Microsoft has published a elaborate floor plan of a autochthonal English-speaking threat character pinch precocious societal engineering capabilities it tracks arsenic Octo Tempest, that targets companies successful information extortion and ransomware attacks.
Octo Tempest’s attacks person steadily evolved since early 2022, expanding their targeting to organizations providing cablegram telecommunications, email, and tech services, and partnering pinch nan ALPHV/BlackCat ransomware group.
From relationship theft to ransomware
The threat character was initially observed trading SIM swaps and stealing accounts of high-profile individuals pinch cryptocurrency assets.
In precocious 2022, Octa Tempest moved to phishing, societal engineering, resetting passwords en-masse for nan customers of breached work providers, and information theft.
Earlier this year, nan threat group attacked companies successful nan gaming, hospitality, retail, manufacturing, technology, and financial sectors, arsenic good arsenic managed work providers (MSPs).
After becoming an ALPHV/BlackCat affiliate, Octa Tempest deployed nan ransomware some to bargain and to encrypt unfortunate data.
The group utilized its accumulated acquisition to build much precocious and fierce attacks and besides started to monetize intrusions by extorting victims aft stealing data.
Microsoft says that Octo Tempest besides utilized nonstop beingness threats successful immoderate cases to get logins that would beforehand their attack.
In an overseas move of events, Octo Tempest became an connection of nan ALPHV/BlackCat ransomware-as-a-service (RaaS) operation, Microsoft says, and by June they started deploying some nan Windows and Linux ransomware payloads, focusing connected VMware ESXi servers lately.
“This is notable successful that, historically, Eastern European ransomware groups refused to do business pinch autochthonal English-speaking criminals” - Microsoft
The much caller attacks from this group target organizations successful a assortment of sectors, including gaming, earthy resources, hospitality, user products, retail, managed work providers, manufacturing, law, technology, and financial services.
Octo Tempest TTPs
Microsoft assesses that Octo Tempest is simply a well-organized group that includes members pinch extended method knowledge and aggregate hand-on-keyboard operators.
The hackers often summation first entree done precocious societal engineering that targets accounts of method administrators (e.g. support and thief table staff) pinch capable permissions to further nan attack.
They investigation nan institution to place nan targets they tin impersonate to nan level of mimicking nan reside patterns of nan individual successful telephone calls.
By doing so, they instrumentality method administrators into performing password resets and reset multi-factor authentication (MFA) methods.
Other methods for first entree include:
- tricking nan target into installing distant monitoring and guidance software
- stealing nan logins done phishing sites
- buying credentials aliases convention tokens from different cybercriminals
- SMS phishing labor pinch links to clone login portals that seizure nan credentials
- SIM-swapping aliases telephone forwarding
- Direct threats of violence
Once they get capable access, Octo Tempest hackers commencement nan reconnaissance shape of nan onslaught by enumerating hosts and services and collecting accusation that would licence abusing morganatic channels to advancement nan intrusion.
“Initial bulk-export of users, groups, and instrumentality accusation is intimately followed by enumerating information and resources readily disposable to nan user’s floor plan wrong virtual desktop infrastructure aliases enterprise-hosted resources” - Microsoft
Octo Tempest past proceeds to research nan infrastructure, enumerating entree and resources crossed unreality environments, codification repositories, server and backup guidance systems.
To escalate privileges, nan threat character again turns to societal engineering, SIM-swapping, aliases telephone forwarding, and initiates a self-service password reset of nan target’s account.
During this step, nan hackers build spot pinch nan unfortunate by utilizing compromised accounts and demonstrating an knowing of nan company’s procedures. If they person a manager’s account, they o.k. requests for accrued permissions themselves.
For arsenic agelong arsenic they person access, Octo Tempest continues to look for further credentials to grow their reach. They usage devices for illustration Jercretz and TruffleHog to automate nan hunt for plaintext keys, secrets, and passwords crossed codification repositories.
To support their tracks hidden, nan hackers besides target nan accounts of information personnel, which allows them to disable information products and features.
“Using compromised accounts, nan threat character leverages EDR and instrumentality guidance technologies to let malicious tooling, deploy RMM software, region aliases impair information products, information theft of delicate files (e.g. files pinch credentials, awesome messaging databases, etc.), and deploy malicious payloads” - Microsoft
According to Microsoft, Octo Tempest tries to hide their beingness connected nan web by suppressing alerts of changes and modifying nan mailbox rules to delete emails that could raise nan victim’s suspicions of a breach.
The researchers supply nan pursuing further devices and techniques that Octo Tempest uses successful their attacks:
- open-source tools: ScreenConnect, FleetDeck, AnyDesk, RustDesk, Splashtop, Pulseway, TightVNC, LummaC2, Level.io, Mesh, TacticalRMM, Tailscale, Ngrok, WsTunnel, Rsocx, and Socat
- deploying Azure virtual machines to alteration distant entree via RMM installation aliases modification to existing resources via Azure serial console
- adding MFA methods to existing users
- using nan tunneling tool Twingate, which leverages Azure Container instances arsenic a backstage connector (without nationalist web exposure)
The hackers besides move stolen information to their servers utilizing a unsocial technique, which involves Azure Data Factory and automated pipelines to blend successful pinch emblematic large information operations.
To export SharePoint archive libraries and transportation nan files quicker, nan attacker has been often observed to registry morganatic Microsoft 365 backup solutions specified arsenic Veeam, AFI Backup, and CommVault.
Microsoft notes that detecting aliases hunting for this threat character successful an situation is not an easy task owed to nan usage of societal engineering, living-off-the-land techniques, and nan divers tooling.
However, nan researchers supply a group of wide guidelines that could thief observe malicious activity, which starts pinch monitoring and reviewing identity-related processes, Azure environments, and endpoints.
Octo Tempest is financially motivated and achieves its goals done stealing cryptocurrency, information theft extortion, aliases encrypting systems and asking for a ransom.