Microsoft: Scattered Spider Widens Web With RansomHub & Qilin


July 16, 2024 at 05:27PM

Microsoft’s Threat Intelligence team warns that Octo Tempest, also known as Scattered Spider, has added the RansomHub and Qilin ransomware payloads to its attack arsenal. The threat actor relies on sophisticated social engineering and identity compromise, and it targets VMware ESXi servers. Notably, it was behind the major ransomware attacks on Caesars Entertainment and MGM Resorts. The group’s tactics include phishing and MFA bombing.

Microsoft’s Threat Intelligence team has raised a warning that the threat actor tracked as Octo Tempest, or Scattered Spider, has expanded its toolset with RansomHub and Qilin ransomware for use in its attacks.

Octo Tempest has a history of sophisticated social engineering and identity compromise, of targeting VMware ESXi servers, and of deploying BlackCat (ALPHV) ransomware. Notably, the group was behind the large-scale ransomware attacks on Caesars Entertainment and MGM Resorts.

The group’s tactics, techniques, and procedures (TTPs) include impersonating IT employees, phishing, MFA bombing (push fatigue), SIM swapping, and establishing persistence with legitimate remote access tools. Qilin ransomware, previously known as “Agenda,” rebranded in 2022 and has targeted over 130 companies, demanding ransoms ranging from $25,000 to millions of dollars. The Qilin operation has also been developing a customizable Linux encryptor that targets VMware ESXi servers.
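The MFA bombing technique listed above leaves a recognizable trace in identity-provider logs: a burst of denied or unanswered push challenges for one account, sometimes followed by an approval once the user gives in. The following detection logic is an added example written for this page, not code from Microsoft or from the article; the events are constructed, and the field names (user, eventType, result, ip, published) only loosely imitate an Okta System Log export and are an assumption, not any vendor’s schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real telemetry). Field names are an assumption
# loosely modelled on Okta System Log entries; adapt to your IdP's export.
SAMPLE_EVENTS = [
    # alice: four denied pushes in under six minutes, then an approval (fatigue win)
    {"published": "2024-07-15T02:14:01Z", "user": "alice@example.com",
     "eventType": "user.mfa.okta_verify.deny_push", "result": "FAILURE", "ip": "203.0.113.7"},
    {"published": "2024-07-15T02:15:30Z", "user": "alice@example.com",
     "eventType": "user.mfa.okta_verify.deny_push", "result": "FAILURE", "ip": "203.0.113.7"},
    {"published": "2024-07-15T02:17:02Z", "user": "alice@example.com",
     "eventType": "user.mfa.okta_verify.deny_push", "result": "FAILURE", "ip": "203.0.113.7"},
    {"published": "2024-07-15T02:19:45Z", "user": "alice@example.com",
     "eventType": "user.mfa.okta_verify.deny_push", "result": "FAILURE", "ip": "203.0.113.7"},
    {"published": "2024-07-15T02:20:10Z", "user": "alice@example.com",
     "eventType": "user.authentication.auth_via_mfa", "result": "SUCCESS", "ip": "203.0.113.7"},
    # bob: a single mis-tap followed by a normal approval (benign)
    {"published": "2024-07-15T09:00:00Z", "user": "bob@example.com",
     "eventType": "user.mfa.okta_verify.deny_push", "result": "FAILURE", "ip": "198.51.100.4"},
    {"published": "2024-07-15T09:00:40Z", "user": "bob@example.com",
     "eventType": "user.authentication.auth_via_mfa", "result": "SUCCESS", "ip": "198.51.100.4"},
    # carol: three denies spread over two hours (below the burst threshold)
    {"published": "2024-07-15T10:00:00Z", "user": "carol@example.com",
     "eventType": "user.mfa.okta_verify.deny_push", "result": "FAILURE", "ip": "192.0.2.9"},
    {"published": "2024-07-15T11:00:00Z", "user": "carol@example.com",
     "eventType": "user.mfa.okta_verify.deny_push", "result": "FAILURE", "ip": "192.0.2.9"},
    {"published": "2024-07-15T12:00:00Z", "user": "carol@example.com",
     "eventType": "user.mfa.okta_verify.deny_push", "result": "FAILURE", "ip": "192.0.2.9"},
]

# Event types that count as a rejected/unanswered push and as a completed MFA login.
DENY_EVENTS = {"user.mfa.okta_verify.deny_push"}
SUCCESS_EVENTS = {"user.authentication.auth_via_mfa"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_bombing(events, threshold=3, window=timedelta(minutes=10),
                       success_grace=timedelta(minutes=15)):
    """Flag users with >= threshold denied pushes inside a sliding window.

    Severity is raised to 'high' when a successful MFA login follows the burst
    within success_grace, since that is the sign the victim gave in.
    Returns one alert per user describing the densest burst found.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append((parse_ts(event["published"]), event))

    alerts = []
    for user, items in by_user.items():
        items.sort(key=lambda pair: pair[0])
        denies = [ts for ts, ev in items if ev["eventType"] in DENY_EVENTS]
        successes = [ts for ts, ev in items if ev["eventType"] in SUCCESS_EVENTS]

        best = None  # (count, burst_start, burst_end)
        start = 0
        for end in range(len(denies)):
            # Advance the window start until the span fits inside `window`.
            while denies[end] - denies[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, denies[start], denies[end])

        if best is None:
            continue
        count, burst_start, burst_end = best
        followed = any(burst_end <= s <= burst_end + success_grace for s in successes)
        alerts.append({
            "user": user,
            "denied_pushes": count,
            "burst_start": burst_start.isoformat(),
            "burst_end": burst_end.isoformat(),
            "followed_by_success": followed,
            "severity": "high" if followed else "medium",
        })
    return sorted(alerts, key=lambda a: a["burst_start"])


if __name__ == "__main__":
    for alert in detect_mfa_bombing(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints a single high-severity alert for alice; bob’s single mis-tap and carol’s slow trickle of denials stay below the threshold. In production, tune `threshold` and `window` to your own false-positive rate, and pair this rule with alerts on MFA factor resets and enrolments, because the help-desk impersonation also listed above often bypasses the push prompt entirely by having a new factor registered for the attacker.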

RansomHub, on the other hand, is a ransomware-as-a-service (RaaS) offering that has gained popularity among threat actors and has become one of the most commonly seen ransomware families today.

Octo Tempest’s activities have driven a significant number of investigations and incident response engagements for the Microsoft team, particularly through its “0ktapus” phishing campaign, which targeted over 130 well-known organizations.

