Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit


Microsoft's latest research on "one of the most dangerous financial criminal groups" in operation offers security pros an abundance of threat intelligence to protect themselves from its myriad tactics.

The "unique" native English-speaking group is tracked by Microsoft as Octo Tempest and, in the space of a year, has demonstrated a consistent and rapid evolution to become one of the most well-equipped cybercrime groups in existence.

Among its capabilities that aren't often possessed by crews of its kind are SMS phishing, SIM swapping, and advanced social engineering – all skills that are useful for those looking to target English-speaking organizations.

That is perhaps the selling point used to convince prominent ransomware outfit ALPHV/BlackCat to let Octo Tempest join its affiliate program earlier this year. With BlackCat believed to have Russian ties, Microsoft said it was a notable move given that Eastern European ransomware groups typically refuse to do business with native English-speaking criminals.

After initially exploring ransomware as part of its toolset, Octo Tempest originally conducted attacks without dropping an encryption payload, sticking with the data extortion strategies it had adopted starting in late 2022.

It has since branched out into full-scale ransomware attacks and is specifically focusing its efforts on exploiting VMware ESXi servers, the same kind of attacks that befell MGM Resorts.

Octo Tempest is also tracked under different names by other security companies, such as CrowdStrike's Scattered Spider, and while Microsoft hasn't outright pinned Octo Tempest activity to the attacks on MGM, the group has claimed responsibility for them.

The group's activities look much different now compared to where they started in early 2022, and Microsoft has divided its evolution into three phases.

During the first phase, between early and late 2022, Octo Tempest mainly targeted mobile network operators (MNOs) and business process outsourcing organizations using SIM-swapping attacks, selling these to other criminals who could then use them to perform account takeovers and steal cryptocurrency.

From there it cast its net wider in phase two, targeting telecoms companies as well as email and tech service providers, and branching out into data extortion attacks to monetize its intrusions.

Phase three was characterized by the move to ransomware and a further widening of its targets to include organizations in the gaming, hospitality, retail, manufacturing, natural resources, financial services, and tech industries.

Octo Tempest's key tactics

Microsoft said Octo Tempest exhibits a wide range of techniques in its attacks that are indicative of a well-organized group consisting of multiple experienced individuals.

Often using its social engineering expertise to gain initial access to its targets' environments, the group has also in rare cases shown a high degree of aggression and criminality in its approaches.

Octo Tempest has been known to routinely target organizations' employees and helpdesk staff to achieve its goals.

Group members have had success in convincing employees to download legitimate remote monitoring tools, which are then abused by the criminals to launch attacks, as well as in directing them to malicious login portals to steal their credentials and multi-factor authentication (MFA) session cookies.

In extreme cases, the attackers have been observed sending highly threatening SMS messages to victims in order to persuade them to hand over their corporate credentials, including threats to human life.

The group is known for carrying out extensive research on its targets, learning how to impersonate victims, and mimicking their specific style of speech to appear more convincing on phone calls.

Helpdesk staff have been targeted in the past by an Octo Tempest member attempting to pass themselves off as a new employee to achieve goals such as being legitimately onboarded to the organization's IT systems.


The same method was used to initiate MFA changes and employee password resets, which are also carried out through the group's SIM-swapping attacks on occasion.

After gaining initial access, Octo Tempest often engages in discovery missions to gather as much information about a company as possible, including employee onboarding processes, password policies, and remote access methods.

Defenders can look out for PingCastle and ADRecon activity, tools the group uses to analyze an organization's Active Directory, as possible signals of Octo Tempest activity. Govmomi and Pure Storage FlashArray are used to enumerate vCenter APIs and storage arrays respectively. The group often attempts to siphon data from Azure Active Directory related to users, groups, and devices.

It then turns to privilege escalation methods that often hinge on social engineering too, such as convincing a helpdesk staffer to reset a password, or SIM-swapping attacks to take over employee accounts.

Open source tooling like Mimikatz, Hekatomb, MicroBurst, Jercretz, TruffleHog, and more is used for a variety of tasks, including the theft of secrets.

This tooling is often allowed to run because the group has compromised accounts belonging to the target organization's security team. The criminals then disable security products and reconfigure mailboxes to delete the associated email alerts, use the privileged accounts to steal data that's later used to extort the victim, install remote monitoring software, and achieve persistence.
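The discovery tooling and the alert-suppressing mailbox changes described above are two signals a defender can correlate. The following is an added example, not code from Microsoft's report: it matches the tool names the article lists against constructed process and mailbox-audit events (the event schema, user names and timestamps are invented for illustration) and escalates when recon tooling and an alert-deleting inbox rule appear for the same account within a short window.

```python
# Added example (not from the Microsoft report): flag the recon tools and alert-deleting
# mailbox rules the article names in constructed telemetry, escalating when both co-occur.
from collections import defaultdict
from datetime import datetime

RECON_TOOLS = {"pingcastle", "adrecon", "govmomi", "mimikatz", "hekatomb",
               "microburst", "jercretz", "trufflehog"}

# Constructed sample events (schema, users, hosts and times are invented)
EVENTS = [
    {"ts": "2023-10-25T09:02:11", "user": "sec-analyst1", "type": "process",
     "image": "C:\\Tools\\PingCastle.exe"},
    {"ts": "2023-10-25T09:14:40", "user": "sec-analyst1", "type": "process",
     "image": "C:\\Temp\\ADRecon.ps1"},
    {"ts": "2023-10-25T09:31:05", "user": "sec-analyst1", "type": "mailbox_rule",
     "rule_actions": ["DeleteMessage"], "subject_contains": ["Security alert"]},
    {"ts": "2023-10-25T13:00:00", "user": "helpdesk2", "type": "process",
     "image": "C:\\Windows\\notepad.exe"},
]

def classify(event):
    """Label one event by file stem or rule shape; None when nothing matches."""
    if event["type"] == "process":
        stem = event["image"].replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
        if stem.lower() in RECON_TOOLS:
            return "recon-tool:" + stem.lower()
    elif event["type"] == "mailbox_rule":
        # A rule that silently deletes security mail is the alert-suppression step
        if "DeleteMessage" in event["rule_actions"] and any(
                "alert" in s.lower() for s in event["subject_contains"]):
            return "alert-suppressing-rule"
    return None

def correlate(events, window_hours=2):
    """Per user: 'critical' when recon tooling and alert suppression co-occur."""
    hits = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["user"]].append((datetime.fromisoformat(ev["ts"]), label))
    verdicts = {}
    for user, found in hits.items():
        found.sort()
        labels = sorted({label for _, label in found})
        span = (found[-1][0] - found[0][0]).total_seconds() / 3600
        recon = any(l.startswith("recon-tool:") for l in labels)
        critical = recon and "alert-suppressing-rule" in labels and span <= window_hours
        verdicts[user] = {"severity": "critical" if critical else "medium", "labels": labels}
    return verdicts
```

In a real deployment the stem list would be fed from the report's full tool inventory and the events from process-creation and mailbox-audit feeds rather than inline literals.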

The full list of tooling Octo Tempest uses against its victims is detailed extensively in Microsoft's report on the group, including its "unorthodox" tips for proactive threat hunting and configurations for Azure and Entra ID.

As well as educating their workforce on the sophisticated and diverse threat Octo Tempest presents, organizations were also advised that their usual communication channels may not be safe and that out-of-band channels should be considered, wherever possible.

The big three workplace collaboration platforms – Slack, Teams, and Zoom – have all been compromised by the group before to steal incident response plans from calls, as well as general chat logs, which are then fed into tools like Otter for transcription and later used in extortion efforts.

Extra attention should be paid to legitimate remote monitoring tools as these are often abused by the attackers, Microsoft said. While it may not be feasible to block these because they are needed for their intended use, the purpose for which they're being used should be monitored carefully to avoid the attackers achieving persistence on systems. ®