A new report from Microsoft Incident Response and Microsoft Menace Intelligence groups uncovered the actions and fixed evolution of a financially oriented menace actor named Octo Tempest, who deploys superior social engineering strategies to focus on firms, steal information and run ransomware campaigns.

Leap to:

Octo Tempest’s ways, strategies and procedures

The menace actor deploys a wide range of ways, strategies and procedures to conduct its operations efficiently.

Preliminary entry

Octo Tempest generally leverages social engineering assaults focusing on individuals inside firms who’ve entry to extra information than the typical person, akin to technical directors, assist or assist desks. The group has been noticed impersonating new workers in these assaults to mix into on-hire processes, in response to Microsoft.

Utilizing its social engineering expertise, the group would possibly name workers and trick them into putting in a distant monitoring and administration instrument or browse a phishing website containing an Adversary within the Center toolkit to bypass two-factor authentication and take away their FIDO2 token.

The group may also use smishing, sending SMS containing a phishing hyperlink to workers resulting in a faux login web page with an AitM toolkit, or provoke a SIM swap assault on workers’ telephone numbers, to have the ability to reset their password as soon as they’re in charge of the telephone quantity.

As well as, Octo Tempest purchases legitimate credentials and session cookies for firms instantly on cybercriminals’ underground marketplaces.

In uncommon cases, the group has used very aggressive bodily threats to workers by telephone name and SMS, utilizing their private info akin to their residence tackle or member of the family names, the objective being to get the victims’ credentials for company entry.

Reconnaissance and discovery

As soon as a system is accessed, Octo Tempest runs varied enumeration and knowledge gathering actions. This information will allow the menace actor to know the group higher, export an inventory of customers and teams, accumulate gadget info, and facilitate additional compromise and attainable abuse of reputable channels for different malicious actions.

And, Octo Tempest tries to gather paperwork associated to community structure, distant entry strategies, password insurance policies, credential vaults and worker onboarding.

The group explores the entire inner setting of the focused group, validates entry, and enumerates databases and storage containers. They’ve been noticed utilizing PingCastle and ADRecon to carry out reconnaissance of the Lively Listing, Govmomi to enumerate vCenter APIs, the Pure Storage FlashArray PowerShell module to enumerate storage arrays and Superior IP Scanner to probe inner networks.

Extra credentials and privileges

To raise its privileges inside the company setting, Octo Tempest would possibly name the assistance desk and social engineer the individual answering the decision into believing they’re speaking to an administrator who must reset their password, or change their MFA token or add one other one which the attacker owns.

In some circumstances, the group bypassed password reset procedures through the use of a compromised supervisor’s account to approve requests.

The menace actor always tries to gather extra credentials and makes use of open-source instruments akin to TruffleHog to facilitate the identification of plaintext keys and secrets and techniques or credentials inside code repositories. Octo Tempest makes use of credential dumpers akin to Mimikatz or LaZagne.

Protection evasion

Octo Tempest accesses IT employees accounts to show off safety merchandise and options to keep away from being detected. The menace actor leverages endpoint detection and response and gadget administration applied sciences to permit the usage of malicious instruments, deploy further software program or steal information.

Whereas a number of menace actors disable safety measures on a compromised system, Octo Tempest pushes it one step additional by modifying the safety employees mailbox guidelines to mechanically delete emails from safety distributors which may alert the employees.

Who’s Octo Tempest?

Octo Tempest is a financially oriented menace actor whose members are native English-speakers. The group additionally goes by the names of 0ktapus, Scattered Spider, Scatter Swine and UNC3944.

The menace actor was initially noticed in 2022, focusing on cell telecommunication firms and enterprise course of outsourcing organizations to provoke SIM swaps, which they monetized by promoting it to different criminals and performing cryptocurrency theft on prosperous people.

Since then, Octo Tempest has always advanced (Determine A) and aggressively elevated its actions to focus on cable telcos, e-mail and know-how organizations. The menace actor launched extortion operations on information stolen throughout the compromise of these firms.

Determine A

The group additionally ran massive phishing campaigns focusing on Okta id credentials, which they used for subsequent provide chain assaults. Profitable assaults on Twilio and Mailchimp, for instance, may be attributed to the group.

Octo Tempest then grew to become an affiliate of the ALPHV/BlackCat ransomware, a shocking transfer figuring out that Jap European ransomware teams usually refuse English-speaking associates. The group focused a wider vary of firms, together with hospitality, client merchandise, retail, manufacturing, gaming, pure assets, legislation, tech and monetary companies.

Microsoft famous the group is extremely expert: “In current campaigns, we noticed Octo Tempest leverage a various array of TTPs to navigate complicated hybrid environments, exfiltrate delicate information, and encrypt information. Octo Tempest leverages tradecraft that many organizations don’t have of their typical menace fashions, akin to SMS phishing, SIM swapping, and superior social engineering strategies.”

Find out how to shield from the Octo Tempest menace actor

Roger Grimes, data-driven protection evangelist at KnowBe4, commented in a press release TechRepublic obtained through e-mail:

“These are examples of extremely subtle assaults throughout the spectrum of attainable assaults and motives. Each group should create its greatest defense-in-depth cyber protection plan utilizing one of the best mixture of insurance policies, technical defenses, and training, to greatest mitigate the danger of those assaults. The strategies and class of those assaults have to be shared to workers. They want a lot of examples. Workers want to have the ability to acknowledge the varied cyber assault strategies and be taught how you can acknowledge, mitigate, and appropriately report them. We all know that fifty% to 90% contain social engineering and 20% to 40% contain unpatched software program and firmware, so no matter a corporation can do to greatest battle these two assault strategies is the place they need to seemingly begin.”

Microsoft supplied an intensive record of suggestions, which embody:

• Id administration must be rigorously monitored, with any change being analyzed intently; particularly, administrative modifications have to be checked.
• EDR modifications, particularly new exclusions, have to be rigorously examined. Current installations of distant administration instruments have to be scrutinized.
• Phishing-resistant multifactor authentication akin to FIDO2 safety keys must be deployed for directors and all privileged customers.
• Each worker must be educated about cybersecurity, particularly on phishing strategies and social engineering, regularly with totally different safety consciousness campaigns.

Disclosure: I work for Pattern Micro, however the views expressed on this article are mine.