Octo Tempest emerges as a top financial hacking threat, warns Microsoft

Octo Tempest's evolution: from SIM swaps to ransomware attacks

Microsoft released a detailed report about the Octo Tempest hacking group

According to a detailed analysis by Microsoft,[1] Octo Tempest has emerged as one of the most dangerous financially motivated hacking groups currently active. This native English-speaking threat actor, notable for its advanced social engineering skills, has been a growing concern for the company as it targets a range of industries, including managed service providers (MSPs),[2] gaming, hospitality, retail, manufacturing, technology, and cable telecommunications. Microsoft describes the group as extremely flexible, technically adept, and well organized.

Octo Tempest's career in cybercrime started with selling SIM swaps and taking over the accounts of high-profile individuals with cryptocurrency holdings. Its methods soon grew more complex as its ambitions did: the group moved on to data theft, phishing, social engineering, and mass password resets for customers of compromised service providers.

Its goals changed as well, especially once it became an affiliate of the ALPHV/BlackCat ransomware operation and began concentrating on data extortion and encryption. Microsoft's report highlights this affiliation as notable: Octo Tempest, a native English-speaking group, is now associated with a ransomware-as-a-service operation, a type of partnership such operations had historically avoided. The group uses the affiliation to deploy ransomware payloads for both Windows and Linux, with a current emphasis on VMware ESXi systems.

Advanced social engineering and infiltration techniques

Octo Tempest stands apart for several reasons, above all its sophisticated social engineering. Because the attackers research their targets thoroughly, they can convincingly impersonate specific people and even mimic their speech patterns on the phone. Technical administrators, including support and help desk staff, are the main targets, since they hold the permissions the attackers need. To gain initial access, Octo Tempest uses a variety of techniques: phishing, SMS phishing,[3] SIM swapping, calling victims and talking them into installing remote monitoring and management (RMM) software, and, in some cases, direct physical threats.

After gaining initial access, Octo Tempest moves to a reconnaissance phase, gathering the information it needs to move further through legitimate channels. It then keeps exploring the infrastructure, escalating its privileges by using compromised accounts, self-service password resets, and other techniques. To find plaintext keys, secrets, and passwords in code repositories, the group uses tools such as Jercretz and TruffleHog.
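To make concrete what a secret-hunting tool of this kind does, here is an added example, not code from Microsoft's report or from the TruffleHog or Jercretz projects: a minimal Python scanner that walks a constructed in-memory repository, flags strings that match known credential formats (AWS access key IDs, GitHub personal access tokens, PEM private key headers), and separately flags long high-entropy strings that match no known format, the approach the original TruffleHog popularised. The sample repository, the rule set and the 4.0 bits-per-character threshold are assumptions for the illustration; the AWS values are Amazon's documented placeholder examples, not live credentials. The defensive use is the same as the offensive one: run such a scan on your own repositories before an attacker with a stolen account does.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample repository (path -> contents). The AWS values are Amazon's
# documented placeholder examples, not live credentials; the GitHub token is a
# made-up string with the right prefix and length; the PEM file has no key body.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GITHUB_TOKEN=" + "ghp_" + "a" * 36 + "\n"
        'echo "deploying"\n'
    ),
    "certs/dev.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(key material removed)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "# Service\nRun make test before pushing.\n",
}

# Known credential formats: caught by shape alone, regardless of entropy.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
    "github-pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Candidate for the entropy check: a long run of base64/hex-like characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; ordinary identifiers stay well below


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    match: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_line(path: str, line_no: int, line: str) -> list[Finding]:
    findings = []
    covered = []  # (start, end) spans already explained by a pattern rule
    for rule, rx in PATTERN_RULES.items():
        for m in rx.finditer(line):
            findings.append(Finding(path, line_no, rule, m.group(0)))
            covered.append(m.span())
    # Entropy rule: unknown formats that nevertheless look like random key material
    for m in TOKEN_RE.finditer(line):
        start, end = m.span()
        if any(start < ce and cs < end for cs, ce in covered):
            continue  # already reported by a pattern rule
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, line_no, "high-entropy-string", m.group(0)))
    return findings


def scan_repo(repo: dict[str, str]) -> list[Finding]:
    findings = []
    for path, contents in repo.items():
        for line_no, line in enumerate(contents.splitlines(), start=1):
            findings.extend(scan_line(path, line_no, line))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.match}")
```

Note what each rule catches: the AWS access key ID and the GitHub token are found by format even though the token is low-entropy, while the AWS secret key, which has no distinctive prefix, is found only because its entropy is high. Real scanners add many more formats, verify candidates against the issuing service, and scan git history rather than the working tree.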

Expert evasion and data theft

To avoid detection, Octo Tempest uses a range of techniques, such as suppressing notifications about the changes it makes and altering mailbox rules so that emails that might alert the victim are deleted automatically. The group also targets the accounts of security personnel in order to disable security products and controls. Its toolkit includes a variety of open-source remote access tools and Azure virtual machines used for remote access and moving data.

Octo Tempest also uses a less common technique: it combines Azure Data Factory with automated pipelines to move stolen data out of the environment while blending in with ordinary big-data processing. Additionally, to speed up the transfer of SharePoint document libraries and files, the group registers legitimate Microsoft 365 backup solutions.

Microsoft notes that because Octo Tempest relies on such a variety of tools, living-off-the-land techniques, and social engineering, the group can be difficult to detect in an environment. It does, however, provide some broad principles for spotting malicious activity. In particular, it is critical to monitor and review identity-related activity, Azure environments, and endpoints.
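As an added example that is not part of Microsoft's guidance or the original article, the following Python sketch shows how three of the behaviours described above can be turned into detection logic over a constructed set of audit events: a burst of password resets by one help desk account (mass resets), a new inbox rule that silently deletes mail (evasion), and an Azure Data Factory write by an account whose password was reset shortly before (exfiltration staging). The event schema, account names, thresholds and sample events are all made up for the illustration; the operation names are modelled on the Exchange New-InboxRule cmdlet and the Azure Data Factory resource provider, but the structure is not the export format of any real product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events in a simplified, made-up schema (not the export
# format of any real product). Operation names are modelled on the Exchange
# New-InboxRule cmdlet and the Azure Data Factory resource provider.
SAMPLE_EVENTS = [
    {"time": "2023-10-25T09:00:12Z", "source": "identity", "actor": "helpdesk-jsmith",
     "operation": "ResetUserPassword", "target": "a.lee@contoso.example"},
    {"time": "2023-10-25T09:00:40Z", "source": "identity", "actor": "helpdesk-jsmith",
     "operation": "ResetUserPassword", "target": "b.kim@contoso.example"},
    {"time": "2023-10-25T09:01:05Z", "source": "identity", "actor": "helpdesk-jsmith",
     "operation": "ResetUserPassword", "target": "c.ortiz@contoso.example"},
    {"time": "2023-10-25T09:01:30Z", "source": "identity", "actor": "helpdesk-jsmith",
     "operation": "ResetUserPassword", "target": "d.nair@contoso.example"},
    {"time": "2023-10-25T09:03:00Z", "source": "identity", "actor": "helpdesk-jsmith",
     "operation": "ResetUserPassword", "target": "e.wong@contoso.example"},
    {"time": "2023-10-25T09:05:10Z", "source": "exchange", "actor": "c.ortiz@contoso.example",
     "operation": "New-InboxRule",
     "parameters": {"From": "security-alerts@vendor.example", "DeleteMessage": "True"}},
    {"time": "2023-10-25T09:07:44Z", "source": "exchange", "actor": "b.kim@contoso.example",
     "operation": "New-InboxRule",
     "parameters": {"From": "newsletter@vendor.example", "MoveToFolder": "Newsletters"}},
    {"time": "2023-10-25T10:15:00Z", "source": "azure", "actor": "c.ortiz@contoso.example",
     "operation": "Microsoft.DataFactory/factories/write",
     "resource": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                 "rg-analytics/providers/Microsoft.DataFactory/factories/adf-bulk-01"},
    {"time": "2023-10-24T14:00:00Z", "source": "identity", "actor": "helpdesk-mdoe",
     "operation": "ResetUserPassword", "target": "f.iyer@contoso.example"},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def password_reset_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Flag an actor who resets `threshold` or more passwords inside `window`."""
    resets = defaultdict(list)
    for e in events:
        if e["source"] == "identity" and e["operation"] == "ResetUserPassword":
            resets[e["actor"]].append(parse_time(e["time"]))
    alerts = []
    for actor, times in resets.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "password-reset-burst", "actor": actor,
                               "detail": f"{end - start + 1} resets within {window}"})
                break                          # one alert per actor is enough
    return alerts


def mail_deleting_inbox_rules(events):
    """Flag inbox rules that delete mail, a way to hide alerts from the mailbox owner."""
    alerts = []
    for e in events:
        if e["source"] != "exchange" or e["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = e.get("parameters", {})
        if str(params.get("DeleteMessage", "")).lower() == "true":
            alerts.append({"rule": "inbox-rule-deletes-mail", "actor": e["actor"],
                           "detail": f"deletes mail from {params.get('From', '<any>')}"})
    return alerts


def data_factory_after_reset(events, lookback=timedelta(hours=24)):
    """Flag Data Factory changes by an account whose password was reset within `lookback`."""
    reset_at = defaultdict(list)
    for e in events:
        if e["source"] == "identity" and e["operation"] == "ResetUserPassword":
            reset_at[e["target"]].append(parse_time(e["time"]))
    alerts = []
    for e in events:
        if e["source"] != "azure" or not e["operation"].startswith("Microsoft.DataFactory/"):
            continue
        when = parse_time(e["time"])
        if any(timedelta(0) <= when - t <= lookback for t in reset_at.get(e["actor"], [])):
            alerts.append({"rule": "data-factory-after-reset", "actor": e["actor"],
                           "detail": f"{e['operation']} on {e['resource']}"})
    return alerts


def run_detections(events):
    return (password_reset_bursts(events)
            + mail_deleting_inbox_rules(events)
            + data_factory_after_reset(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['actor']}: {alert['detail']}")
```

The correlation in the third rule is the part that matters in practice: neither a password reset nor a Data Factory deployment is suspicious on its own, and a team following the advice to watch identity and Azure activity together would tune the thresholds and lookback to their own environment's baseline.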

Octo Tempest poses a serious danger to companies and organizations across many industries because of its purely financial motivation, pursued through ransomware attacks, cryptocurrency theft, and data extortion. Microsoft's comprehensive research serves as a sobering warning and a call for greater awareness and stronger security measures against this threat.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
