RESEARCH: Storm-1811

Storm-1811 is the name Microsoft uses for a financially motivated cybercriminal group known for deploying Black Basta ransomware. The group is notable less for novel malware than for its initial access: rather than exploiting a vulnerability, it talks users into granting remote control of their own workstations, then uses that foothold to steal data and encrypt the environment. Understanding Storm-1811 matters because this access path bypasses email filtering and patch management, and because its intrusions cause significant financial and reputational damage to the organizations it hits.

The research involved reviewing multiple sources to gather Storm-1811's tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs) and mitigation strategies. The findings show a consistent chain: Storm-1811 uses tech support scams and vishing to obtain initial access, typically by persuading the user to accept a Quick Assist session; with that access the operator downloads and installs additional tooling, including Qakbot, Cobalt Strike and remote monitoring and management (RMM) tools such as ScreenConnect and NetSupport Manager, which provide persistence and a channel for credential theft and lateral movement; the intrusion ends with the deployment of Black Basta ransomware.

Assessment Rating

Rating: HIGH

The assessment rating for Storm-1811 is HIGH. The group's campaigns are ongoing, its initial access does not depend on an unpatched vulnerability (it relies on the user consenting to a remote session, so fully patched environments are exposed), and Black Basta deployments have confirmed impact across multiple sectors, including critical infrastructure. Because the tooling it abuses (Quick Assist, ScreenConnect, NetSupport Manager) is legitimate and signed, the activity resembles routine IT support and is easy to miss without behavioural detection.

Findings

  1. Advanced Social Engineering Techniques: Storm-1811 combines email bombing with vishing. The target's mailbox is flooded with subscription emails, and the actor then calls posing as IT or help desk staff offering to fix the problem. The user is walked through launching Quick Assist and entering the actor's security code, which hands the operator interactive control of the device with the user's consent, so no exploit and no malicious attachment is needed.
  2. Deployment of Black Basta Ransomware: After data has been collected and exfiltrated from the network, Storm-1811 deploys Black Basta ransomware, which encrypts files on the compromised hosts. The stolen data is then used for extortion on top of the encryption, which is what makes the financial and reputational damage significant even where backups exist.
  3. Use of Remote Monitoring and Management Tools: Storm-1811 installs RMM tools such as ScreenConnect and NetSupport Manager to keep persistent, interactive access that survives the end of the Quick Assist session and blends in with legitimate remote support traffic. The ScreenConnect relay hostname in the IoC list is an attacker-controlled instance of that legitimate service.
  4. Credential Theft and Lateral Movement: The group uses Qakbot and Cobalt Strike to harvest credentials, enumerate the Active Directory domain and move laterally to additional hosts in preparation for ransomware deployment.
  5. Command and Control Infrastructure: Storm-1811 uses a set of command and control (C2) domains and IP addresses (see Indicators of Compromise) to communicate with compromised systems and stage additional malware; several of the domains are named to look like update or anti-spam services.

Indicators of Compromise

Indicators are defanged with [.]; refang them before loading them into blocklists or hunting queries. The screenconnect[.]com entry is a single attacker-controlled relay hostname on a legitimate SaaS domain, so block or alert on that exact hostname rather than the parent domain if ScreenConnect is used legitimately in your environment.

  1. Domains:

    • upd7a[.]com
    • upd7[.]com
    • upd9[.]com
    • upd5[.]pro
    • antispam3[.]com
    • antispam2[.]com
    • instance-olqdnn-relay.screenconnect[.]com
    • greekpool[.]com
    • zziveastnews[.]com
    • realsepnews[.]com
  2. SHA-256 Hashes:

    • 71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8
    • 0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0
    • 1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30
    • 93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7
    • 1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb
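
The following PowerShell is an added example for this report, not code from any of the cited sources or from the threat actor. It refangs the indicators above and hunts for them in DNS query records and on disk. The CSV layout (timestamp,hostname,queryname) and the log lines are constructed for the demo; the hash list is the one above. Point Find-IocDnsHits at a real export (for example Sysmon Event ID 22 DnsQuery events) and Find-IocFileHits at a download or staging directory.

```powershell
# Added example: hunt for the Storm-1811 domain and hash IoCs listed above.
# Not from the cited reports. Sample log lines are constructed for the demo.

# Domains exactly as published (defanged); hashes as published.
$DefangedDomains = @(
    'upd7a[.]com', 'upd7[.]com', 'upd9[.]com', 'upd5[.]pro',
    'antispam3[.]com', 'antispam2[.]com',
    'instance-olqdnn-relay.screenconnect[.]com',
    'greekpool[.]com', 'zziveastnews[.]com', 'realsepnews[.]com'
)
$IocHashes = @(
    '71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8',
    '0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0',
    '1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30',
    '93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7',
    '1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb'
)

function ConvertFrom-Defanged {
    param([Parameter(Mandatory)][string]$Indicator)
    # Undo the usual defanging ("[.]" and "hxxp") and normalise case and trailing dot.
    $s = $Indicator -replace '\[\.\]', '.' -replace '^hxxp', 'http'
    return $s.ToLowerInvariant().TrimEnd('.')
}

function Test-IocDomain {
    param([Parameter(Mandatory)][string]$QueryName, [Parameter(Mandatory)][string[]]$Domains)
    # Match the indicator itself or any label beneath it (actors rotate hostnames
    # under one registered domain). Because the ScreenConnect entry is a full
    # hostname, www.screenconnect.com does not match it; only the relay instance does.
    $q = $QueryName.ToLowerInvariant().TrimEnd('.')
    foreach ($d in $Domains) {
        if ($q -eq $d -or $q.EndsWith(".$d")) { return $d }
    }
    return $null
}

function Find-IocDnsHits {
    param([Parameter(Mandatory)][string[]]$LogLines, [Parameter(Mandatory)][string[]]$Domains)
    # Assumed CSV layout: timestamp,hostname,queryname (e.g. an export of Sysmon
    # Event ID 22). Emits one object per matching query.
    foreach ($line in $LogLines) {
        $ts, $src, $query = $line -split ',', 3
        $hit = Test-IocDomain -QueryName $query -Domains $Domains
        if ($hit) {
            [pscustomobject]@{ Time = $ts; Source = $src; Query = $query; Indicator = $hit }
        }
    }
}

function Find-IocFileHits {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string[]]$Hashes)
    # SHA-256 every file under $Path and report any that match the IoC list.
    $set = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$Hashes, [System.StringComparer]::OrdinalIgnoreCase)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        if ($set.Contains($h)) {
            [pscustomobject]@{ File = $_.FullName; SHA256 = $h }
        }
    }
}

$Domains = $DefangedDomains | ForEach-Object { ConvertFrom-Defanged -Indicator $_ }

# Constructed sample log: one benign Microsoft query, a subdomain of an IoC domain,
# the attacker's ScreenConnect relay, and the vendor's own site (must not match).
$SampleLog = @(
    '2024-05-14T10:02:11Z,WS-0412,login.microsoftonline.com',
    '2024-05-14T10:05:39Z,WS-0412,cdn.upd7a.com',
    '2024-05-14T10:06:02Z,WS-0412,instance-olqdnn-relay.screenconnect.com',
    '2024-05-14T10:06:30Z,WS-0412,www.screenconnect.com'
)

Find-IocDnsHits -LogLines $SampleLog -Domains $Domains | Format-Table -AutoSize
# Against a real directory:
# Find-IocFileHits -Path "$env:USERPROFILE\Downloads" -Hashes $IocHashes
```

Running the sample produces two hits (cdn.upd7a.com and the relay hostname) and no hit for www.screenconnect.com, which is the behaviour you want if ScreenConnect is also used legitimately. For fleet-wide hunting, feed Find-IocDnsHits with the DNS fields from your EDR or SIEM export instead of a local file.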

Recommendations, Actions and Next Steps

  1. Block or Uninstall Quick Assist: Remove Quick Assist from endpoints where it is not needed (it ships both as a Windows capability and as a Microsoft Store app, so check both) and remove or restrict any other RMM tool that is not on an approved list. Where Quick Assist must stay, block it with AppLocker or Windows Defender Application Control for users who do not need it and alert on QuickAssist.exe launches: a session the help desk did not initiate is a strong signal.
  2. User Education and Awareness: Educate users about recognizing and avoiding tech support scams, phishing attempts, and other social engineering tactics, and describe the specific pretext used here: an unexpected flood of subscription emails followed by an unsolicited call from "IT". Users should know that the help desk will never cold-call them to start a remote session, and how to report such a call. Regular training sessions and awareness programs reduce the success rate of this lure.
  3. Implement Advanced Anti-Phishing Solutions: Deploy anti-phishing controls that inspect incoming email and visited websites to detect and block phishing attempts, and tune them so that an email-bombing burst against a single mailbox raises an alert rather than being treated as ordinary spam.
  4. Enable Cloud-Delivered Protection: Turn on cloud-delivered protection in Microsoft Defender Antivirus (or the equivalent in your endpoint product) to cover rapidly evolving attacker tools and techniques and block new and unknown variants of the loaders and ransomware used here.
  5. Network Protection: Enable network protection so that connections to the C2 domains listed above, and to newly identified malicious domains, are blocked at the endpoint and not only at the web proxy.
  6. Tamper Protection: Turn on tamper protection so that an attacker with local administrator rights cannot disable antivirus, real-time protection or other security services before deploying ransomware.
  7. Automated Investigation and Remediation: Enable automated investigation and remediation in the endpoint protection platform so that alerts on the RMM tools and loaders above are acted on immediately rather than waiting for an analyst.
  8. Conditional Access Policies: Configure Conditional Access in Microsoft Entra ID to require phishing-resistant authentication (FIDO2 security keys, Windows Hello for Business or certificate-based authentication) for critical applications and services, so that credentials harvested on a compromised workstation are not enough on their own to reach cloud resources.
  9. Regular Security Audits: Conduct regular security audits and penetration testing, including a review of which RMM tools are installed across the fleet and who is allowed to use them, to identify and remediate weaknesses before an attacker does.
  10. Incident Response Plan: Develop and maintain an incident response plan with a tested procedure for isolating a host as soon as an unsanctioned remote session is detected, and with verified offline backups so that encryption can be recovered from without paying.
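
As an added example for recommendation 1 (again not code from the cited reports), the PowerShell below inventories Quick Assist on a Windows 10/11 endpoint and removes it. It assumes the capability name App.Support.QuickAssist and the Store package name MicrosoftCorporationII.QuickAssist, which is how the two distributions of Quick Assist are identified; run it from an elevated session and call Remove-QuickAssistInstall -WhatIf before the real removal.

```powershell
# Added example: inventory and remove Quick Assist. Run elevated. Assumes the
# capability name App.Support.QuickAssist and the Store package name
# MicrosoftCorporationII.QuickAssist (the two ways Quick Assist is delivered).

function Get-QuickAssistInstall {
    [CmdletBinding()]
    param()
    # Quick Assist is a Windows capability on older builds and a Store app on
    # current builds. Also check the provisioned package, which would reinstall
    # the app for every new user profile, and whether it is running right now.
    $cap  = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
            Where-Object State -eq 'Installed'
    $appx = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
    $prov = Get-AppxProvisionedPackage -Online |
            Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist'
    $proc = Get-Process -Name 'QuickAssist' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Capability  = @($cap  | ForEach-Object Name)
        AppxPackage = @($appx | ForEach-Object PackageFullName)
        Provisioned = @($prov | ForEach-Object PackageName)
        RunningPids = @($proc | ForEach-Object Id)
    }
}

function Remove-QuickAssistInstall {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $found = Get-QuickAssistInstall
    if ($found.RunningPids.Count -gt 0) {
        # A live Quick Assist process during a hardening run deserves a look:
        # it may be the very session this report describes.
        Write-Warning "Quick Assist is running (PID $($found.RunningPids -join ', ')); check for an active session before removal."
    }
    foreach ($name in $found.Capability) {
        if ($PSCmdlet.ShouldProcess($name, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $name | Out-Null
        }
    }
    foreach ($pkg in $found.AppxPackage) {
        if ($PSCmdlet.ShouldProcess($pkg, 'Remove-AppxPackage')) {
            Remove-AppxPackage -Package $pkg -AllUsers
        }
    }
    foreach ($pkg in $found.Provisioned) {
        if ($PSCmdlet.ShouldProcess($pkg, 'Remove-AppxProvisionedPackage')) {
            Remove-AppxProvisionedPackage -Online -PackageName $pkg | Out-Null
        }
    }
}

Get-QuickAssistInstall
# Remove-QuickAssistInstall -WhatIf   # preview what would be removed
# Remove-QuickAssistInstall           # remove capability, Store app and provisioning
```

Removing the provisioned package is what stops Quick Assist from coming back for new user profiles; removing only the per-user Appx package leaves that path open. If the tool has to remain for a support team, keep the inventory function as a scheduled compliance check and pair it with an AppLocker or WDAC rule that limits QuickAssist.exe to that team.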

References and Citations

  1. Orpheus Cyber - Storm-1811: A Deep Dive into a Notorious Threat Actor
  2. Field Effect - Storm-1811 using tech support scam to deploy Black Basta ransomware
  3. Microsoft Security Blog - Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

APPENDIX

MITRE ATT&CK Techniques

  1. T1566.004 - Phishing: Spearphishing Voice
  2. T1078 - Valid Accounts
  3. T1566 - Phishing (T1193 Spearfishing Attachment is a retired ID; that behaviour is now sub-technique T1566.001)
  4. T1059 - Command and Scripting Interpreter
  5. T1071 - Application Layer Protocol
  6. T1105 - Ingress Tool Transfer
  7. T1219 - Remote Access Software
  8. T1486 - Data Encrypted for Impact

MITRE ATT&CK Mitigations

  1. M1021 - Restrict Web-Based Content
  2. M1054 - Software Configuration
  3. M1017 - User Training
  4. M1030 - Network Segmentation
  5. M1049 - Antivirus/Antimalware
  6. M1050 - Exploit Protection
  7. M1053 - Data Backup
  8. M1026 - Privileged Account Management (M1057 is Data Loss Prevention, not Privileged Account Management)
  9. M1032 - Multi-factor Authentication
  10. M1038 - Execution Prevention


Get questions like this? Does it take chunks out of your day? Would you rather be working on more interesting intelligence tasks? Would you like help with the research?

This baseline report was thoughtfully researched and took 5 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst. We just did the grunt work.

Join the waiting list.

(c) 2024 CSIRT Gadgets, LLC
License - CC BY-SA 4.0