Octo Tempest hackers target industries, Microsoft warns


Microsoft has disclosed the activities of Octo Tempest, a prolific, financially motivated hacking group that targets a wide range of industries, including telecommunications, BPO, email, tech services, gaming, hospitality, retail, MSPs, manufacturing, technology, and finance.

Octo Tempest is known for its use of social engineering attacks to gain initial access to privileged accounts, often targeting support and help desk personnel. The group has also been observed purchasing employee credentials and session tokens on the criminal underground market, or calling individuals directly to socially engineer them into performing actions such as installing RMM utilities, visiting fake login portals, or removing their FIDO2 tokens.

Once initial access is gained, Octo Tempest carries out reconnaissance of the environment and performs privilege escalation, often by exploiting stolen password policy procedures or by downloading user, group, and role exports. The group has also been observed compromising security personnel accounts in order to impair the functioning of security products, and tampering with security staff mailbox rules so that emails from vendors are deleted.
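The mailbox-rule tampering described above leaves an audit trail, and a defender can look for it. The following is an added example, not code from Microsoft or from the article: it scans constructed, simplified audit records (assumed fields `user`, `op`, `params`, modelled on inbox-rule operations) for rules that delete, move or mark as read mail from a list of protected vendor domains; the domains and users are placeholders.

```python
"""Flag inbox-rule changes that hide mail from security vendors.

Added example for this article, not code from Microsoft or the article.
Record layout is a constructed, simplified stand-in for a mailbox audit
export (assumed fields: user, op, params); the vendor domains are
illustrative placeholders, not real vendors.
"""

# Constructed list of sender domains whose mail must never be hidden.
PROTECTED_SENDER_DOMAINS = {"example-edr.test", "example-idp.test"}
# Operations that create or modify a rule, and the rule actions that would
# keep a vendor alert out of the analyst's inbox.
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")

def _domains_in(value: str) -> set[str]:
    """Lowercased domains from a comma/semicolon list of addresses or domains."""
    parts = value.replace(";", ",").split(",")
    return {p.strip().lower().split("@")[-1] for p in parts if p.strip()}

def _is_set(value) -> bool:
    """Treat missing, empty and 'False' parameter values as not set."""
    return value not in (None, "", False, "False")

def find_vendor_hiding_rules(records: list[dict]) -> list[tuple[str, str, str, str]]:
    """Return (user, rule name, protected domain, hiding action) per match."""
    findings = []
    for rec in records:
        if rec.get("op") not in RULE_OPS:
            continue
        params = rec.get("params", {})
        senders: set[str] = set()
        for key in ("From", "FromAddressContainsWords"):
            senders |= _domains_in(params.get(key, ""))
        for domain in sorted(senders & PROTECTED_SENDER_DOMAINS):
            for action in HIDING_ACTIONS:
                if _is_set(params.get(action)):
                    findings.append((rec["user"], params.get("Name", "?"), domain, action))
    return findings

# Constructed sample records: a benign newsletter rule and one deleting EDR mail.
SAMPLE_RECORDS = [
    {"user": "analyst@corp.test", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "From": "news@example-news.test",
                "MoveToFolder": "Reading"}},
    {"user": "analyst@corp.test", "op": "Set-InboxRule",
     "params": {"Name": "Cleanup", "FromAddressContainsWords": "example-edr.test",
                "DeleteMessage": "True", "MarkAsRead": "False"}},
]
```

Run against the sample, only the "Cleanup" rule is flagged, because it deletes mail from a protected domain while the newsletter rule touches an unprotected sender.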

In addition to its social engineering and privilege escalation techniques, Octo Tempest employs a broad arsenal of tools and tactics, including enrolling actor-controlled devices into device management software to bypass controls and replaying harvested tokens with satisfied MFA claims to bypass MFA.

This demonstrates the group’s extensive technical expertise and its ability to navigate complex hybrid environments. Octo Tempest has also been observed using a unique technique to compromise VMware ESXi infrastructure, installing the open-source Linux backdoor Bedevil, and then launching VMware Python scripts to run arbitrary commands against housed virtual machines.

Microsoft notes that Octo Tempest has been observed targeting a wide range of victims, including high-net-worth individuals and Fortune 500 companies. The group’s end goals vary between cryptocurrency theft and data exfiltration for extortion and ransomware deployment.

Between late 2022 and early 2023, Octo Tempest began monetizing intrusions by extorting victim organizations over data stolen during its operations, in some cases even resorting to physical threats. In rare instances, the group has also resorted to fear-mongering tactics, targeting specific individuals through phone calls and texts and using personal information to coerce victims into sharing credentials for corporate access.

The sources for this piece include an article in TheHackerNews.
