October 27, 2023 at 09:15AM
Microsoft has released a report on Octo Tempest, a dangerous financial criminal group. The group, which primarily targets English-speaking organizations, is skilled in SMS phishing, SIM swapping, and advanced social engineering. Originally focused on data extortion, Octo Tempest has now expanded to full-scale ransomware attacks. The group uses various tactics, including social engineering, intelligence gathering, and privilege escalation. Organizations are advised to educate their workforce, use secure communication channels, and monitor the use of remote monitoring tools.
Key takeaways from the report:
1. Microsoft has identified a cybercrime group called Octo Tempest as one of the most dangerous financial criminal groups operating currently. This group has rapidly evolved over the past year and possesses unique capabilities such as SMS phishing, SIM swapping, and advanced social engineering.
2. Octo Tempest recently joined the affiliate program of prominent ransomware outfit ALPHV/BlackCat, which is notable as Eastern European ransomware groups typically do not collaborate with native English-speaking criminals.
3. Initially, Octo Tempest focused on data extortion tactics but has since expanded into full-scale ransomware attacks, specifically targeting VMware ESXi Servers, similar to the attacks on MGM Resorts.
4. Octo Tempest is known by various names across different security companies, such as Crowdstrike’s Scattered Spider. While Microsoft has not directly linked Octo Tempest to the MGM attacks, the group has claimed responsibility for them.
5. The group’s tactics involve social engineering, targeting employees and helpdesk staff of organizations. They have been successful in convincing employees to download legitimate remote monitoring tools that are then misused for launching attacks. They also coerce employees into visiting malicious login portals in order to steal credentials and multi-factor authentication session cookies.
6. Octo Tempest conducts extensive research on their targets, learning how to impersonate victims and mimic their specific style of speech to appear more convincing during phone calls.
7. After gaining initial access, Octo Tempest conducts discovery missions to gather detailed information about the target organization, including onboarding processes, password policies, and remote access methods.
8. The group utilizes open-source tools such as Mimikatz, Hekatomb, MicroBurst, Jercretz, TruffleHog, and more for various tasks, including stealing secrets. They compromise security team accounts to disable security products, steal data, install remote monitoring software, and maintain persistence.
9. Octo Tempest has compromised workplace collaboration platforms like Slack, Teams, and Zoom to steal incident response plans and general chat logs for later use in extortion efforts.
10. Organizations are advised to educate their workforce about Octo Tempest’s techniques, consider using out-of-band communication channels, monitor the use of legitimate remote monitoring tools, and pay extra attention to securing workplace collaboration platforms.
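One way to act on the advice in item 10, as an added example that is not from Microsoft's report or this post: a small Python check over constructed process-creation log lines that flags launches of remote monitoring tools not covered by a sanctioned tool/account list, and notes when the binary runs from a user-writable path. The tool names, the sanctioned pairs and the log line format are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed executable names of common remote monitoring tools; the report names none.
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe", "teamviewer.exe", "atera.exe"}
# Assumed (tool, account) pairs the organisation has actually sanctioned.
SANCTIONED = {("teamviewer.exe", "it-helpdesk")}

# Constructed sample log lines (Sysmon-style process creation, simplified).
SAMPLE_LOGS = [
    "2023-10-27T09:15:02Z host=WS-0142 user=jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe",
    "2023-10-27T09:16:10Z host=WS-0142 user=jdoe image=C:\\Windows\\System32\\svchost.exe",
    "2023-10-27T09:20:44Z host=HD-07 user=it-helpdesk image=C:\\Program Files\\TeamViewer\\TeamViewer.exe",
    "2023-10-27T09:31:05Z host=WS-0201 user=asmith image=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
]

LOG_RE = re.compile(r"host=(\S+) user=(\S+) image=(.+?)\s*$")


@dataclass
class Alert:
    host: str
    user: str
    image: str   # lower-cased executable name
    reason: str


def detect_rmm(lines):
    """Return one Alert per RMM launch that is not on the sanctioned list."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a process-creation record we understand
        host, user, image = m.groups()
        path = image.replace("\\", "/").lower()
        name = path.rsplit("/", 1)[-1]
        if name not in RMM_BINARIES:
            continue
        if (name, user.lower()) in SANCTIONED:
            continue  # approved tool run by the approved account
        reason = "unsanctioned RMM tool"
        # Social-engineered installs typically land in the user's own profile, not Program Files.
        if "/users/" in path or "/appdata/" in path:
            reason += " launched from user-writable path"
        alerts.append(Alert(host, user, name, reason))
    return alerts


if __name__ == "__main__":
    for a in detect_rmm(SAMPLE_LOGS):
        print(f"{a.host} {a.user} {a.image}: {a.reason}")
```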