack on MGM Resorts.

So what?

Law enforcement takedowns of prominent groups and marketplaces are a positive development, although such disruption is often temporary: forums reappear under new infrastructure and operators regroup, so organisations should not relax their defences on the back of a seizure.

[Researcher: Aditya Ganjam Mahesh]

3. Hackers use botnet to expand the distribution of LockBit Black ransomware

The Phorpiex botnet is being used in a large-scale phishing campaign to send emails carrying a strain of LockBit Black ransomware. The emails deliver a malicious ZIP attachment; when the attachment is opened and the file inside is run, the ransomware begins encrypting files on the victim's systems.

While some researchers claim the ransom notes appear unrelated to LockBit, S-RM has observed cases from this campaign in which the ransom note instructs the victim to negotiate on LockBit's official sites. This indicates the group is highly likely to be involved in the campaign.

So what?

Phishing remains a primary delivery mechanism for ransomware. Alongside user awareness training so that employees can identify and report phishing attempts, organisations should block or quarantine inbound archive attachments that contain executable content, and restrict execution of unsigned binaries from user-writable locations.

[Researcher: Adelaide Parker]

4. Customers and staff affected in Santander database breach

Spanish bank Santander has reported unauthorised access to a database hosted by a third-party provider, which contained information on customers in Chile, Spain, and Uruguay, as well as current and former employees. The bank's statement says the database held no transaction data or online banking credentials, and that customers can continue to transact securely.

So what?

Encrypting sensitive data at rest limits what an attacker can read, but it does not help if they obtain the credentials or application access that decrypts it. Combine encryption with tight access control and logging, and hold third-party hosted databases to the same standards, and the same monitoring, as systems run in-house.

[Researcher: Amy Gregan]

5. Southeast Asia fraud syndicates generate USD 64 billion through ‘pig butchering’ scams

Online fraud syndicates in Southeast Asia are reportedly generating USD 64 billion annually, according to new research. In a scheme known as 'pig butchering', the groups contact potential victims on dating apps and spend weeks building a relationship before tricking them into handing over money, often under the guise of an investment opportunity.

So what?

Scammers often use unsolicited communications to catch people off guard. Individuals should always verify the legitimacy of offers, requests, or claims before taking action.

[Researcher: Jon Seland]

6. Microsoft and Google patch zero-day vulnerabilities

Microsoft has patched 61 vulnerabilities in its software as part of this month's Patch Tuesday, including two zero-day vulnerabilities that are being actively exploited in the wild. Separately, Google has released an emergency Chrome security update fixing its third actively exploited zero-day vulnerability of the week. Several of these vulnerabilities allow attackers to execute arbitrary code on targeted devices.

So what?

Organisations should ensure critical patches are assessed and applied as quickly as possible, prioritising vulnerabilities known to be actively exploited. Browser zero-days in particular warrant prompt deployment, since users are exposed simply by visiting a malicious page.

[Researcher: Lena Krummeich]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.

