Octo Tempest hackers target industries, Microsoft warns

October 27, 2023

Microsoft has disclosed the activities of a prolific, financially motivated hacking group known as Octo Tempest, which targets a wide range of industries, including telecommunications, BPO, email, tech services, gaming, hospitality, retail, MSPs, manufacturing, technology, and finance.

Octo Tempest is known for its use of social engineering attacks to gain initial access to privileged accounts, often targeting support and help desk personnel. The group has also been observed purchasing employee credentials and session tokens on the criminal underground market, or calling individuals directly to socially engineer them into performing actions such as installing RMM utilities, visiting fake login portals, or removing their FIDO2 tokens.

Once initial access is gained, Octo Tempest carries out reconnaissance of the environment and performs privilege escalation, often by exploiting stolen password policy procedures or downloading user, group, and role exports. The group has also been observed compromising security personnel accounts to impair the functioning of security products and tamper with security staff mailbox rules to delete emails from vendors.
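One defensive check against the mailbox-rule tampering described above, written as an added example that is not part of the article or of Microsoft's report: it scans inbox-rule creation events for rules that quietly hide mail from security vendors. The vendor domains, event field names and sample events are constructed assumptions, not real telemetry.

```python
"""Flag inbox rules that discard or hide security-vendor mail."""

# Hypothetical vendor sender domains a SOC wants to protect (assumption).
VENDOR_DOMAINS = {"edr-vendor.example", "siem-alerts.example"}
# Rule actions that remove a message from the mailbox owner's view.
HIDING_ACTIONS = {"DeleteMessage", "MoveToDeletedItems", "MarkAsRead"}
# Subject keywords typical of vendor notifications.
ALERT_WORDS = ("alert", "incident", "detection", "quarantine")

# Constructed audit records loosely shaped like inbox-rule creation events.
SAMPLE_EVENTS = [
    {"user": "soc.analyst@corp.example", "rule": "Cleanup",
     "from": ["alerts@edr-vendor.example"], "subject_contains": [],
     "actions": ["DeleteMessage"]},
    {"user": "soc.analyst@corp.example", "rule": "Newsletters",
     "from": ["news@marketing.example"], "subject_contains": [],
     "actions": ["MoveToFolder:Newsletters"]},
    {"user": "it.admin@corp.example", "rule": "Triage",
     "from": [], "subject_contains": ["Security Incident"],
     "actions": ["MarkAsRead", "MoveToDeletedItems"]},
]


def sender_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_suspicious_rule(event):
    """True when a rule hides mail AND targets vendor senders or alert subjects."""
    hides = any(action in HIDING_ACTIONS for action in event["actions"])
    if not hides:
        return False
    vendor_sender = any(sender_domain(a) in VENDOR_DOMAINS for a in event["from"])
    alert_subject = any(
        word in keyword.lower()
        for keyword in event["subject_contains"]
        for word in ALERT_WORDS
    )
    return vendor_sender or alert_subject


def find_suspicious_rules(events):
    """Return (user, rule name) pairs worth an analyst's attention."""
    return [(e["user"], e["rule"]) for e in events if is_suspicious_rule(e)]


if __name__ == "__main__":
    for user, rule in find_suspicious_rules(SAMPLE_EVENTS):
        print(f"suspicious inbox rule '{rule}' created by {user}")
```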

In addition to its social engineering and privilege escalation techniques, Octo Tempest employs a broad arsenal of tools and tactics, including enrolling actor-controlled devices into device management software to bypass controls and replaying harvested tokens with satisfied MFA claims to bypass MFA.

This demonstrates the group’s extensive technical expertise and its ability to navigate complex hybrid environments. Octo Tempest has also been observed using a unique technique to compromise VMware ESXi infrastructure, installing the open-source Linux backdoor Bedevil, and then launching VMware Python scripts to run arbitrary commands against housed virtual machines.

Microsoft notes that Octo Tempest has been observed targeting a wide range of victims, including high-net-worth individuals and Fortune 500 companies. The group’s end goals vary between cryptocurrency theft and data exfiltration for extortion and ransomware deployment.

In late 2022 to early 2023, Octo Tempest began monetizing intrusions by extorting victim organizations for data stolen during their intrusion operations and in some cases even resorting to physical threats. In rare instances, the group has also resorted to fear-mongering tactics, targeting specific individuals through phone calls and texts and using personal information to coerce victims into sharing credentials for corporate access.

The sources for this piece include an article in TheHackerNews.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
