Microsoft profiles new risk group with uncommon however efficient practices

[ad_1]

This is not what a hacker looks like. Except on hacker cosplay night.
Enlarge / This isn’t what a hacker seems like. Besides on hacker cosplay night time.

Microsoft has been monitoring a risk group that stands out for its potential to money in from knowledge theft hacks that use broad social engineering assaults, painstaking analysis, and occasional bodily threats.

Not like many ransomware assault teams, Octo Tempest, as Microsoft has named the group, doesn’t encrypt knowledge after gaining unlawful entry to it. As an alternative, the risk actor threatens to share the info publicly until the sufferer pays a hefty ransom. To defeat targets’ defenses, the group resorts to a number of strategies, which, in addition to social engineering, contains SIM swaps, SMS phishing, and stay voice calls. Over time, the group has grown more and more aggressive, at instances resorting to threats of bodily violence if a goal doesn’t adjust to directions to show over credentials.

“In uncommon cases, Octo Tempest resorts to fear-mongering techniques, concentrating on particular people by telephone calls and texts,” Microsoft researchers wrote in a submit on Wednesday. “These actors use private info, reminiscent of dwelling addresses and household names, together with bodily threats to coerce victims into sharing credentials for company entry.”

Threats sent by Octo Tempest to targets.
Enlarge / Threats despatched by Octo Tempest to targets.

Microsoft

Octo Tempest first got here to note early final 12 months because it used SIM swaps to ensnare corporations that present cellular telecommunications processing providers to different corporations. The group would then promote the unauthorized entry it gained by these swaps to different crime teams or use them to carry out account takeovers of high-net-worth people to steal their cryptocurrency. By the top of the 12 months, the group had broadened its strategies and expanded its targets to incorporate cable telecommunications, e-mail, and know-how organizations. Round this time, it started extorting victims whose knowledge it had stolen, generally resorting to bodily threats.

Earlier this 12 months, the native-English-speaking group turned an affiliate of the ALPHV/BlackCat ransom-as-a-service operation. That made the group stand out since Jap European ransomware crime syndicates hardly ever settle for English-speaking members. Octo Tempest’s ALPHV/BlackCat ransomware assaults goal each Home windows and Linux variations methods, typically after they run on VMWare ESXi servers. Targets typically are in industries together with pure sources, gaming, hospitality, shopper merchandise, retail, managed service suppliers, manufacturing, legislation, know-how, and monetary providers.

The evolution of Octo Tempest’s targeting, actions, outcomes, and monetization.
Enlarge / The evolution of Octo Tempest’s concentrating on, actions, outcomes, and monetization.

Microsoft

“In current campaigns, we noticed Octo Tempest leverage a various array of TTPs to navigate advanced hybrid environments, exfiltrate delicate knowledge, and encrypt knowledge,” Microsoft wrote. “Octo Tempest leverages tradecraft that many organizations don’t have of their typical risk fashions, reminiscent of SMS phishing, SIM swapping, and superior social engineering strategies.”

The researchers continued:

Octo Tempest generally launches social engineering assaults concentrating on technical directors, reminiscent of help and assist desk personnel, who’ve permissions that would allow the risk actor to achieve preliminary entry to accounts. The risk actor performs analysis on the group and identifies targets to successfully impersonate victims, mimicking idiolect on telephone calls and understanding private identifiable info to trick technical directors into performing password resets and resetting multifactor authentication (MFA) strategies. Octo Tempest has additionally been noticed impersonating newly employed staff in these makes an attempt to mix into regular on-hire processes.

Octo Tempest primarily positive aspects preliminary entry to a corporation utilizing one in every of a number of strategies:

  • Social engineering
    • Calling an worker and socially engineering the consumer to both:
      • Set up a Distant Monitoring and Administration (RMM) utility
      • Navigate to a website configured with a pretend login portal utilizing an adversary-in-the-middle toolkit
      • Take away their FIDO2 token
    • Calling a corporation’s assist desk and socially engineering the assistance desk to reset the consumer’s password and/or change/add a multi-factor authentication token/issue
  • Buying an worker’s credentials and/or session token(s) on a prison underground market
  • SMS phishing worker telephone numbers with a hyperlink to a website configured with a pretend login portal utilizing an adversary-in-the-middle toolkit
  • Utilizing the worker’s pre-existing entry to cellular telecommunications and enterprise course of outsourcing organizations to provoke a SIM swap or to arrange name quantity forwarding on an worker’s telephone quantity. Octo Tempest will provoke a self-service password reset of the consumer’s account as soon as they’ve gained management of the worker’s telephone quantity.

Extra tradecraft contains:

  • PingCastle and ADRecon to carry out reconnaissance of Lively Listing
  • Superior IP Scanner to probe sufferer networks
  • Govmomi Go library to enumerate vCenter APIs
  • PureStorage FlashArray PowerShell module to enumerate storage arrays
  • AAD bulk downloads of customers, teams, and units.

Octo Tempest techniques, tactics and procedures.
Enlarge / Octo Tempest strategies, techniques and procedures.

Microsoft

Microsoft’s submit incorporates varied different particulars, together with defenses organizations can undertake to repel the assaults. Defenses embody utilizing out-of-band communications when interacting with co-workers, educating staff, and implementing FIDO-compliant multifactor authentication.

[ad_2]

Leave a comment