The hackers behind the ransomware attack that crippled MGM Resorts operations are “one of the most dangerous financial crime groups” currently operating, Microsoft researchers said Wednesday.
In a blog post, researchers explained the tactics used by Octo Tempest, a group also known as Scattered Spider, 0ktapus or UNC3944.
The group has been in the spotlight since its attack on MGM Resorts paralyzed parts of Las Vegas for days and cost the casino giant around $100 million. The situation became so dire that federal authorities and the White House became involved in recovery efforts.
Microsoft echoed the findings of other researchers, describing how Octo Tempest evolved from prolific attackers relying on social engineering and SIM swapping into a group that today deploys ALPHV/BlackCat ransomware.
Researchers have also documented the group’s cruelty during their attacks. Hackers sent threatening text messages to employees of an unnamed company, claiming they would share information that could result in an employee being fired. They also said they would send someone to the person’s home with a gun. In other messages, the hackers threatened to send shooters who would attack the employee and his wife.
“In rare cases, Octo Tempest uses scare tactics, targeting specific individuals through phone calls and text messages. These actors use personal information, such as home addresses and last names, as well as physical threats to coerce victims into sharing their credentials to gain access to the company,” Microsoft explained.
ALPHV alliance
The group's members are native English speakers, and their ability to combine adversary-in-the-middle (AiTM), social engineering and SIM swapping tactics sets them apart from many other hacker gangs.
Microsoft said the group was initially seen in early 2022 attacking mobile telecommunications and business process outsourcing organizations to launch SIM swaps.
They monetized these attacks by selling SIM swaps to other hackers and by launching account takeover attacks against wealthy cryptocurrency owners.
“Between late 2022 and early 2023, Octo Tempest expanded its targeting to include cable, email, and technology organizations,” Microsoft said.
“During this period, Octo Tempest began monetizing intrusions by extorting victim organizations for data stolen during their intrusion operations and, in some cases, even using physical threats.”
By the middle of this year, the group had become an affiliate of the ALPHV/BlackCat ransomware gang, which is responsible for some of the most devastating attacks ever recorded.
Initially, Octo Tempest did not deploy ALPHV ransomware in its attacks and only extorted victims with stolen data posted on the ALPHV leak site, but in June it began deploying the ransomware as well.
According to Microsoft, the alliance between Octo Tempest and ALPHV was a first, because Eastern European ransomware gangs generally refuse to do business with English-speaking cybercriminals.
The industries they target have also grown and now include natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, legal, technology and financial services.
Help desk scams
Part of the group’s success is based on attacks that organizations typically don’t anticipate, according to Microsoft.
“The well-organized and prolific nature of Octo Tempest’s attacks is indicative of great technical depth and multiple hands-on-keyboard operators,” the researchers said.
“Octo Tempest typically launches social engineering attacks targeting technical administrators, such as support and help desk staff, who have permissions that could allow the threat actor to gain initial access to accounts.”
The hackers research the organizations they attack and identify key individuals they can impersonate in phone calls to IT help desks.
Using those individuals’ personal information, they pass as employees and convince administrators to reset passwords or multi-factor authentication (MFA) methods.
In some cases, the hackers posed as new employees and inserted themselves into the onboarding process.
According to Microsoft, the group gets its first access via several methods:
- Social engineering: They call an employee while posing as an IT specialist and have them install remote monitoring and management tools. From there, they ask the employee to enter their credentials into a fake login portal.
- Help desk scams: They call an organization’s help desk and ask IT to reset an employee’s password or change a multi-factor authentication token or factor.
- Purchasing credentials: They simply buy an employee’s credentials on underground markets.
- Text messages: They send employees a phishing link via SMS that leads to a fake login portal.
- SIM swapping: By taking over an employee’s phone number, they can initiate a password reset and set the new password to whatever they want.
The group was seen conducting extensive research on victims before launching attacks, enumerating networks so that once access was gained, they could quickly exfiltrate important data and user information.
“Octo Tempest uses an advanced social engineering strategy for privilege escalation, exploiting stolen password policy procedures, mass export downloads of users, groups and roles, and their familiarity with the procedures of the target organizations,” they said.
“Actor privilege escalation tactics often rely on establishing trust through various means, such as exploiting compromised accounts and demonstrating an understanding of the organization’s procedures. In some cases, they go so far as to bypass password reset procedures by using a compromised manager’s account to approve their requests.”
Microsoft has observed cases where hackers disable security products after compromising security personnel’s accounts.
They even changed security personnel’s mailbox rules “to automatically delete emails from vendors that might arouse the target’s suspicion of their activities.”
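The mailbox-rule trick described above is something defenders can hunt for. The following is an added example (not code from the article or from Microsoft’s report): it reviews exported inbox rules and flags any that would silently discard mail from security vendors. The rule record shape, the watched vendor domains and the sample rules are all constructed for the demo.

```python
# Added example: flag inbox rules that hide mail from security tooling.
# The record shape below loosely mirrors an exported inbox rule; the
# vendor domains, keywords and sample rules are constructed, not real.
import re

# Assumed watch list: senders and subject words a security team expects
# from its own vendors and alerting pipeline.
WATCHED_DOMAINS = ("securityvendor.example", "edr-alerts.example")
WATCHED_WORDS = ("alert", "incident", "detection", "suspicious")
HIDING_ACTIONS = {"delete", "permanentdelete"}
# Folders a user rarely looks at; moving mail there is as good as deleting it.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive",
                  "conversation history"}


def hides_mail(rule):
    """True if the rule's actions keep matching mail out of the inbox."""
    actions = {a.lower() for a in rule.get("actions", [])}
    if actions & HIDING_ACTIONS:
        return True
    folder = rule.get("target_folder", "").lower()
    return "movetofolder" in actions and folder in HIDING_FOLDERS


def targets_security_mail(rule):
    """True if the rule's conditions single out vendor senders or alert subjects."""
    senders = " ".join(rule.get("from_contains", [])).lower()
    subjects = " ".join(rule.get("subject_contains", [])).lower()
    if any(domain in senders for domain in WATCHED_DOMAINS):
        return True
    return any(re.search(r"\b%s\b" % re.escape(w), subjects) for w in WATCHED_WORDS)


def find_suspicious_rules(rules):
    """Return (mailbox, rule name) pairs a defender should review."""
    return [(r["mailbox"], r["name"]) for r in rules
            if hides_mail(r) and targets_security_mail(r)]


# Constructed sample export: two rules of the kind the article describes
# planted in an analyst's mailbox, plus one benign rule elsewhere.
SAMPLE_RULES = [
    {"mailbox": "soc-analyst@corp.example", "name": ".", "from_contains": ["@securityvendor.example"],
     "subject_contains": [], "actions": ["delete", "markasread"], "target_folder": ""},
    {"mailbox": "soc-analyst@corp.example", "name": "cleanup", "from_contains": [],
     "subject_contains": ["incident", "alert"], "actions": ["movetofolder"], "target_folder": "RSS Feeds"},
    {"mailbox": "hr@corp.example", "name": "newsletters", "from_contains": ["@marketing.example"],
     "subject_contains": [], "actions": ["movetofolder"], "target_folder": "Newsletters"},
]

if __name__ == "__main__":
    for mailbox, name in find_suspicious_rules(SAMPLE_RULES):
        print(f"review rule {name!r} in {mailbox}")
```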
Octo Tempest typically maintains its access to victims’ networks by leveraging identity tools such as AADInternals and Okta.
The gang used a variety of methods to monetize their attacks, including stealing cryptocurrency, selling stolen data, extorting victims, and using ransomware.
Microsoft’s report adds to a body of research on the group since its attack on MGM Resorts caused significant problems for several hotels in Las Vegas.
In a report released last month, security experts from cybersecurity firm and Google subsidiary Mandiant shed light on the group’s evolution from relatively aimless but high-profile data theft incidents at large technology companies to sophisticated ransomware attacks across a wide range of industries.
The group first made a name for itself with several high-profile attacks, including one against Coinbase in February.
A report from cybersecurity firm Group-IB said a recent phishing campaign by the group resulted in the compromise of nearly 10,000 accounts at more than 136 organizations, including Riot Games and Reddit.
Jonathan Greig
Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.