
Meet Octo Tempest, the Infamous and Menacing Financial Hackers


A financially motivated hacking group known as Octo Tempest has recently gained notoriety for their aggressive attacks, leading Microsoft to label them as “one of the most dangerous financial criminal groups.” This group, also known as UNC3944 and 0ktapus, became an affiliate of the Russian-speaking ransomware group BlackCat a few months ago, a collaboration that is rare in the cybercriminal world. Traditionally, Eastern European ransomware groups have refused to do business with native English-speaking criminals.

Octo Tempest’s attacks are well-organized and highly prolific, indicating a high level of technical expertise and multiple individuals working together. The group first caught the attention of cyber defenders in early 2022 when they targeted mobile telecommunications and business process outsourcing organizations for SIM swaps. In September of that year, their ransomware attacks on Las Vegas casinos were traced back to Octo Tempest.

This hacking group was also responsible for a large-scale campaign that compromised over 130 organizations in 2022, including prominent companies like Twilio and Mailchimp. In June, Octo Tempest began deploying ransomware payloads developed by BlackCat for Windows and Linux systems. More recently, they have shifted their focus to VMware ESXi servers.

Originally, Octo Tempest targeted cable telecommunications, email, and technology organizations. However, the group has now expanded its scope to include a wide range of industries such as natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services. This broader targeting strategy reflects their increasing ambitions and desire for financial gain.

To gain initial access to an organization, Octo Tempest employs social engineering tactics that target support and help desk personnel. They conduct research on the organization and impersonate victims, using knowledge of the organization’s operations and personally identifiable information to trick technical administrators into performing password resets and resetting multifactor authentication methods. The group also takes advantage of various methods to gain entry, such as installing remote monitoring and management utilities, setting up fake login portals, and purchasing employees’ credentials on the black market.
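The help-desk reset pattern described above leaves a trace in identity audit logs: an administrator resets a password or clears MFA methods, and shortly afterwards the account registers a new authentication method or signs in from an address it has never used. The following Python is an added example, not code from the article or from Microsoft; its event schema, sample records and IP baseline are constructed for illustration and do not reflect any vendor's real log format.

```python
from datetime import datetime, timedelta

# Constructed audit events (hypothetical schema, not a vendor log format):
# (timestamp, actor, target account, action, source IP)
EVENTS = [
    ("2023-10-25T09:00:00", "helpdesk1", "alice", "reset_password", "10.0.0.5"),
    ("2023-10-25T09:02:00", "helpdesk1", "alice", "reset_mfa_methods", "10.0.0.5"),
    ("2023-10-25T09:10:00", "alice", "alice", "register_mfa_method", "203.0.113.7"),
    ("2023-10-25T09:12:00", "alice", "alice", "sign_in", "203.0.113.7"),
    ("2023-10-25T11:00:00", "helpdesk2", "bob", "reset_password", "10.0.0.6"),
    ("2023-10-26T08:30:00", "bob", "bob", "sign_in", "10.0.0.44"),
]

# Constructed baseline: IPs each account has used before these events.
KNOWN_IPS = {"alice": {"10.0.0.41"}, "bob": {"10.0.0.44"}}

ADMIN_RESETS = {"reset_password", "reset_mfa_methods"}  # done by someone else
FOLLOW_UPS = {"register_mfa_method", "sign_in"}         # done by the account
WINDOW = timedelta(hours=1)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_suspicious_resets(events, known_ips, window=WINDOW):
    """Return sorted (account, follow_up_action, ip) tuples where an
    admin-performed password/MFA reset is followed within `window` by a new
    MFA registration or sign-in from an IP the account has never used."""
    hits = set()
    resets = [e for e in events if e[3] in ADMIN_RESETS and e[1] != e[2]]
    for r_ts, _actor, target, _action, _ip in resets:
        t0 = parse(r_ts)
        for f_ts, _f_actor, f_target, f_action, f_ip in events:
            if f_target != target or f_action not in FOLLOW_UPS:
                continue
            delta = parse(f_ts) - t0
            if timedelta(0) <= delta <= window and f_ip not in known_ips.get(target, set()):
                hits.add((target, f_action, f_ip))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_suspicious_resets(EVENTS, KNOWN_IPS):
        print("ALERT: post-reset activity from unseen IP:", hit)
```

Only alice is flagged: bob's reset is followed by a sign-in the next day from an IP already in his baseline, so it falls outside both the time window and the unseen-IP condition.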

Once inside the targeted network, Octo Tempest conducts extensive reconnaissance and information gathering to expand its access and identify valuable resources. They explore virtual desktop infrastructure, enterprise-hosted resources, and multi-cloud environments to gather information on network architecture, employee onboarding, remote access methods, password policies, and credential vaults. This information allows them to plan their next moves, which can include cryptocurrency theft, data exfiltration for extortion, or the deployment of ransomware.

In terms of data exfiltration, Octo Tempest accesses data from various sources using legitimate management clients and file-hosting services. They make use of platforms like Azure Data Factory and automated pipelines to extract data and transfer it to external servers. This technique helps them blend in with typical big data operations and makes it more difficult for their activities to be detected.

Overall, Octo Tempest poses a significant threat to organizations across a wide range of industries. Their sophisticated tactics, extensive technical knowledge, and collaboration with other cybercriminal groups make them a force to be reckoned with. Organizations must remain vigilant and take all necessary precautions to protect themselves from this dangerous hacking group.
