A new report from the Microsoft Incident Response and Microsoft Threat Intelligence teams uncovered the activities and constant evolution of a financially motivated threat actor named Octo Tempest, which deploys advanced social engineering techniques to target companies, steal data and run ransomware campaigns.
Octo Tempest’s tactics, techniques and procedures
The threat actor deploys a variety of tactics, techniques and procedures to conduct its operations successfully.
Initial access
Octo Tempest commonly leverages social engineering attacks targeting people within companies who have access to more data than the average user, such as technical administrators, support staff or help desks. The group has been observed impersonating new employees in these attacks to blend into on-hire processes, according to Microsoft.
Using its social engineering skills, the group might call employees and trick them into installing a remote monitoring and management (RMM) tool, or into browsing a phishing site running an adversary-in-the-middle (AitM) toolkit that relays the login to the real identity provider, bypasses two-factor authentication and removes their FIDO2 token.
The group might also use smishing, sending SMS messages containing a phishing link that leads employees to a fake login page with an AitM toolkit, or initiate a SIM swap attack on employees’ phone numbers so that, once in control of the number, it can reset their passwords.
In addition, Octo Tempest purchases valid credentials and session cookies for target companies directly on cybercriminal underground marketplaces.
In rare instances, the group has made very aggressive physical threats against employees by phone call and SMS, using their personal information such as their home address or family members’ names, the goal being to obtain the victims’ credentials for corporate access.
Reconnaissance and discovery
Once a system is accessed, Octo Tempest runs various enumeration and information gathering activities. This data enables the threat actor to understand the organization better, export a list of users and groups, collect device information, and facilitate further compromise and possible abuse of legitimate channels for other malicious activities.
Octo Tempest also tries to collect documents related to network architecture, remote access methods, password policies, credential vaults and employee onboarding.
The group explores the whole internal environment of the targeted organization, validates access, and enumerates databases and storage containers. It has been observed using PingCastle and ADRecon to perform reconnaissance of Active Directory, Govmomi to enumerate vCenter APIs, the Pure Storage FlashArray PowerShell module to enumerate storage arrays, and Advanced IP Scanner to probe internal networks.
Additional credentials and privileges
To elevate its privileges within the corporate environment, Octo Tempest might call the help desk and social engineer the person answering the call into believing they are talking to an administrator who needs their password reset, their MFA token changed, or another MFA token (one the attacker owns) added.
In some cases, the group bypassed password reset procedures by using a compromised manager’s account to approve the requests.
The threat actor constantly tries to collect more credentials and uses open-source tools such as TruffleHog to identify plaintext keys, secrets or credentials within code repositories. Octo Tempest also uses credential dumpers such as Mimikatz or LaZagne.
Defense evasion
Octo Tempest accesses IT staff accounts to turn off security products and features to avoid detection. The threat actor leverages endpoint detection and response (EDR) and device management technologies to allow the use of malicious tools, deploy additional software or steal data.
While many threat actors disable security measures on a compromised system, Octo Tempest goes one step further by modifying the mailbox rules of security staff to automatically delete emails from security vendors that might alert the staff.
Who is Octo Tempest?
Octo Tempest is a financially motivated threat actor whose members are native English speakers. The group also goes by the names 0ktapus, Scattered Spider, Scatter Swine and UNC3944.
The threat actor was initially observed in 2022, targeting mobile telecommunication companies and business process outsourcing organizations to initiate SIM swaps, which it monetized by selling them to other criminals and by performing cryptocurrency theft from affluent individuals.
Since then, Octo Tempest has constantly evolved (Figure A) and aggressively increased its activities to target cable telcos, email and technology organizations. The threat actor launched extortion operations on data stolen during the compromise of those companies.
Figure A

The group also ran large phishing campaigns targeting Okta identity credentials, which it used for subsequent supply chain attacks. Successful attacks on Twilio and Mailchimp, for example, could be attributed to the group.
Octo Tempest then became an affiliate of the ALPHV/BlackCat ransomware, a surprising move given that Eastern European ransomware groups typically refuse English-speaking affiliates. The group targeted a wider range of companies, including hospitality, consumer products, retail, manufacturing, gaming, natural resources, law, tech and financial services.
Microsoft noted the group is highly skilled: “In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data. Octo Tempest leverages tradecraft that many organizations don’t have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques.”
How to protect against the Octo Tempest threat actor
Roger Grimes, data-driven defense evangelist at KnowBe4, commented in a statement TechRepublic received via email:
“These are examples of highly sophisticated attacks across the spectrum of possible attacks and motives. Every organization must create its best defense-in-depth cyber defense plan using the best combination of policies, technical defenses, and education, to best mitigate the risk of these attacks. The methods and sophistication of these attacks need to be shared with employees. They need lots of examples. Employees need to be able to recognize the various cyber attack methods and be taught how to recognize, mitigate, and appropriately report them. We know that 50% to 90% involve social engineering and 20% to 40% involve unpatched software and firmware, so whatever an organization can do to best fight these two attack methods is where they should probably start.”
Microsoft provided an extensive list of recommendations, which include:
- Identity management should be carefully monitored, with any change analyzed closely; in particular, administrative changes and newly registered MFA methods must be checked.
- EDR modifications, especially new exclusions, must be carefully examined. Recent installations of remote management tools must be scrutinized.
- Phishing-resistant multifactor authentication such as FIDO2 security keys should be deployed for administrators and all privileged users.
- Every employee should be educated about cybersecurity, especially phishing techniques and social engineering, regularly and with varied security awareness campaigns.
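The behaviours described in the reconnaissance and defense evasion sections map directly onto the monitoring recommendations above. The following is an added example, not code from Microsoft's report or from the article, of a small hunting script that runs four checks over audit records: inbox rules that silently discard mail from security-related senders, a new MFA method registered on a privileged account, a new EDR exclusion, and launches of the RMM and reconnaissance tools named in the text. The records are constructed for the example and only loosely modelled on the shape of Microsoft 365 audit events (the Exchange cmdlet names are real, the other record shapes, the vendor keyword list, the tool lists and the privileged-user set are assumptions for illustration).

```python
from typing import Optional

# Illustrative keyword lists and the privileged-user set are assumptions for this
# example, not a catalogue taken from the report; tune them to your environment.
SECURITY_MAIL_HINTS = ("defender", "security", "crowdstrike", "sentinelone", "okta", "alert")
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe", "atera.exe"}
RECON_TOOLS = {"pingcastle.exe", "adrecon.ps1", "advanced_ip_scanner.exe"}
DROP_FOLDERS = {"deleted items", "junk email", "rss feeds"}
PRIVILEGED_USERS = {"admin@example.com", "soc-analyst@example.com"}

# Constructed sample records (not real telemetry). Exchange entries use the real
# cmdlet names and a Name/Value Parameters list; the other shapes are simplified.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "soc-analyst@example.com",
     "Parameters": [{"Name": "From", "Value": "alerts@defender.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Promotions"}]},
    {"Operation": "User registered security info", "UserId": "admin@example.com",
     "Detail": "User registered Authenticator App with Notification and Code"},
    {"Operation": "User registered security info", "UserId": "bob@example.com",
     "Detail": "User registered Authenticator App with Notification and Code"},
    {"Operation": "DefenderConfigChange", "UserId": "it-helpdesk@example.com",
     "Setting": "ExclusionPath", "Value": "C:\\Tools\\"},
    {"Operation": "ProcessCreated", "UserId": "alice@example.com",
     "Image": "C:\\Users\\alice\\Downloads\\AnyDesk.exe"},
    {"Operation": "ProcessCreated", "UserId": "alice@example.com",
     "Image": "C:\\Users\\alice\\Downloads\\PingCastle.exe"},
    {"Operation": "ProcessCreated", "UserId": "alice@example.com",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]


def _params(rec: dict) -> dict:
    """Flatten an Exchange-style Name/Value parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}


def check_inbox_rule(rec: dict) -> Optional[str]:
    """Flag inbox rules that delete or bury mail matching security-related senders."""
    if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = _params(rec)
    hides = (p.get("DeleteMessage", "").lower() == "true"
             or p.get("MoveToFolder", "").lower() in DROP_FOLDERS)
    matched = " ".join(v.lower() for k, v in p.items()
                       if k in ("From", "FromAddressContainsWords",
                                "SubjectContainsWords", "BodyContainsWords"))
    if hides and any(h in matched for h in SECURITY_MAIL_HINTS):
        return f"inbox rule on {rec['UserId']} hides mail matching '{matched}'"
    return None


def check_mfa_registration(rec: dict) -> Optional[str]:
    """Flag a new authentication method registered on a privileged account."""
    if rec.get("Operation") != "User registered security info":
        return None
    if rec.get("UserId") in PRIVILEGED_USERS:
        return f"new MFA method on privileged account {rec['UserId']}: {rec.get('Detail', '')}"
    return None


def check_edr_exclusion(rec: dict) -> Optional[str]:
    """Flag new EDR/AV exclusions (a simplified record shape, assumed for the example)."""
    if rec.get("Operation") == "DefenderConfigChange" and "exclusion" in rec.get("Setting", "").lower():
        return f"{rec['UserId']} added {rec['Setting']}={rec.get('Value')}"
    return None


def check_tool_launch(rec: dict) -> Optional[str]:
    """Flag launches of the RMM and AD/network reconnaissance tools named in the text."""
    if rec.get("Operation") != "ProcessCreated":
        return None
    name = rec.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in RMM_TOOLS:
        return f"RMM tool {name} started by {rec['UserId']}"
    if name in RECON_TOOLS:
        return f"recon tool {name} started by {rec['UserId']}"
    return None


CHECKS = {
    "inbox_rule_hides_security_mail": check_inbox_rule,
    "mfa_method_added_privileged": check_mfa_registration,
    "edr_exclusion_added": check_edr_exclusion,
    "suspicious_tool_launched": check_tool_launch,
}


def hunt(records: list) -> list:
    """Run every check over every record; return (rule, detail) findings in record order."""
    findings = []
    for rec in records:
        for rule, check in CHECKS.items():
            detail = check(rec)
            if detail:
                findings.append((rule, detail))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_RECORDS):
        print(f"[{rule}] {detail}")
```

Against the constructed records the script raises five findings and ignores the benign newsletter rule, the non-privileged MFA registration and the notepad launch. The inbox-rule check is deliberately broader than "delete": a rule that moves vendor alerts to Junk or RSS Feeds achieves the same suppression, so the folder list matters as much as the DeleteMessage flag.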
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.