October 26, 2023 at 07:11PM
Octo Tempest is a threat actor group tracked by Microsoft that specializes in data extortion and ransomware attacks. Its tactics have evolved over time; it targets organizations across many sectors and now partners with the ALPHV/BlackCat ransomware group. The group relies on advanced social engineering, phishing, and other methods to gain initial access, and on techniques such as password resets, call forwarding, and compromising security personnel accounts to advance its intrusions. Detecting its activity is difficult because of its diverse tooling and living-off-the-land techniques. Octo Tempest is financially motivated, seeking to steal cryptocurrency, extort payment for stolen data, or encrypt systems for ransom.
Takeaways from the meeting notes:
– Microsoft has identified a threat actor called Octo Tempest that primarily carries out data extortion and ransomware attacks against companies.
– Octo Tempest’s attacks have evolved over time, starting with account theft and SIM swaps, then moving to phishing, social engineering, and data theft.
– The threat actor has recently become an affiliate of the ALPHV/BlackCat ransomware group and deploys both Windows and Linux ransomware payloads.
– Octo Tempest uses advanced social engineering techniques and physical threats to obtain account logins and advance their attacks.
– The group targets organizations in various sectors, including gaming, hospitality, retail, manufacturing, technology, and financial services.
– Octo Tempest is a well-organized group with members who have extensive technical knowledge.
– The threat actor gains initial access through social engineering targeting technical administrators with enough permissions to further the attack.
– They use various methods for initial access, including remote monitoring software, phishing sites, buying credentials, and SMS phishing.
– Once inside the network, Octo Tempest conducts reconnaissance, escalates privileges, and looks for additional credentials to expand their reach.
– They use tools like Jercretz and TruffleHog to search for plaintext keys, secrets, and passwords across code repositories.
– Octo Tempest targets security personnel accounts to disable security products and features and hide their presence on the network.
– They use a range of open-source tools and cloud-native techniques for persistence and access, including Azure virtual machines, added MFA methods, and tunneling tools.
– The threat actor employs Azure Data Factory and legitimate Microsoft 365 backup solutions to move stolen data to their servers.
– Detecting Octo Tempest in an environment is challenging due to their use of social engineering, living-off-the-land techniques, and diverse tooling.
– Monitoring and reviewing identity-related processes, Azure environments, and endpoints can help in detecting malicious activity.
– Octo Tempest is financially motivated and achieves their goals through stealing cryptocurrency, data-theft extortion, or encrypting systems and demanding ransom.
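The monitoring takeaway above is easier to act on when the identity, endpoint, and Azure events it names are correlated per identity rather than reviewed one at a time. The following Python is an added example, not code from Microsoft or from the original post: it runs a simple chain detector over constructed JSON-lines audit events covering the behaviours the summary lists (an admin password reset, a newly added MFA method, a disabled security product, a new Azure virtual machine, and Azure Data Factory use). The field names, operation names, and sample log lines are assumptions made for this example and do not reproduce the real Microsoft Entra or Azure activity-log schema.

```python
"""Correlate identity, endpoint and Azure audit events per identity and
raise an alert when several Octo Tempest-style stages occur close together.
All log lines, field names and operation names are constructed for this
example; map them to your own log schema before use."""
import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines). Field names are assumptions.
SAMPLE_LOG = """
{"ts":"2023-10-26T18:01:00Z","actor":"helpdesk1","target":"admin.jane","op":"PasswordReset","src":"identity"}
{"ts":"2023-10-26T18:03:00Z","actor":"admin.jane","target":"admin.jane","op":"MfaMethodAdded","src":"identity"}
{"ts":"2023-10-26T18:05:00Z","actor":"admin.jane","target":"edr-policy","op":"SecurityProductDisabled","src":"endpoint"}
{"ts":"2023-10-26T18:20:00Z","actor":"admin.jane","target":"vm-jumpbox","op":"VirtualMachineCreated","src":"azure"}
{"ts":"2023-10-26T18:45:00Z","actor":"admin.jane","target":"adf-export","op":"DataFactoryPipelineCreated","src":"azure"}
{"ts":"2023-10-26T09:00:00Z","actor":"bob","target":"bob","op":"MfaMethodAdded","src":"identity"}
"""

# Operation -> (stage, weight). A single event is routine; the combination
# of stages within a short window is what the summary describes.
SUSPICIOUS_OPS = {
    "PasswordReset": ("identity", 2),
    "MfaMethodAdded": ("identity", 2),
    "SecurityProductDisabled": ("endpoint", 3),
    "VirtualMachineCreated": ("azure", 2),
    "DataFactoryPipelineCreated": ("azure", 3),
}


def parse_events(text):
    """Parse JSON lines, attach a datetime, and pick the identity each event
    should be attributed to (the reset target, or otherwise the actor)."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        # A password reset acts ON the target account; every other action is
        # performed BY the actor, so both end up keyed to the same identity.
        event["subject"] = event["target"] if event["op"] == "PasswordReset" else event["actor"]
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_chains(events, window=timedelta(hours=2), min_score=6):
    """Return {identity: alert} for identities whose suspicious events within
    `window` span at least two stages and reach `min_score` in total weight."""
    by_subject = {}
    for event in events:
        if event["op"] in SUSPICIOUS_OPS:
            by_subject.setdefault(event["subject"], []).append(event)

    alerts = {}
    for subject, evs in by_subject.items():
        for i, start in enumerate(evs):
            chain = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            stages = {SUSPICIOUS_OPS[e["op"]][0] for e in chain}
            score = sum(SUSPICIOUS_OPS[e["op"]][1] for e in chain)
            if score >= min_score and len(stages) >= 2:
                previous = alerts.get(subject)
                if previous is None or score > previous["score"]:
                    alerts[subject] = {
                        "score": score,
                        "stages": sorted(stages),
                        "ops": [e["op"] for e in chain],
                        "start": start["ts"].isoformat(),
                    }
    return alerts


if __name__ == "__main__":
    for subject, alert in find_chains(parse_events(SAMPLE_LOG)).items():
        print(f"{subject}: score={alert['score']} stages={alert['stages']} "
              f"from {alert['start']}: {' -> '.join(alert['ops'])}")
```

On the constructed sample, `admin.jane` is flagged because a help-desk password reset, a new MFA method, a disabled security product, a new VM and a Data Factory pipeline all fall within two hours, while `bob`, who only added an MFA method, is not. The weights and window are starting points to tune against your own baseline of help-desk and cloud-admin activity.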