Octo Tempest: extortion through phishing, SIM swapping and ransomware
Microsoft has monitored the actions of a group named Octo Tempest (identified by Crowdstrike as Scattered Spider and my Mandiant as UNC3944), which has targeted multiple firms to extort money. The cybercriminals, linked to the BlackCat group (ALPHV), use a range of methods to gain entry to networks and plant malicious software.
Octo Tempest generally relies on social engineering for corporate account access credentials. After making contact with an employee, particularly IT administrators, cybercriminals make requests for password changes or installation of remote access tools. Alternatively, they may have procured credentials from the dark web, sent text message links to phishing sites or conducted SIM swapping attacks.
Upon gaining entry, Octo Tempest commences the collection of information pertaining to corporate resources, including users, groups, devices, network architecture, backup systems, code repositories, cloud environments and servers amongst others. The attackers proceed by utilising different tools to increase privileges and obtain administrator permissions. They bypass security measures by disabling solutions and obstructing notifications related to changes. Persistence is maintained through manipulation of existing accounts or the installation of backdoors.
The final step consists of data theft and double extortion, in which BlackCat ransomware is installed, and ransom is demanded to avoid information disclosure. In some instances, cryptocurrency theft may also occur.
MITRE ATT&CK
| STAGE | Tactic ID | Technique Name |
|---|---|---|
| INITIAL ACCESS | TA0003 | Social Engineering |
| TA0006 | Masquerading and Impersonation | |
| DISCOVERY | TA0010 | Enumerating Internal Documentation |
| TA0016 | Continuing Environmental Reconnaissance | |
| CREDENTIAL ACCESS, LATERAL MOVEMENT | TA0008 | Identifying Tier-0 Assets |
| TA0011 | Accessing Enterprise Environments via VPN | |
| TA0012 | Collecting Additional Credentials | |
| DEFENSE EVASION, EXECUTION | TA0015 | Leveraging EDR and Management Tooling |
| TA0018 | Circumventing Conditional Access | |
| PERSISTENCE | TA0014 | Installing a Trusted Backdoor |
| TA0021 | Manipulating Existing Accounts | |
| TA0040 | Establishing Access to Resources | |
| ACTIONS ON OBJECTIVES | TA0013 | Staging and Exfiltrating Stolen Data |
| TA0031 | Deploying BlackCat Ransomware |
Indicators of Compromise
| IP/HASH |
|---|
| 45.132.227.213 |
| 144.76.136.153 |
| 119.93.5.239 |
| 146.70.103.228 |
| 159.223.213.174 |
| 169.150.203.51 |
| 185.195.19.206 |
| 198.54.133.45 |
| 198.54.133.52 |
| 217.138.198.196 |
| 217.138.222.94 |
| 45.134.140.177 |
| 45.86.200.81 |
| 45.91.21.61 |
| 89.46.114.66 |
| 18.206.107.24/29 |
| 1e5ad5c2ffffac9d3ab7d179566a7844 |
| 56fd7145224989b92494a32e8fc6f6b6 |
| 6639433341fd787762826b2f5a9cb202 |
| 828699b4133acb69d34216dcd0a8376e |
| 0272b018518fef86767b01a73213716708acbb80 |
| 10b9da621a7f38a02fea26256db60364d600df85 |
| d8cb0d5bbeb20e08df8d2e75d7f4e326961f1bf5 |
| ec37d483c3c880fadc8d048c05777a91654e41d3 |
| 3ea2d190879c8933363b222c686009b81ba8af9eb6ae3696d2f420e187467f08 |
| 4188736108d2b73b57f63c0b327fb5119f82e94ff2d6cd51e9ad92093023ec93 |
| 443dc750c35afc136bfea6db9b5ccbdb6adb63d3585533c0cf55271eddf29f58 |
| 53b7d5769d87ce6946efcba00805ddce65714a0d8045aeee532db4542c958b9f |
| 982dda5eec52dd54ff6b0b04fd9ba8f4c566534b78f6a46dada624af0316044e |
| acadf15ec363fe3cc373091cbe879e64f935139363a8e8df18fd9e59317cc918 |
| cce5e2ccb9836e780c6aa075ef8c0aeb8fec61f21bbef9e01bdee025d2892005 |
| 100.35.70.106 |
| 136.144.19.51 |
| 136.144.43.81 |
| 142.93.229.86 |
| 143.244.214.243 |
| 146.70.107.71 |
| 146.70.112.126 |
| 146.70.127.42 |
| 146.70.45.166 |
| 146.70.45.182 |
| 152.89.196.111 |
| 162.118.200.173 |
| 172.98.33.195 |
| 173.239.204.129 |
| 173.239.204.130 |
| 173.239.204.131 |
| 173.239.204.132 |
| 173.239.204.133 |
| 173.239.204.134 |
| 180.190.113.87 |
| 185.120.144.101 |
| 185.123.143.197 |
| 185.123.143.201 |
| 185.123.143.205 |
| 185.123.143.217 |
| 185.156.46.141 |
| 185.163.109.66 |
| 185.181.102.18 |
| 185.195.19.207 |
| 185.202.220.239 |
| 185.202.220.65 |
| 185.240.244.3 |
| 185.247.70.229 |
| 185.45.15.217 |
| 185.56.80.28 |
| 188.166.101.65 |
| 188.166.117.31 |
| 188.214.129.7 |
| 192.166.244.248 |
| 193.27.13.184 |
| 193.37.255.114 |
| 194.37.96.188 |
| 195.206.105.118 |
| 198.44.136.180 |
| 23.106.248.251 |
| 31.222.238.70 |
| 37.19.200.142 |
| 37.19.200.151 |
| 37.19.200.155 |
| 45.132.227.211 |
| 45.134.140.171 |
| 5.182.37.59 |
| 51.210.161.12 |
| 51.89.138.221 |
| 62.182.98.170 |
| 64.190.113.28 |
| 67.43.235.122 |
| 68.235.43.20 |
| 68.235.43.21 |
| 82.180.146.31 |
| 89.46.114.164 |
| 91.242.237.100 |
| 93.115.7.238 |
| 98.100.141.70 |
| 2a01:4f8:200:1097::2 |
| 45.132.227.211 |