October 26, 2023 at 06:56PM
Octo Tempest, a native English-speaking threat actor tracked by Microsoft, has evolved from selling SIM swaps and stealing cryptocurrency accounts to conducting data extortion and ransomware attacks. The group targets companies in various sectors and has partnered with the ALPHV/BlackCat ransomware group. They employ advanced social engineering techniques, physical threats, and various methods to gain initial access and escalate privileges. Octo Tempest also uses a range of tools and techniques to hide their presence and exfiltrate stolen data. Detecting their activity requires monitoring and reviewing identity-related processes, Azure environments, and endpoints. Their ultimate goal is financial gain through cryptocurrency theft, data extortion, or ransom demands.
The Microsoft report describes a threat actor known as Octo Tempest, a native English-speaking group with advanced social engineering capabilities that targets companies in data extortion and ransomware attacks. Octo Tempest's attacks have evolved over time: the group started by selling SIM swaps and stealing accounts holding cryptocurrency assets, then moved on to phishing, social engineering, and data theft. It has targeted organizations in multiple sectors, including gaming, hospitality, retail, manufacturing, technology, and financial services. In an unusual development, Octo Tempest has become an affiliate of the ALPHV/BlackCat ransomware-as-a-service operation and now steals and encrypts victim data, deploying both Windows and Linux ransomware payloads. The group has also used physical threats to obtain account logins.

Microsoft assesses Octo Tempest as a well-organized group whose members have extensive technical knowledge. Initial access usually comes through advanced social engineering aimed at the accounts of technical administrators with sufficient permissions, using methods such as installing remote monitoring and management (RMM) software, stealing logins through phishing sites, buying credentials, or SIM swapping. Once inside, Octo Tempest conducts reconnaissance, explores the infrastructure, and escalates privileges through further social engineering. The group keeps hunting for additional credentials, using tools to search for plaintext keys and passwords, and targets the accounts of security personnel in order to disable security products.

To remain hidden, Octo Tempest suppresses alerts and modifies mailbox rules. It uses multiple open-source tools, deploys Azure virtual machines for remote access, moves stolen data using Azure Data Factory, and registers legitimate Microsoft 365 backup solutions. Detecting Octo Tempest in an environment is challenging because of its reliance on social engineering and its diverse tooling, but monitoring and reviewing identity-related processes, Azure environments, and endpoints can help surface malicious activity. Octo Tempest is financially motivated and achieves its goals by stealing cryptocurrency, extorting victims over stolen data, or encrypting systems and demanding a ransom.
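The detection advice above stays at the level of "review identity processes, Azure, and endpoints". The script below is an added example, not code from the original post or from Microsoft's report: it runs three checks that correspond to behaviours the summary names (mailbox rules that hide security alerts, Azure virtual machine creation by an account not expected to build VMs, RMM installers launched on endpoints) over a handful of constructed audit events, then correlates hits per user so that one identity touching more than one of those areas stands out. The event schema and field names, the allow-list, the RMM binary name, and every account, device and resource-group name are assumptions made for the example, not real telemetry or identifiers from the page.

```python
"""Triage constructed M365/Azure/endpoint audit events for behaviours
described in the Octo Tempest summary. Added example; schema is assumed."""
import json
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names loosely mimic
# a unified audit log export but are an assumption for this example only.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "helpdesk-admin@example.test",
     "Parameters": {"SubjectContainsWords": ["security alert", "suspicious sign-in"],
                    "DeleteMessage": True}},
    {"Operation": "New-InboxRule", "UserId": "alice@example.test",
     "Parameters": {"SubjectContainsWords": ["newsletter"], "MoveToFolder": "Archive"}},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.test",
     "Parameters": {"From": "alerts@security.example.test", "MoveToFolder": "RSS Feeds"}},
    {"Operation": "Microsoft.Compute/virtualMachines/write",
     "UserId": "helpdesk-admin@example.test", "ResourceGroup": "rg-prod-core"},
    {"Operation": "Microsoft.Compute/virtualMachines/write",
     "UserId": "platform-svc@example.test", "ResourceGroup": "rg-prod-core"},
    {"Operation": "ProcessCreated", "UserId": "jdoe@example.test", "Device": "WS-1042",
     "Image": r"C:\Users\jdoe\Downloads\placeholder-rmm.exe"},
]

# Words that suggest a rule is aimed at security notifications (assumed list).
SECURITY_TERMS = ("security", "alert", "suspicious", "sign-in", "phish", "malware")
# Accounts allowed to create VMs; in practice derived from your own inventory.
APPROVED_VM_CREATORS = {"platform-svc@example.test"}
# Placeholder; fill from the RMM tools your organisation does NOT sanction.
RMM_BINARIES = {"placeholder-rmm.exe"}


def mailbox_rule_hides_alerts(event):
    """Inbox rule that matches security-related mail and deletes or files it away."""
    if event["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
        return False
    params = event["Parameters"]
    haystack = " ".join(params.get("SubjectContainsWords", []) + [params.get("From", "")]).lower()
    targets_security = any(term in haystack for term in SECURITY_TERMS)
    hides = params.get("DeleteMessage") or params.get("MoveToFolder") not in (None, "Inbox")
    return targets_security and bool(hides)


def unexpected_vm_creation(event):
    """Azure VM write by an identity outside the approved builder set."""
    return (event["Operation"] == "Microsoft.Compute/virtualMachines/write"
            and event["UserId"] not in APPROVED_VM_CREATORS)


def rmm_install(event):
    """Process start whose image name is a known RMM installer/agent."""
    if event["Operation"] != "ProcessCreated":
        return False
    return event["Image"].rsplit("\\", 1)[-1].lower() in RMM_BINARIES


CHECKS = [
    ("mailbox_rule_hides_alerts", mailbox_rule_hides_alerts),  # identity / mailbox
    ("unexpected_vm_creation", unexpected_vm_creation),        # Azure
    ("rmm_install", rmm_install),                              # endpoint
]


def triage(events):
    """Return one finding per (event, check) pair that fires."""
    findings = []
    for event in events:
        for name, check in CHECKS:
            if check(event):
                findings.append({"check": name, "user": event["UserId"],
                                 "operation": event["Operation"]})
    return findings


def users_with_multiple_indicators(findings):
    """Identities that triggered more than one distinct check: review these first."""
    per_user = defaultdict(set)
    for f in findings:
        per_user[f["user"]].add(f["check"])
    return {user for user, checks in per_user.items() if len(checks) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for finding in results:
        print(json.dumps(finding))
    print("prioritise:", sorted(users_with_multiple_indicators(results)))
```

Each check is deliberately narrow and tied to one of the three areas the summary says to review; the value comes from the per-user correlation at the end, which is where a social-engineered administrator account that both hides alerts and builds a VM becomes visible even though each event on its own looks like routine administration.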