A new report from Microsoft Incident Response and Microsoft Threat Intelligence teams exposed the activities and constant evolution of a financially oriented threat actor named Octo Tempest, who deploys advanced social engineering techniques to target companies, steal data and run ransomware campaigns.
Octo Tempest’s tactics, techniques and procedures
The threat actor deploys a variety of tactics, techniques and procedures to conduct its operations successfully.
Initial access
Octo Tempest commonly leverages social engineering attacks targeting people within companies who have access to more data than the average user, such as technical administrators, support or help desks. The group has been observed impersonating new employees in these attacks to blend into on-hire processes, according to Microsoft.
Using its social engineering skills, the group might call employees and trick them into installing a remote monitoring and management tool, or into browsing to a phishing site containing an adversary-in-the-middle (AitM) toolkit that bypasses two-factor authentication and removes their FIDO2 token.
The group might also use smishing, sending employees an SMS with a phishing link that leads to a fake login page backed by an AitM toolkit, or initiate a SIM swap attack on an employee’s phone number so that, once in control of the number, they can reset the employee’s password.
In addition, Octo Tempest purchases valid credentials and session cookies for companies directly on cybercriminals’ underground marketplaces.
In rare instances, the group has threatened employees with physical harm by phone call and SMS, using personal information such as their home address or family members’ names, with the goal of obtaining the victims’ corporate credentials.
Reconnaissance and discovery
Once a system is accessed, Octo Tempest runs various enumeration and information-gathering actions. This data lets the threat actor understand the organization, export a list of users and groups, collect device information, and plan further compromise, including the abuse of legitimate channels for other malicious actions.
Octo Tempest also tries to collect documents related to network architecture, remote access methods, password policies, credential vaults and employee onboarding.
The group explores the whole internal environment of the targeted organization, validates access, and enumerates databases and storage containers. They have been observed using PingCastle and ADRecon to perform reconnaissance of Active Directory, Govmomi to enumerate vCenter APIs, the Pure Storage FlashArray PowerShell module to enumerate storage arrays and Advanced IP Scanner to probe internal networks.
More credentials and privileges
To elevate its privileges inside the corporate environment, Octo Tempest might call the help desk and social engineer the person answering the call into believing they’re talking to an administrator who needs a password reset, a change of MFA token, or an additional MFA token that the attacker controls.
In some cases, the group bypassed password reset procedures by using a compromised manager’s account to approve requests.
The threat actor constantly tries to collect more credentials and uses open-source tools such as TruffleHog to facilitate the identification of plaintext keys and secrets or credentials inside code repositories. Octo Tempest uses credential dumpers such as Mimikatz or LaZagne.
Defense evasion
Octo Tempest accesses IT staff accounts to turn off security products and features to avoid being detected. The threat actor also leverages endpoint detection and response and device management technologies to push malicious tools, deploy additional software or steal data.
While a lot of threat actors disable security measures on a compromised system, Octo Tempest pushes it one step further by modifying the security staff mailbox rules to automatically delete emails from security vendors that might alert the staff.
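As an added defender-side example (not from Microsoft’s report or this article), here is a small check that flags the mailbox-rule behaviour described above in audit events. The event shape is modelled loosely on Exchange Online unified audit log records, and the vendor term list is a placeholder; both are assumptions.

```python
import json
# Constructed sample audit events (not a real export), shaped loosely after
# Exchange Online unified audit log records for New-InboxRule/Set-InboxRule:
# one JSON object per line, cmdlet parameters as {"Name","Value"} pairs.
SAMPLE_EVENTS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "soc-analyst@example.com",
                "Parameters": [{"Name": "Name", "Value": "cleanup"},
                               {"Name": "FromAddressContainsWords", "Value": "microsoft.com;crowdstrike.com"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "sales@example.com",
                "Parameters": [{"Name": "Name", "Value": "newsletters"},
                               {"Name": "SubjectContainsWords", "Value": "weekly digest"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "it-admin@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "security alert;suspicious sign-in"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}),
]
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Placeholder vendor/alert terms; an organisation would tune these to its own stack.
SECURITY_VENDOR_TERMS = ("microsoft", "crowdstrike", "security", "alert", "suspicious")
# Folders that hide mail almost as effectively as deleting it.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}
MATCH_FIELDS = ("FromAddressContainsWords", "SubjectContainsWords", "BodyContainsWords")

def rule_params(event):
    # Flatten the Name/Value parameter list into a dict of strings.
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}

def is_suspicious_rule(event):
    # Flag a created/changed inbox rule that hides mail matching vendor or alert terms.
    if event.get("Operation") not in RULE_OPERATIONS:
        return False
    p = rule_params(event)
    hides = (p.get("DeleteMessage", "").lower() == "true"
             or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
    if not hides:
        return False
    criteria = " ".join(p.get(f, "") for f in MATCH_FIELDS).lower()
    return any(term in criteria for term in SECURITY_VENDOR_TERMS)

def find_suspicious_rules(lines):
    # Return (user, operation, rule name) for each audit line that trips the check.
    hits = []
    for line in lines:
        event = json.loads(line)
        if is_suspicious_rule(event):
            hits.append((event.get("UserId"), event["Operation"], rule_params(event).get("Name", "")))
    return hits
```

Running `find_suspicious_rules(SAMPLE_EVENTS)` flags the two rules that silently discard vendor or alert mail and ignores the benign newsletter rule; in production the same check would run over a real audit export with a curated term list.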
Who is Octo Tempest?
Octo Tempest is a financially oriented threat actor whose members are native English speakers. The group also goes by the names 0ktapus, Scattered Spider, Scatter Swine and UNC3944.
The threat actor was initially spotted in 2022, targeting mobile telecommunication companies and business process outsourcing organizations to initiate SIM swaps, which they monetized by selling them to other criminals and by stealing cryptocurrency from affluent individuals.
Since then, Octo Tempest has constantly evolved (Figure A) and aggressively increased its activities to target cable telcos, email and technology organizations. The threat actor launched extortion operations on data stolen during the compromise of those companies.
Figure A
The group also ran large phishing campaigns targeting Okta identity credentials, which they used for subsequent supply chain attacks. Successful attacks on Twilio and Mailchimp, for example, can be attributed to the group.
Octo Tempest then became an affiliate of the ALPHV/BlackCat ransomware, a surprising move given that Eastern European ransomware groups typically refuse English-speaking affiliates. The group targeted a wider range of companies, including hospitality, consumer products, retail, manufacturing, gaming, natural resources, law, tech and financial services.
Microsoft noted the group is highly skilled: “In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data. Octo Tempest leverages tradecraft that many organizations don’t have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques.”
How to protect against the Octo Tempest threat actor
Roger Grimes, data-driven defense evangelist at KnowBe4, commented in a statement TechRepublic received via email:
“These are examples of highly sophisticated attacks across the spectrum of possible attacks and motives. Every organization must create its best defense-in-depth cyber defense plan using the best combination of policies, technical defenses, and education, to best mitigate the risk of these attacks. The methods and sophistication of these attacks must be shared with employees. They need lots of examples. Employees need to be able to recognize the various cyber attack methods and be taught how to recognize, mitigate, and appropriately report them. We know that 50% to 90% involve social engineering and 20% to 40% involve unpatched software and firmware, so whatever an organization can do to best fight those two attack methods is where they should likely start.”
Microsoft provided an extensive list of recommendations, which include:
- Identity management needs to be carefully monitored, with any change being analyzed closely; in particular, administrative changes must be checked.
- EDR modifications, especially new exclusions, must be carefully examined. Recent installations of remote administration tools must be scrutinized.
- Phishing-resistant multifactor authentication such as FIDO2 security keys should be deployed for administrators and all privileged users.
- Every employee should be educated about cybersecurity, especially on phishing techniques and social engineering, on a regular basis with different security awareness campaigns.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.