Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit
Gang thought to be behind attack on MGM Resorts has a skillset larger than most cybercrime groups in existence
Microsoft's latest report on "one of the most dangerous financial criminal groups" operating offers security pros an abundance of threat intelligence to protect themselves from its myriad tactics.
The "unique" native English-speaking group is tracked by Microsoft as Octo Tempest and in the space of a year has demonstrated a consistent and rapid evolution to become one of the most well-equipped cybercrime groups in existence.
Among its capabilities that aren't often possessed by crews of its kind are SMS phishing, SIM swapping, and advanced social engineering – all skills that are useful for those looking to target English-speaking organizations.
It's perhaps the sell used to convince prominent ransomware outfit ALPHV/BlackCat to let Octo Tempest join its affiliate program earlier this year. With BlackCat believed to have Russian ties, Microsoft said it was a notable move given that Eastern European ransomware groups typically refuse to do business with native English-speaking criminals.
After initially exploring ransomware as part of its toolset, Octo Tempest originally conducted attacks without dropping an encryption payload, sticking with the data extortion tactics it had adopted starting in late 2022.
It has since branched out into full-scale ransomware attacks and is specifically focusing its efforts on exploiting VMware ESXi Servers, the same kind of attacks that befell MGM Resorts.
Octo Tempest is also tracked using other names by different security companies, such as Crowdstrike's Scattered Spider, and while Microsoft hasn't outright pinned Octo Tempest activity to the attacks on MGM, the group has claimed responsibility for them.
The group's activities look much different now compared to where they started in early 2022, and Microsoft has split its evolution into three phases.
During the first phase, between early and late 2022, Octo Tempest mainly targeted mobile network operators (MNOs) and business process outsourcing organizations using SIM-swapping attacks, selling these to other criminals who could then use them to perform account takeovers and steal cryptocurrency.
From there it cast its net wider in phase two, targeting telecoms companies as well as email and tech service providers, branching out into data extortion attacks to monetize their intrusions.
Phase three was characterized by the switch to ransomware and another widening of its targets to include organizations in the gaming, hospitality, retail, manufacturing, natural resources, financial services, and tech industries.
Octo Tempest's key tactics
Microsoft said Octo Tempest exhibits a wide range of techniques in its attacks that are indicative of a well-organized group consisting of multiple experienced individuals.
Often using its social engineering expertise to gain initial access to its targets' environments, the group has also in rare cases shown a high degree of aggression and criminality in its approaches.
Octo Tempest has been known to routinely target organizations' employees and helpdesk staff to achieve its goals.
Group members have seen success in convincing employees to download legitimate remote monitoring tools which are then abused by the criminals to launch attacks, as well as coercing them to malicious login portals to steal their credentials and multi-factor authentication (MFA) session cookies.
In extreme cases, the attackers have been observed sending highly threatening SMS messages to victims in order to persuade them to hand over their corporate credentials, including threats to human life.
The group is known for carrying out extensive research on their targets, learning how to impersonate victims, and mimicking their specific style of speech to appear more convincing on phone calls.
Helpdesk staff have been targeted in the past by an Octo Tempest member attempting to pass themselves off as a new employee to achieve goals such as being legitimately onboarded to the organization's IT systems.
- Side channel attacks take bite out of Apple silicon with iLeakage exploit
- ServiceNow quietly addresses unauthenticated data exposure flaw from 2015
- Pro-Russia group exploits Roundcube zero-day in attacks on European government emails
- Seiko watches 60K personal data records tick away in BlackCat ransomware heist
The same technique was used to initiate MFA changes and employee password resets, which are also carried out by the group's SIM-swapping attacks on occasion.
After gaining initial access, Octo Tempest often engages in discovery missions to gather as much information about a company as possible, including employee onboarding processes, password policies, and remote access methods.
Defenders can look out for PingCastle and ADRecon activity as potential signals of Octo Tempest activity to investigate an organization's Active Directory. Govmoni and Pure Storage FlashArray are used to enumerate vCenter APIs and storage arrays respectively. The group often attempts to siphon data from Azure Active Directory related to users, groups, and devices.
It then turns to privilege escalation methods that often hinge on social engineering too, such as convincing a helpdesk staffer to reset a password, or through SIM-swapping attacks to takeover employee accounts.
Open source tooling like Mimikatz, Hekatomb, MicroBurst, Jercretz, TruffleHog, and more are used for a variety of tasks, including the theft of secrets.
This tooling is often allowed to run due to the group's compromise of accounts belonging to the target organization's security team. The criminals then disable security products and reconfigure mailboxes to delete associated email alerts, use the privileged accounts to steal data that's later used to extort the victim, install remote monitoring software, and achieve persistence.
The full list of tooling Octo Tempest uses against its victims is detailed extensively in Microsoft's report on the group, including its "unorthodox" tips for proactive threat hunting and configurations for Azure and Entra ID.
As well as educating their workforce on the sophisticated and diverse threat Octo Tempest presents, organizations were also advised that their typical communication channels may not be safe and out-of-band channels should be considered, where possible.
The big three workplace collaboration platforms – Slack, Teams, and Zoom – have all been compromised by the group before to steal incident response plans from calls, as well as general chat logs, which are then fed into tools like Otter for transcription and later used in extortion efforts.
Extra attention should be paid to legitimate remote monitoring tools as these are often abused by the attackers, Microsoft said. While it may not be feasible to block these due to the need for their intended use, the purpose for which they're being used should be monitored carefully to avoid the attackers achieving persistence on systems. ®