Microsoft Exposes Octo Tempest, One of the Most Dangerous Financial Threat Actors to Date

A new report from the Microsoft Incident Response and Microsoft Threat Intelligence teams exposes the activities and constant evolution of a financially motivated threat actor named Octo Tempest, which deploys advanced social engineering techniques to target companies, steal data and run ransomware campaigns.

Octo Tempest's tactics, techniques and procedures

The threat actor uses a range of tactics, techniques and procedures to conduct its operations successfully.

Initial access

Octo Tempest commonly uses social engineering attacks targeting individuals within a company who have access to more information than the typical user, such as technical administrators or support and help desk staff. The group has been observed impersonating new employees in these attacks to blend into onboarding processes, according to Microsoft.

Using its social engineering skills, the group may call employees and trick them into installing a remote monitoring and management tool, or into browsing to a phishing site hosting an Adversary-in-the-Middle (AitM) toolkit that bypasses two-factor authentication and removes their FIDO2 token. The group may also use smishing, sending SMS messages containing a phishing link that leads employees to a fake login page backed by an AitM toolkit, or initiate a SIM swap attack on employees' phone numbers so that it can reset their passwords once it controls the number.

In addition, Octo Tempest buys legitimate credentials and session cookies for target companies directly on cybercriminal underground marketplaces. In rare instances, the group has used highly aggressive physical threats against employees by phone call and SMS, using personal details such as their home address or family members' names, with the goal of obtaining the victims' credentials for corporate access.

Reconnaissance and discovery

Once a system is accessed, Octo Tempest runs numerous enumeration and information-gathering actions. This data lets the threat actor understand the organization better, export a list of users and groups, gather device information, and facilitate further compromise and possible abuse of legitimate channels for other malicious actions. Octo Tempest also attempts to collect documents related to network architecture, remote access methods, password policies, credential vaults and employee onboarding.

The group explores the entire internal environment of the targeted organization, validates its access, and enumerates databases and storage containers. It has been observed using PingCastle and ADRecon to perform reconnaissance of Active Directory, Govmomi to enumerate vCenter APIs, the Pure Storage FlashArray PowerShell module to enumerate storage arrays and Advanced IP Scanner to probe internal networks.

More credentials and privileges

To elevate its privileges inside the corporate environment, Octo Tempest may call the help desk and social engineer the person answering the call into believing they are talking with an administrator who needs to reset their password, or change their MFA token or add another one that the attacker owns. In some cases, the group bypassed password reset procedures by using a compromised manager's account to approve requests.

The threat actor continuously tries to collect more credentials and uses open-source tools such as TruffleHog to help identify plaintext keys, secrets and credentials inside code repositories. Octo Tempest also uses credential dumpers such as Mimikatz or LaZagne.

Defense evasion

Octo Tempest accesses IT staff accounts to turn off security products and features to avoid detection. The threat actor leverages endpoint detection and response and device management technologies to allow the use of malicious tools, deploy additional software or steal data. While many threat actors disable security controls on a compromised system, Octo Tempest goes one step further by modifying the security staff's mailbox rules to automatically delete emails from security vendors that might alert the staff.

Who is Octo Tempest?

Octo Tempest is a financially motivated threat actor whose members are native English speakers. The group also goes by the names 0ktapus, Scattered Spider, Scatter Swine and UNC3944. The threat actor was first identified in 2022, targeting mobile telecommunication companies and business process outsourcing companies to initiate SIM swaps, which it monetized by selling them to other criminals and by carrying out cryptocurrency theft against wealthy individuals. Since then, Octo Tempest has continuously evolved (Figure A) and aggressively expanded its activities to target cable telcos, email and technology organizations. The threat actor launched extortion operations on data stolen during the compromise of those companies.

Figure A: Octo Tempest's evolution from early 2022 to mid 2023. Image: Microsoft

The group also ran large phishing campaigns targeting Okta identity credentials, which it used for subsequent supply chain attacks. Successful attacks on Twilio and Mailchimp, for example, can be attributed to the group. Octo Tempest then became an affiliate of the ALPHV/BlackCat ransomware, an unexpected move given that Eastern European ransomware groups generally refuse English-speaking affiliates. The group targeted a wider range of businesses, including hospitality, consumer products, retail, manufacturing, gaming, natural resources, law, technology and financial services.

Microsoft noted the group is highly skilled: "In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data. Octo Tempest leverages tradecraft that many organizations don't have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques."

How to protect against the Octo Tempest threat actor

Roger Grimes, data-driven defense evangelist at KnowBe4, commented in a statement TechRepublic received by email: "These are examples of highly sophisticated attacks across the spectrum of possible attacks and motivations. Every organization should develop its best defense-in-depth cyber defense strategy using the best mix of policies, technical defenses, and education, to best reduce the risk of these attacks. The methods and sophistication of these attacks need to be shared with employees. They need lots of examples. Employees need to be able to recognize the different cyber attack methods and be taught how to recognize, mitigate, and appropriately report them. We know that 50% to 90% involve social engineering and 20% to 40% involve unpatched software and firmware, so whatever a company can do to best fight those two attack methods is where they should probably start."

Microsoft provided a substantial list of recommendations, which include:

- Identity management needs to be closely monitored, with any change being examined closely; in particular, administrative changes must be checked.
- EDR modifications, especially new exclusions, must be thoroughly reviewed.
- Recent installations of remote administration tools need to be inspected.
- Phishing-resistant multifactor authentication such as FIDO2 security keys should be deployed for administrators and all privileged users.
- Every employee needs to be educated about cybersecurity, especially about phishing methods and social engineering, on a regular basis with various security awareness campaigns.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
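The review items in Microsoft's recommendations (identity changes, new EDR exclusions, fresh remote administration tool installs) and the mailbox-rule evasion described under Defense evasion can be turned into a first-pass triage over audit events. The following Python is an example added to this article, not code from Microsoft, TechRepublic or the report; the event schema and field names, the security vendor domain list and the remote-tool watchlist are all constructed assumptions, and the sample events are made up to show the chain the article describes.

```python
"""Triage of identity, EDR, software-install and mailbox-rule audit events
for the behaviours this article describes. Example code added to the
article; the event schema, field names, vendor domains and tool watchlist
are constructed assumptions, not any vendor's real log format."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: mail from these domains is security-vendor alert mail that a
# defender never expects to be silently deleted by a mailbox rule.
SECURITY_VENDOR_DOMAINS = ("microsoft.com", "crowdstrike.com", "trendmicro.com")

# Assumption: legitimate remote monitoring/management tools whose fresh
# installation on a workstation warrants review (constructed watchlist).
RMM_WATCHLIST = {"anydesk", "teamviewer", "screenconnect", "splashtop", "atera"}

# Mailbox rule actions that hide a message from its recipient.
HIDING_ACTIONS = {"delete", "movetofolder:deleted items", "movetofolder:rss feeds"}


@dataclass(frozen=True)
class Finding:
    rule: str        # detection name
    severity: str    # high | medium | low
    event_id: str    # id of the triggering event
    actor: str       # account that performed the change
    detail: str


def _hides_vendor_mail(ev: dict) -> bool:
    """A rule that deletes or buries mail whose sender matches a security
    vendor domain is the evasion step described in the article."""
    if ev.get("action", "").lower() not in HIDING_ACTIONS:
        return False
    sender = ev.get("from_contains", "").lower()
    return any(domain in sender for domain in SECURITY_VENDOR_DOMAINS)


def triage(events: list[dict]) -> list[Finding]:
    """Map each audit event onto the review items from the recommendations."""
    findings: list[Finding] = []
    for ev in events:
        kind, eid, actor = ev["type"], ev["id"], ev["actor"]
        if kind in ("PasswordReset", "MfaMethodAdded"):
            # Every identity change is reviewed; admin targets are checked first.
            sev = "high" if ev.get("target_is_admin") else "low"
            findings.append(Finding("identity_change", sev, eid, actor,
                                    f"{kind} on {ev['target']} by {actor}"))
        elif kind == "EdrExclusionAdded":
            findings.append(Finding("edr_exclusion_added", "high", eid, actor,
                                    f"exclusion {ev['path']} added by {actor}"))
        elif kind == "SoftwareInstalled" and ev["product"].lower() in RMM_WATCHLIST:
            findings.append(Finding("rmm_tool_installed", "medium", eid, actor,
                                    f"{ev['product']} installed on {ev['host']} by {actor}"))
        elif kind == "MailboxRuleCreated" and _hides_vendor_mail(ev):
            findings.append(Finding("mailbox_rule_hides_security_mail", "high", eid, actor,
                                    f"rule '{ev['rule_name']}' on {ev['mailbox']} "
                                    f"{ev['action']} mail from {ev['from_contains']}"))
    return findings


def chained_actors(findings: list[Finding], min_rules: int = 2) -> dict[str, set[str]]:
    """Actors who triggered several distinct detections. One account changing
    MFA, installing a remote tool and excluding it from EDR is the pattern to
    escalate; a lone low-severity MFA change is routine."""
    by_actor: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_actor[f.actor].add(f.rule)
    return {a: rules for a, rules in by_actor.items() if len(rules) >= min_rules}


# Constructed sample events: a help desk reset of an admin account, then the
# new holder of that account adds an MFA method, installs a remote tool,
# excludes a folder from EDR and silences the security team's mailbox.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "PasswordReset", "actor": "helpdesk.sam",
     "target": "admin.alice", "target_is_admin": True},
    {"id": "e2", "type": "MfaMethodAdded", "actor": "admin.alice",
     "target": "admin.alice", "target_is_admin": True, "method": "phone"},
    {"id": "e3", "type": "SoftwareInstalled", "actor": "admin.alice",
     "host": "WS-0142", "product": "AnyDesk"},
    {"id": "e4", "type": "EdrExclusionAdded", "actor": "admin.alice",
     "path": "C:\\Tools\\"},
    {"id": "e5", "type": "MailboxRuleCreated", "actor": "admin.alice",
     "mailbox": "secops@example.test", "rule_name": "cleanup",
     "from_contains": "@microsoft.com", "action": "delete"},
    {"id": "e6", "type": "SoftwareInstalled", "actor": "bob",
     "host": "WS-0007", "product": "7-Zip"},
    {"id": "e7", "type": "MfaMethodAdded", "actor": "carol",
     "target": "carol", "target_is_admin": False, "method": "fido2"},
    {"id": "e8", "type": "MailboxRuleCreated", "actor": "dave",
     "mailbox": "dave@example.test", "rule_name": "newsletters",
     "from_contains": "@news.example", "action": "delete"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity:6}] {f.rule:34} {f.event_id}: {f.detail}")
    for actor, rules in chained_actors(found).items():
        print(f"ESCALATE {actor}: {sorted(rules)}")
```

On the sample stream the per-event rules produce six findings (the 7-Zip install and the newsletter rule are ignored), and the correlation step singles out admin.alice, who trips four distinct rules after the help desk reset. The correlation is the part worth keeping: each individual change can be legitimate, but the article's point is that this actor strings them together, so the review queue should be ordered by actor, not by event.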
