Meet Octo Tempest, 'Most Dangerous Financial' Hackers
Octo Tempest Hacked Las Vegas, Twilio and Hooked Up With BlackCat
A financially motivated hacking group is becoming more aggressive, leading Microsoft to dub it "one of the most dangerous financial criminal groups."
Octo Tempest, also tracked as UNC3944 and 0ktapus, only months ago became the rare English-speaking affiliate of the Russian-speaking ransomware group BlackCat, Microsoft wrote in a Wednesday blog post. "Historically, Eastern European ransomware groups refused to do business with native English-speaking criminals."
Octo Tempest attacks are well-organized and prolific, "indicative of extensive technical depth and multiple hands-on-keyboard operators."
Cyber defenders first spotted the group in early 2022, targeting mobile telecommunications and business process outsourcing organizations for SIM swaps. Mandiant traced ransomware attacks against Las Vegas casinos in September to the group (see: Caesars Entertainment Reportedly Pays Ransom to Attackers).
It was also behind a 2022 campaign that compromised more than 130 organizations, including customer engagement platform Twilio and email service provider Mailchimp (see: Twilio and Mailchimp Breaches Tie to Massive Phishing Effort).
In June, Octo Tempest started deploying ransomware payloads developed by BlackCat - also known as Alphv - for Windows and Linux systems, more recently focusing on VMware ESXi servers.
Octo Tempest was previously known to target cable telecommunications, email and technology organizations. It has since broadened the industries it targets for extortion to include natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology and financial services.
Octo Tempest launches social engineering attacks against support and help desk personnel after researching the target organization.
It identifies potential targets and impersonates victims, mimicking "idiolect on phone calls and understanding personally identifiable information to trick technical administrators into performing password resets and resetting multifactor authentication methods."
The hackers impersonate newly hired employees to blend into normal on-hire processes. They primarily gain initial access to an organization using one of several methods:
- Calling an employee and persuading them to install a remote monitoring and management utility;
- Persuading the employee to navigate to a site configured with a fake login portal using an adversary-in-the-middle toolkit;
- Persuading the employee to remove their FIDO2 token;
- Purchasing an employee's credentials or session tokens on a criminal market;
- SMS phishing employee phone numbers with a link to a site configured with a fake login portal using an adversary-in-the-middle toolkit;
- Using an employee's pre-existing access to mobile telecommunications and business process outsourcing organizations to initiate a SIM swap or to set up call forwarding on an employee's phone number. Once the attackers control the employee's phone number, they initiate a self-service password reset of the user's account;
- In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts, along with physical threats, to coerce victims into sharing credentials for corporate access.
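The common thread in the help-desk and SIM-swap paths above is that someone other than the legitimate user gets a password reset or an MFA method change pushed through, and a sign-in from a device the user has never used follows shortly afterwards. The following hunting rule, added here as an example and not code from Microsoft or the article, correlates those two signals over a small set of constructed identity audit events. The event shape, the normalized action names (`mfa_method_removed`, `mfa_method_registered`, `password_reset`, `signin_success`), the user and device names and the two-hour window are all assumptions for the example; real identity-provider logs need to be mapped onto these action names first.

```python
# Added example, not from the Microsoft report or the article. All events below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str   # normalized: mfa_method_removed | mfa_method_registered | password_reset | signin_success
    actor: str    # account that performed the action (the user, or a help-desk admin)
    source: str   # "helpdesk", "self-service" or "signin"
    device: str = ""


# Actions that change what it takes to authenticate as the user.
RESET_ACTIONS = {"mfa_method_removed", "mfa_method_registered", "password_reset"}
# Any change to the MFA method set, or any reset performed by an admin, raises severity.
HIGH_RISK_ACTIONS = {"mfa_method_removed", "mfa_method_registered"}

T0 = datetime(2023, 10, 25, 9, 0)
# Constructed sample telemetry (assumption: four users, one benign and three test cases).
EVENTS = [
    # Benign: alice resets her own password and signs in from her usual laptop.
    AuditEvent(T0, "alice", "password_reset", "alice", "self-service"),
    AuditEvent(T0 + timedelta(minutes=5), "alice", "signin_success", "alice", "signin", "LAPTOP-A1"),
    # Help-desk path: an admin removes bob's MFA method and resets his password after a call;
    # a new method is registered from an unknown device, then a sign-in from that device succeeds.
    AuditEvent(T0 + timedelta(hours=1), "bob", "mfa_method_removed", "helpdesk01", "helpdesk"),
    AuditEvent(T0 + timedelta(hours=1, minutes=2), "bob", "password_reset", "helpdesk01", "helpdesk"),
    AuditEvent(T0 + timedelta(hours=1, minutes=10), "bob", "mfa_method_registered", "bob", "self-service", "UNKNOWN-7F"),
    AuditEvent(T0 + timedelta(hours=1, minutes=20), "bob", "signin_success", "bob", "signin", "UNKNOWN-7F"),
    # SIM-swap path: a self-service reset (SMS-verified) followed by a sign-in from a new device.
    AuditEvent(T0 + timedelta(hours=3), "carol", "password_reset", "carol", "self-service"),
    AuditEvent(T0 + timedelta(hours=3, minutes=4), "carol", "signin_success", "carol", "signin", "UNKNOWN-9C"),
    # Stale: dave's reset was a day earlier, outside the correlation window.
    AuditEvent(T0 - timedelta(days=1), "dave", "password_reset", "helpdesk02", "helpdesk"),
    AuditEvent(T0 + timedelta(hours=4), "dave", "signin_success", "dave", "signin", "UNKNOWN-11"),
]
# Devices each user has signed in from before (assumption: taken from a device inventory).
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "alice": {"LAPTOP-A1"}, "bob": {"LAPTOP-B2"}, "carol": {"LAPTOP-C3"}, "dave": {"LAPTOP-D4"},
}


def find_takeover_chains(events: List[AuditEvent], known_devices: Dict[str, Set[str]],
                         window: timedelta = timedelta(hours=2)) -> List[dict]:
    """One finding per successful sign-in from a device the user has not used before that was
    preceded, within `window`, by a password reset or MFA method change for that user."""
    by_user: Dict[str, List[AuditEvent]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        resets = [e for e in evs if e.action in RESET_ACTIONS]
        for s in (e for e in evs if e.action == "signin_success"):
            if s.device in known_devices.get(user, set()):
                continue  # familiar device: not the pattern we are hunting
            preceding = [r for r in resets if timedelta(0) <= s.ts - r.ts <= window]
            if not preceding:
                continue
            high = any(r.source == "helpdesk" or r.action in HIGH_RISK_ACTIONS for r in preceding)
            findings.append({
                "user": user,
                "device": s.device,
                "signin_ts": s.ts,
                "reset_actions": [r.action for r in preceding],
                "reset_actors": sorted({r.actor for r in preceding}),
                "severity": "high" if high else "medium",
            })
    return sorted(findings, key=lambda f: f["signin_ts"])


if __name__ == "__main__":
    for f in find_takeover_chains(EVENTS, KNOWN_DEVICES):
        print(f["severity"].upper(), f["user"], f["device"], f["reset_actions"], f["reset_actors"])
```

Run against the sample, the rule flags bob as high (admin-performed reset plus MFA method change) and carol as medium (self-service reset only), and ignores alice's known device and dave's day-old reset. The "unknown device" signal is what separates a real help-desk ticket from a takeover; without a device or location baseline the same rule would fire on every routine reset.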
Once inside, the attackers perform "various enumeration and information gathering actions" to gain further access to the targeted environment and to abuse legitimate channels for follow-on actions later in the attack chain.
"Initial bulk-export of users, groups, and device information is closely followed by enumerating data and resources readily available to the user's profile within virtual desktop infrastructure or enterprise-hosted resources," Microsoft said.
Octo Tempest uses its access to internal networks to carry out broad searches across knowledge repositories to identify documents related to network architecture, employee onboarding, remote access methods, password policies and credential vaults.
It explores multi-cloud environments, enumerating access and resources across cloud tenants, code repositories, and server and backup management infrastructure. At this stage the threat actor validates its access, tallies databases and storage containers, and plans footholds for later phases of the attack.
"The goal of Octo Tempest remains financially motivated, but the monetization techniques observed across industries vary between cryptocurrency theft and data exfiltration for extortion and ransomware deployment," researchers said.
Microsoft found that Octo Tempest accesses data in code repositories, large document management and storage systems including SharePoint, SQL databases, cloud storage blobs/buckets and email, using legitimate management clients such as DBeaver, MongoDB Compass, Azure SQL Query Editor and Cerebrata to connect and collect.
For data exfiltration the threat actor uses anonymous file-hosting services including GoFile.io, Sh.Azl, StorjShare, Temp.sh, MegaSync, Paste.ee, Backblaze and AWS S3 buckets.
"Octo Tempest employs a unique technique using the data movement platform Azure Data Factory and automated pipelines to extract data to external actor hosted Secure File Transfer Protocol servers, aiming to blend in with typical big data operations," Microsoft said.
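A pipeline that copies a database table to an actor-controlled SFTP server looks, inside Data Factory, like any other copy job: a Copy activity, an output dataset, and a linked service carrying the destination host. One way to surface it is to resolve every Copy sink back to its linked service and flag transfer-type services whose host is not on an approved list. The script below is an added example, not Microsoft's or the article's code. The three JSON documents are constructed for the example and modelled on the resource JSON Data Factory exports for linked services, datasets and pipelines; all names, hosts and the address `198.51.100.23` are invented, and `APPROVED_HOSTS` is an assumption standing in for an organization's real allowlist.

```python
# Added example, not from the Microsoft report or the article. Resource JSON is constructed.
import json
from typing import Iterable, List, Set

LINKED_SERVICES_JSON = """[
 {"name": "AzureSqlDb", "properties": {"type": "AzureSqlDatabase",
   "typeProperties": {"connectionString": "Server=tcp:contoso-prod.database.windows.net;Database=crm"}}},
 {"name": "PartnerSftp", "properties": {"type": "Sftp",
   "typeProperties": {"host": "sftp.partner.example", "port": 22, "authenticationType": "SshPublicKey"}}},
 {"name": "Transfer01", "properties": {"type": "Sftp",
   "typeProperties": {"host": "198.51.100.23", "port": 2222, "authenticationType": "Basic", "userName": "u1"}}},
 {"name": "ArchiveBlob", "properties": {"type": "AzureBlobStorage",
   "typeProperties": {"serviceEndpoint": "https://contosoarchive.blob.core.windows.net/"}}}
]"""

DATASETS_JSON = """[
 {"name": "CustomersTable", "properties": {"type": "AzureSqlTable",
   "linkedServiceName": {"referenceName": "AzureSqlDb", "type": "LinkedServiceReference"}}},
 {"name": "PartnerDrop", "properties": {"type": "DelimitedText",
   "linkedServiceName": {"referenceName": "PartnerSftp", "type": "LinkedServiceReference"}}},
 {"name": "Export01", "properties": {"type": "Binary",
   "linkedServiceName": {"referenceName": "Transfer01", "type": "LinkedServiceReference"}}},
 {"name": "ArchiveFiles", "properties": {"type": "Binary",
   "linkedServiceName": {"referenceName": "ArchiveBlob", "type": "LinkedServiceReference"}}}
]"""

PIPELINES_JSON = """[
 {"name": "NightlyPartnerFeed", "properties": {"activities": [
   {"name": "CopyCustomers", "type": "Copy",
    "inputs": [{"referenceName": "CustomersTable", "type": "DatasetReference"}],
    "outputs": [{"referenceName": "PartnerDrop", "type": "DatasetReference"}]}]}},
 {"name": "pipeline1", "properties": {"activities": [
   {"name": "ForEach1", "type": "ForEach", "typeProperties": {"items": "@pipeline().parameters.tables",
    "activities": [
     {"name": "Copy data1", "type": "Copy",
      "inputs": [{"referenceName": "CustomersTable", "type": "DatasetReference"}],
      "outputs": [{"referenceName": "Export01", "type": "DatasetReference"}]}]}}]}},
 {"name": "ArchiveJob", "properties": {"activities": [
   {"name": "CopyArchive", "type": "Copy",
    "inputs": [{"referenceName": "CustomersTable", "type": "DatasetReference"}],
    "outputs": [{"referenceName": "ArchiveFiles", "type": "DatasetReference"}]}]}}
]"""

# Linked-service types that push data to a store outside the tenant's own Azure data plane.
EXTERNAL_TRANSFER_TYPES = {"Sftp", "FtpServer", "HttpServer", "AmazonS3", "GoogleCloudStorage"}
# Assumption for the example: the only sanctioned external transfer target.
APPROVED_HOSTS: Set[str] = {"sftp.partner.example"}


def iter_activities(activities: Iterable[dict]):
    """Yield every activity, descending into ForEach, Until and IfCondition containers,
    so a Copy hidden one level down is not missed."""
    for act in activities:
        yield act
        tp = act.get("typeProperties", {})
        for key in ("activities", "ifTrueActivities", "ifFalseActivities"):
            yield from iter_activities(tp.get(key, []))


def external_sinks(linked_services: List[dict], datasets: List[dict],
                   pipelines: List[dict], approved_hosts: Set[str]) -> List[dict]:
    """Copy activities whose output dataset resolves to an external transfer linked service
    with a host that is not approved."""
    ls_by_name = {ls["name"]: ls["properties"] for ls in linked_services}
    ds_to_ls = {ds["name"]: ds["properties"]["linkedServiceName"]["referenceName"] for ds in datasets}
    findings = []
    for p in pipelines:
        for act in iter_activities(p["properties"].get("activities", [])):
            if act.get("type") != "Copy":
                continue
            for out in act.get("outputs", []):
                ls_name = ds_to_ls.get(out.get("referenceName", ""))
                ls = ls_by_name.get(ls_name)
                if ls is None or ls.get("type") not in EXTERNAL_TRANSFER_TYPES:
                    continue
                tp = ls.get("typeProperties", {})
                host = tp.get("host") or tp.get("url") or tp.get("serviceUrl") or "<unspecified>"
                if host in approved_hosts:
                    continue
                findings.append({"pipeline": p["name"], "activity": act["name"],
                                 "linked_service": ls_name, "type": ls["type"], "host": host})
    return findings


def audit_sample() -> List[dict]:
    """Run the check over the constructed sample factory."""
    return external_sinks(json.loads(LINKED_SERVICES_JSON), json.loads(DATASETS_JSON),
                          json.loads(PIPELINES_JSON), APPROVED_HOSTS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['pipeline']}/{f['activity']} -> {f['type']} {f['host']} via {f['linked_service']}")
```

On the sample this reports a single finding: the `Copy data1` activity nested inside `ForEach1` in `pipeline1`, writing to the `Transfer01` SFTP service at an unapproved address, while the sanctioned partner feed and the internal blob archive are left alone. The same resolution logic applies to the exported ARM template of a real factory; the check is only as good as the allowlist, so review additions to it with the same care as a new firewall egress rule.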