The financially motivated hacking group Octo Tempest, responsible for attacking MGM Resorts International and Caesars Entertainment in September, has been branded "one of the most dangerous financial criminal groups" by Microsoft's Incident Response and Threat Intelligence team.
The group, also known as 0ktapus, Scattered Spider, and UNC3944, has been active since early 2022, initially targeting telecom and outsourcing companies with SIM swap attacks.
It later shifted to extortion using stolen data, and by mid-2023 the group had partnered with ALPHV/BlackCat ransomware, initially leveraging the ALPHV Collections leak site and later deploying the ransomware itself, focusing on VMware ESXi servers.
Microsoft's in-depth post about the group and its extensive range of tactics, techniques, and procedures (TTPs) details the evolution of Octo Tempest and the fluidity of its operations.
"In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data," the report notes. "Octo Tempest leverages tradecraft that many organizations don't have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques."
The Multi-Armed 0ktapus Cybercrime Playbook
The group gains initial access through advanced social engineering techniques, often targeting employees with access to network permissions, including support and help desk personnel.
The attackers call these individuals and attempt to convince them to reset user passwords, change or add authentication tokens, or install a remote monitoring and management (RMM) utility.
The group isn't above leveraging personal information, such as home addresses and family names, and even making physical threats, to coerce victims into sharing corporate access credentials.
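The help-desk sequence described above (a password reset or a new MFA method pushed through support, followed by an RMM tool appearing on the user's workstation) is a correlation that identity and endpoint logs can surface. The following is an added example, not code from the article or from Microsoft's report: it reads a constructed, simplified audit-event format (timestamp, actor, action, target user, key=value details), and the list of RMM product names and the 24-hour correlation window are assumptions to tune locally.

```python
"""Correlate identity audit events into a help-desk account-takeover pattern:
a credential action (password reset, MFA method added/changed) performed on a
user by someone other than that user, followed within a window by a remote
monitoring and management (RMM) tool being installed for the same user.

Added example. The event format below is a constructed, simplified schema,
not a real vendor log; map your SIEM's fields into parse_event().
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

CREDENTIAL_ACTIONS = {"password_reset", "mfa_method_added", "mfa_method_changed"}
# Assumption: remote-access products your environment does not sanction.
RMM_PRODUCTS = {"anydesk", "teamviewer", "screenconnect", "atera", "splashtop"}
WINDOW = timedelta(hours=24)  # assumption: look-back from the RMM install

# Constructed sample events: ts|actor|action|target_user|key=value ...
SAMPLE_EVENTS = """\
2023-09-10T08:55:10Z|helpdesk.ops|password_reset|jdoe|ticket=INC-1001
2023-09-10T08:57:42Z|helpdesk.ops|mfa_method_added|jdoe|method=authenticator
2023-09-10T09:20:03Z|jdoe|software_install|jdoe|product=AnyDesk host=WS-0412
2023-09-10T10:02:11Z|helpdesk.ops|password_reset|asmith|ticket=INC-1004
2023-09-11T14:30:00Z|asmith|software_install|asmith|product=Notepad++ host=WS-0099
2023-09-12T11:00:00Z|asmith|software_install|asmith|product=TeamViewer host=WS-0099
"""


@dataclass
class Event:
    ts: datetime
    actor: str
    action: str
    target: str
    detail: dict


def parse_event(line: str) -> Event:
    ts, actor, action, target, detail = line.split("|", 4)
    kv = dict(item.split("=", 1) for item in detail.split())
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), actor, action, target, kv)


def parse_events(text: str) -> list:
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e.ts)


def detect_takeover_sequences(text: str, window: timedelta = WINDOW) -> list:
    """Return one alert per RMM install that follows a help-desk credential
    action on the same user inside `window`. Installs outside the window
    (asmith's TeamViewer, two days after the reset) are deliberately ignored."""
    events = parse_events(text)
    alerts = []
    for ev in events:
        if ev.action != "software_install":
            continue
        product = ev.detail.get("product", "")
        if product.lower() not in RMM_PRODUCTS:
            continue
        # Credential actions on this user by a third party, within the window.
        prior = [p for p in events
                 if p.target == ev.target and p.action in CREDENTIAL_ACTIONS
                 and p.actor != ev.target
                 and timedelta(0) <= ev.ts - p.ts <= window]
        if not prior:
            continue
        kinds = sorted({p.action for p in prior})
        alerts.append({
            "user": ev.target,
            "host": ev.detail.get("host"),
            "rmm_product": product,
            "credential_actions": kinds,
            "minutes_since_last_reset": int((ev.ts - prior[-1].ts).total_seconds() // 60),
            # Reset plus a new MFA method is the full takeover pattern.
            "severity": "high" if len(kinds) > 1 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover_sequences(SAMPLE_EVENTS):
        print(alert)
```

The window is the knob that matters: too short and a patient operator who waits a day evades it, too long and routine resets followed by sanctioned RMM rollouts flood the queue. Pair the rule with an allow-list of the RMM product your own IT team actually deploys, and treat an MFA method added by the help desk as the higher-confidence signal on its own.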
During the initial phases of the attacks, Octo Tempest conducts extensive reconnaissance, which includes gathering data on users, groups, and devices, and exploring network architecture, employee onboarding, and password policies.
The group uses tools including PingCastle and ADRecon for Active Directory reconnaissance, and the PureStorage FlashArray PowerShell SDK for enumerating storage arrays.
They reach deep into multi-cloud environments, code repositories, and server infrastructure, aiming to validate access and plan footholds for subsequent attack phases, a process that helps the group escalate their actions within targeted environments.
Partnering With Russians: Unprecedented Fusion of Tactics, Tools
Callie Guenther, senior manager of cyber threat research at Critical Start, says English-speaking Octo Tempest's affiliation with the Russian-speaking BlackCat group signifies an "unprecedented fusion" of resources, technical tools, and sophisticated ransomware tactics.
"Historically, the distinct boundaries maintained between Eastern European and English-speaking cybercriminals provided some semblance of regional demarcation," she explains. "Now, this alliance allows Octo Tempest to operate on a wider canvas, both geographically and in terms of potential targets."
She notes that the convergence of Eastern European cyber expertise with the linguistic and cultural nuances of English-speaking affiliates enhances the localization and efficacy of their attacks.
From her perspective, the multifaceted approach Octo Tempest employs is particularly alarming.
"Beyond their technical prowess, they've mastered the art of social engineering, adapting their tactics to impersonate and blend seamlessly into targeted organizations," she says. "This, combined with their alignment with the formidable BlackCat ransomware group, amplifies their threat manifold."
She notes the real concern emerges when one realizes they've diversified from specific industries to a broader spectrum and are now unafraid to resort to outright physical threats, showcasing a concerning escalation in cybercriminal tactics.
Tony Goulding, cybersecurity evangelist at Delinea, agrees the combination of sophisticated techniques, the broad scope of industries targeted, and their aggressive approach, even resorting to physical threats, are the most dangerous aspects of the group.
"Organizations should be very concerned," he explains. "Being native English speakers, they can more effectively launch wide-ranging social engineering campaigns compared to BlackCat."
He says this is particularly useful when using idiolect methods to convincingly impersonate employees during phone calls.
"Proficiency in English also helps them craft more convincing phishing messages for their signature SMS phishing and SIM swapping techniques," he adds.
Defense In Depth
Guenther says defending against Octo Tempest's financial pursuits involves a series of proactive and reactive measures, adhering to the principle of least privilege to ensure limited access.
"Cryptocurrencies should be stored in offline cold wallets to minimize online exposure," she advises. "Continual system updates and anti-ransomware solutions can thwart most ransomware deployments."
Advanced network monitoring can detect anomalous data flows, indicative of potential data exfiltration attempts.
"In case of breaches or attacks, an established incident response strategy can guide immediate actions," she adds. "Collaborative threat intelligence sharing with industry peers can also keep organizations abreast of emerging threats and countermeasures."
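The "anomalous data flows" monitoring point above is concrete enough to show in code. What follows is an added example, not code from the article or from either expert quoted: it baselines each host's daily outbound byte volume against its own history and flags a day that is both several standard deviations and several multiples above that baseline. The flow records are constructed, the record layout (day, host, bytes out) is assumed rather than any real NetFlow or firewall export format, and the thresholds are assumptions to tune.

```python
"""Per-host egress baseline: flag hosts whose outbound bytes today are far
above their own history, the data-flow anomaly that precedes bulk exfiltration
before extortion.

Added example on constructed data. Two tests must both pass so that a noisy
low-volume workstation cannot trip the rule on a small absolute change:
  z-score   >= Z_THRESHOLD      (relative to the host's own variance)
  ratio     >= RATIO_THRESHOLD  (relative to the host's own mean)
Hosts with too little history are skipped rather than scored on noise.
"""
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 3.0       # assumption
RATIO_THRESHOLD = 5.0   # assumption
MIN_BASELINE_DAYS = 3   # assumption

GB = 1_000_000_000
MB = 1_000_000

# Constructed daily egress totals: (day, host, bytes_out).
SAMPLE_FLOWS = [
    # File server with a steady ~2 GB/day, then 48 GB on the 7th (exfil).
    ("2023-09-01", "FS-01", 2_000 * MB), ("2023-09-02", "FS-01", 2_200 * MB),
    ("2023-09-03", "FS-01", 1_900 * MB), ("2023-09-04", "FS-01", 2_100 * MB),
    ("2023-09-05", "FS-01", 2_000 * MB), ("2023-09-07", "FS-01", 48 * GB),
    # Workstation with jittery ~150 MB/day; 170 MB today is not an anomaly.
    ("2023-09-01", "WS-17", 150 * MB), ("2023-09-02", "WS-17", 160 * MB),
    ("2023-09-03", "WS-17", 140 * MB), ("2023-09-04", "WS-17", 155 * MB),
    ("2023-09-05", "WS-17", 150 * MB), ("2023-09-07", "WS-17", 170 * MB),
    # Database host: 6 GB vs ~5 GB baseline; z is high, ratio is not.
    ("2023-09-01", "DB-02", 5 * GB), ("2023-09-02", "DB-02", 5_500 * MB),
    ("2023-09-03", "DB-02", 4_800 * MB), ("2023-09-04", "DB-02", 5_200 * MB),
    ("2023-09-05", "DB-02", 5 * GB), ("2023-09-07", "DB-02", 6 * GB),
    # Backup host with a perfectly flat baseline (stdev 0), then 6x.
    ("2023-09-01", "BK-03", 10 * GB), ("2023-09-02", "BK-03", 10 * GB),
    ("2023-09-03", "BK-03", 10 * GB), ("2023-09-04", "BK-03", 10 * GB),
    ("2023-09-05", "BK-03", 10 * GB), ("2023-09-07", "BK-03", 60 * GB),
    # New host with only two days of history: not enough to baseline.
    ("2023-09-05", "WS-40", 100 * MB), ("2023-09-06", "WS-40", 120 * MB),
    ("2023-09-07", "WS-40", 90 * GB),
]


def egress_by_host(records):
    """Group (day, bytes) points per host, in day order."""
    series = defaultdict(list)
    for day, host, bytes_out in sorted(records):
        series[host].append((day, bytes_out))
    return series


def score_host(history, current):
    """Return (z, ratio) of `current` against the host's own history.
    A flat baseline (stdev 0) makes any increase an infinite z."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        z = float("inf") if current > mu else 0.0
    else:
        z = (current - mu) / sigma
    ratio = current / mu if mu else float("inf")
    return z, ratio


def find_exfil_candidates(records, current_day):
    alerts = []
    for host, points in egress_by_host(records).items():
        history = [b for d, b in points if d < current_day]
        today = [b for d, b in points if d == current_day]
        if len(history) < MIN_BASELINE_DAYS or not today:
            continue  # unscorable: no baseline or no traffic today
        current = sum(today)
        z, ratio = score_host(history, current)
        if z >= Z_THRESHOLD and ratio >= RATIO_THRESHOLD:
            alerts.append({"host": host, "bytes_out": current,
                           "baseline_mean": int(mean(history)),
                           "z": round(z, 1), "ratio": round(ratio, 1)})
    return sorted(alerts, key=lambda a: a["ratio"], reverse=True)


if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_FLOWS, "2023-09-07"):
        print(alert)
```

The skipped host is the point worth noticing: a freshly built or newly onboarded machine has no baseline, so a volume rule is blind to it on its worst day. Cover that gap with a fleet-wide absolute ceiling or a destination-based rule (first contact with a new external endpoint), and run the per-host baseline alongside it rather than instead of it.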
Goulding points out that education, awareness training, and technical controls that vault privileged accounts and protect access workstations and servers are key.
"Putting obstacles in the path of threat actors all along the attack chain, to divert them from their playbook and generate noise, is super important for early detection," he says. "The more advanced and proficient the attack group, the better prepared they will be, so investing in the best tools that include modern capabilities is your best bet."