Microsoft dissects Octo Tempest

Microsoft’s MSIRT team is coming up with a warning that the hacking group that attacked MGM Resorts International. and Caesars Entertainment last month is one of the most dangerous financial criminal groups.

Microsoft tracks the group as Octo Tempest but also known as Scattered Spider and UNC3944. Octo Tempest first became active in early 2022 and uses extensive social engineering methods to target organizations worldwide, aiming for financial extortion.

Active since 2022, Octo Tempest joined forces with the BlackCat ransomware as a service operation and began extorting victims using the ALPHV Collections leak site without deploying ransomware

The relationship then extended to the group deploying BlackCat ransomware, primarily targeting VMWare ESXi servers. Due to this reason, the early reports on the MGM hack had the attack linked to ALPHV: Scattered Spider had deployed BlackCat ransomware in the attack.

Octo Templest impersonates victims, often mimicking their speech patterns or pretending to be newly hired employees. Their main methods for initial access include social engineering calls, purchasing employee credentials on the black market, SMS phishing and initiating SIM swaps, or setting up call forwarding on an employee’s phone. In some cases, they use intimidation by sending threats to specific individuals.

In the initial stage of their attacks, Octo Tempest undertakes extensive research, looking for data related to network infrastructure, password policies and more. They also explore cloud environments and other platforms. The group elevates their privileges through methods like initiating SIM swaps, social engineering and using stolen organizational procedures. Octo Tempest continually seeks to gather more credentials using open-source tools to identify keys and secrets.

To avoid detection, the group also compromises security personnel accounts within victim organizations to turn off security products and features. Using compromised accounts, the threat actor leverages endpoint detection and response and device management technologies to allow malicious tooling, deploy remote monitoring and management software, remove or impair security products, data theft of sensitive files and deploy malicious payloads.

Beyond their technical abilities, their alignment with the formidable BlackCat ransomware group amplifies their threat manifold. The real concern emerges when one realizes they’ve diversified from specific industries to a broader spectrum and are now unafraid to resort to outright physical threats, showcasing a concerning escalation in cybercriminal tactics.