The financially motivated hacking group Octo Tempest, responsible for attacking MGM Resorts International and Caesars Entertainment in September, has been branded "one of the most dangerous financial criminal groups" by Microsoft's Incident Response and Threat Intelligence team.
The group, also known as 0ktapus, Scattered Spider, and UNC3944, has been active since early 2022, initially targeting telecom and outsourcing companies with SIM swap attacks.
It later shifted to extortion using stolen data, and by mid-2023 the group had partnered with ALPHV/BlackCat ransomware, initially leveraging the ALPHV Collections leak site and later deploying the ransomware itself, focusing on VMware ESXi servers.
Microsoft's in-depth post on the group and its extensive range of tactics, techniques, and procedures (TTPs) details the evolution of Octo Tempest and the fluidity of its operations.
"In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data," the report notes. "Octo Tempest leverages tradecraft that many organizations don't have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques."
The Multi-Armed 0ktapus Cybercrime Playbook
The group gains initial access through advanced social engineering techniques, often targeting employees with access to network permissions, including support and help desk personnel.
The attackers call these individuals and attempt to persuade them to reset user passwords, change or add authentication tokens, or install a remote monitoring and management (RMM) utility.
The group isn't above leveraging personal information, such as home addresses and family names, and even making physical threats, to coerce victims into sharing corporate access credentials.
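A help-desk password reset, a new MFA method and an RMM install are each routine on their own, which is why the technique above works; the defender's signal is the sequence on a single account. The following added example (not Microsoft's or the article's code) correlates those three event types over a constructed, simplified audit-log schema, which is an assumption of this example rather than any product's real log format, and flags a third-party reset followed within two hours by an MFA or software change on the same account:

```python
"""Flag help-desk account recoveries quickly followed by MFA or remote-tool changes.

Added example; the event schema is an assumed, simplified one constructed for
illustration. Map your own identity and endpoint audit logs onto it.
"""
from datetime import datetime, timedelta

# Constructed sample events. "actor" is who performed the action, "user" the
# account it was performed on; timestamps are ISO 8601.
EVENTS = [
    {"ts": "2023-09-10T09:02:00", "user": "j.doe", "actor": "helpdesk.op1", "type": "password_reset"},
    {"ts": "2023-09-10T09:06:00", "user": "j.doe", "actor": "j.doe", "type": "mfa_method_added"},
    {"ts": "2023-09-10T09:20:00", "user": "j.doe", "actor": "j.doe", "type": "software_install",
     "detail": "remote-management-agent"},
    {"ts": "2023-09-10T11:00:00", "user": "a.lee", "actor": "helpdesk.op1", "type": "password_reset"},
    {"ts": "2023-09-12T08:00:00", "user": "a.lee", "actor": "a.lee", "type": "mfa_method_added"},
    {"ts": "2023-09-10T12:00:00", "user": "m.kim", "actor": "m.kim", "type": "password_reset"},
    {"ts": "2023-09-10T12:05:00", "user": "m.kim", "actor": "m.kim", "type": "mfa_method_added"},
]

# Follow-on actions an intruder needs once a help-desk reset hands over the account.
FOLLOW_ON = {"mfa_method_added", "software_install"}
WINDOW = timedelta(hours=2)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_recoveries(events, window=WINDOW):
    """Return one finding per help-desk reset that is followed within `window` by an
    MFA method addition or a software install on the same account.

    Self-service resets (actor == user) are ignored: the tradecraft in question is a
    third party being talked into resetting the account on the user's behalf.
    Each finding is (user, reset_ts, sorted follow-on types, score), where score is
    the number of distinct follow-on types seen (2 = both MFA and tool changes).
    """
    ordered = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(ordered):
        if ev["type"] != "password_reset" or ev["actor"] == ev["user"]:
            continue
        t0 = _ts(ev)
        seen = {e["type"] for e in ordered[i + 1:]
                if e["user"] == ev["user"] and e["type"] in FOLLOW_ON and _ts(e) - t0 <= window}
        if seen:
            findings.append((ev["user"], ev["ts"], sorted(seen), len(seen)))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_recoveries(EVENTS):
        print(finding)
```

Only j.doe is flagged: a.lee's MFA change comes two days after the reset and m.kim's reset was self-service.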
During the initial stages of the attacks, Octo Tempest conducts extensive reconnaissance, which includes gathering data on users, groups, and device information, and exploring network architecture, employee onboarding, and password policies.
The group uses tools including PingCastle and ADRecon for Active Directory reconnaissance, and the PureStorage FlashArray PowerShell SDK for enumerating storage arrays.
They reach deep into multi-cloud environments, code repositories, and server infrastructure, aiming to validate access and plan footholds for subsequent attack phases, a process that helps the group escalate their activities within targeted environments.
Partnering With Russians: Unprecedented Fusion of Tactics, Tools
Callie Guenther, senior manager of cyber threat research at Critical Start, says English-speaking Octo Tempest's affiliation with the Russian-speaking BlackCat group signifies an "unprecedented fusion" of resources, technical tools, and sophisticated ransomware tactics.
"Historically, the distinct boundaries maintained between Eastern European and English-speaking cybercriminals provided some semblance of regional demarcation," she explains. "Now, this alliance allows Octo Tempest to operate on a wider canvas, both geographically and in terms of potential targets."
She notes that the convergence of Eastern European cyber expertise with the linguistic and cultural nuances of English-speaking affiliates enhances the localization and efficacy of their attacks.
From her perspective, the multifaceted approach Octo Tempest employs is particularly alarming.
"Beyond their technical prowess, they've mastered the art of social engineering, adapting their tactics to impersonate and blend seamlessly into targeted organizations," she says. "This, combined with their alignment with the formidable BlackCat ransomware group, amplifies their threat manifold."
She notes the real concern emerges when one realizes they've diversified from specific industries to a broader spectrum and are now unafraid to resort to outright physical threats, showcasing a concerning escalation in cybercriminal tactics.
Tony Goulding, cybersecurity evangelist at Delinea, agrees the combination of sophisticated techniques, broad scope of industries targeted, and their aggressive approach — even resorting to physical threats — are the most dangerous aspects of the group.
"Organizations should be very concerned," he explains. "Being native English speakers, they can more effectively launch wide-ranging social engineering campaigns compared to BlackCat."
He says this is particularly useful when using idiolect techniques to convincingly impersonate employees during phone calls.
"Proficiency in English also helps them craft more convincing phishing messages for their signature SMS phishing and SIM swapping techniques," he adds.
Defense In-Depth
Guenther says defending against Octo Tempest's financial pursuits involves a series of proactive and reactive measures, adhering to the principle of least privilege to ensure restricted access.
"Cryptocurrencies should be stored in offline cold wallets to minimize online exposure," she advises. "Continuous system updates and anti-ransomware solutions can thwart most ransomware deployments."
Advanced network monitoring can detect anomalous data flows, indicative of potential data exfiltration attempts.
"In case of breaches or attacks, an established incident response strategy can guide immediate actions," she adds. "Collaborative threat intelligence sharing with industry peers can also keep organizations abreast of emerging threats and countermeasures."
Goulding points out that education, awareness training, and technical controls that vault privileged accounts and protect access workstations and servers are key.
"Putting obstacles in the path of threat actors all along the attack chain, to divert them from their playbook and generate noise, is super important for early detection," he says. "The more advanced and proficient the attack group, the better prepared they will be, so investing in the best tools that include modern capabilities is your best bet."