A large 5G SIM card with four people gathered around it.

Microsoft Exposes Octo Tempest, A serious Threat Involving SIM Swaps And Ransomware

Microsoft released an extensive investigation into Octo Tempest, a fluent English-speaking threat actor. The group is recognised for their excellent social engineering skills and mostly targets businesses. Their fraudulent activities include data extortion and ransomware attacks.

In addition to revealing the activities of a financially driven hacking group, Microsoft has classified the attackers as among the most serious financial crime groups. Microsoft highlighted their uncommon ability to operate, as well as their ability to incorporate SMS phishing, SIM swapping, and help desk fraud into the attack methods.

Since early 2022, Octo Tempest’s attacks have been growing at an alarming rate. They have expanded their targets to include companies involved in cable telecommunications, email, and digital services. Furthermore, they recently announced an alliance with the ALPHV/BlackCat ransomware group.

It’s interesting that the activities linked to Octo Tempest have been noticed by other cyber groups under other identities. These aliases include 0ktapus, Scatter Swine, and UNC3944. Notably, UNC3944 has continuously targeted Okta in order to get escalated privileges and breach particular networks.

Ransomware Attacks Begin as a Result of Account Theft

The threat actor first focused on selling SIM swaps and went after those who had significant virtual currency assets. This group often used a more disruptive strategy, including SMS and phone calls.

The texts contained the names and home addresses of family members. Getting the victims’ corporate access credentials was the aim of these strategies.

The Octo Tempest strategy is unusual for its focus on support and help desk employees. They do this by using social engineering techniques, which act as a first step towards obtaining privileged account access. Their plan is to use misinformation to convince these people to reset the victim’s password and change multi-factor authentication (MFA) settings.

Targeting Evolution of Octo Tempest and Ransomware Change
Targeting Evolution of Octo Tempest and Ransomware Change (Microsoft)

The group used the collective knowledge to develop more sophisticated and potent attack plans. They also began to use their breaches to their advantage by extorting individuals after obtaining their data. Interestingly, Microsoft notes that Octo Tempest occasionally turned to actual physical threats to get login credentials that would further their attack.

Messages from Octo Tempest Threatening Account Logins
Messages from Octo Tempest Threatening Account Logins (Microsoft)

Although Octo Tempest did not use encryption payloads in their initial attacks, they did investigate the idea of adding ransomware to their arsenal. Instead, they kept using the data extortion strategies they had been using since late 2022.

They eventually evolved into more massive ransomware attacks. Their current focus is on targeting VMware ESXi servers, which mirrors the type of attacks that previously hit MGM Resorts.

The most recent attacks by this group have targeted a wide range of industries, including gambling, natural resources, hotels, consumer products, retail, managed service providers, manufacturing, legal, technology, and financial services.

Challenges in Hunting Octo Tempest

Octo Tempest is a well-planned group with multiple hands-on keyboard operators and employees with strong technical abilities, according to Microsoft’s assessment.

After gaining antlers, the attackers begin to carry out social reconnaissance. The next step is to increase their privileges, which they achieve by obtaining a tonne of user, group, and role information and stealing password policies.

Using hacked accounts of security staff members within targeted organisations is part of their strategy. Their objective is to interfere with security tools’ regular operations so they may continue to operate undetected. They also change the mailbox rules of the security staff, leading to automatic deletion of emails from vendors.

Octo Tempest’s extensive toolkit and strategies show a high level of technical proficiency. They can effortlessly navigate complex hybrid configurations by reusing tokens they have gathered with validated MFA claims. They also enrol devices controlled by their team in device management software to bypass security measures.

Microsoft emphasises that tracking down or identifying this threat actor inside an environment is a challenging task. They use a variety of technologies, surviving off the land tactics, and social engineering to make it difficult.

However, researchers provide some general recommendations for detecting illegal activities. This involves monitoring and analysing identity-related processes, Azure environments, and endpoints. Octo Tempest is financially motivated and accomplishes its objectives via stealing cryptocurrencies, engaging in data theft extortion, or encrypting computers and demanding ransoms.

Ensuring that all staff engage in continuous cybersecurity training is important, with a particular focus on issues like social engineering and phishing approaches. Offer this training through a range of security awareness programmes.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.

Recent posts