#NSBCS.002 – Octo Tempest - Extortion, Encryption, and Destruction

Octo Tempest is a financially motivated threat actor that has been active since early 2022. They are known for their use of social engineering techniques to gain access to victim networks, as well as their willingness to use threats and violence to extort victims. In recent months, Octo Tempest has become increasingly aggressive in their attacks. They have also expanded their targeting scope to include a wider range of industries including healthcare, education and government.

In June 2023, Octo Tempest became an affiliate of the ALPHV/BlackCat ransomware-as-a-service (RaaS) operation. This partnership has given Octo Tempest access to a more sophisticated ransomware payload, which they have used to encrypt data on victim networks and demand ransoms. In October 2023, Microsoft published a blog post warning organisations about the threat posed by Octo Tempest. The blog post detailed the group's tactics, techniques, and procedures (TTPs), and provided recommendations for how to defend against their attacks.

Figure: The evolution of Octo Tempest’s targeting, actions, outcomes and monetization

Key Takeaways:

  • Octo Tempest uses a variety of social engineering techniques to gain access to victim networks, including phishing emails, malicious attachments and fake websites.

  • Once Octo Tempest gains access to a victim network, the threat actors move laterally to identify and steal sensitive data.

  • Octo Tempest will then encrypt the stolen data and demand a ransom payment in exchange for the decryption key.

  • Octo Tempest is known to be very aggressive in their extortion tactics and they have threatened to release stolen data or disrupt victim operations if their ransom demands are not met.

  • Organisations should be aware of the threat that Octo Tempest poses, given the sophistication and wide range of capabilities in their tactics, techniques, and procedures (TTPs).

Recommendations:

1. Organisations should educate employees about social engineering techniques and how to identify and avoid them.

2. Implementing strong security controls, such as multi-factor authentication and email filtering, will help organisations protect against unauthorised access to networks and systems.

3. Companies should prioritise regularly backing up important data and storing the backups offline or in a cloud-based service.

4. Organisations should have a ransomware response plan in place as a proactive measure against the actions of threat actors. This plan should include procedures for isolating infected systems, restoring data from backups, and negotiating with attackers (if necessary).


What we read this week:

  • North Korean Hackers Target Crypto Experts with KANDYKORN macOS Malware - North Korean hackers are targeting cryptocurrency experts with a new macOS malware called KANDYKORN. The attackers are impersonating blockchain engineers on Discord and using social engineering tactics to trick victims into downloading and executing a ZIP archive containing malicious code.

  • US Energy Firm Targeted with Malicious QR Codes in Mass Phishing Attack - A US energy firm was targeted with a mass phishing attack that used malicious QR codes to deliver a remote access trojan (RAT) to victims. The attackers sent emails to employees with a link to a website that contained a QR code. When employees scanned the QR code, they were taken to a malicious website that downloaded and installed the RAT on their devices.

  • Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws - Apple, Google, and Microsoft have released security updates for their respective operating systems and other software products to patch a number of critical vulnerabilities. The vulnerabilities could allow attackers to execute arbitrary code, take control of affected systems, or steal sensitive data.

  • Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss - Atlassian is warning users of a new critical vulnerability in Confluence that could allow attackers to execute arbitrary code and take control of affected systems. The vulnerability has been assigned a CVSS score of 10.0, indicating that it is one of the most severe vulnerabilities possible.

  • Hackers use Citrix Bleed flaw in attacks on govt networks worldwide - Hackers are exploiting a critical vulnerability in Citrix NetScaler appliances to target government networks worldwide. The vulnerability, tracked as CVE-2023-4966, allows attackers to steal sensitive information and move laterally within networks.

References:

  • Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction - Microsoft Security Blog
  • North Korean Hackers Targeting Crypto Experts with KANDYKORN macOS Malware - thehackernews.com
  • Major U.S. energy org targeted in QR code phishing attack - bleepingcomputer.com
  • Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws - WIRED UK
  • Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss - thehackernews.com
  • Hackers use Citrix Bleed flaw in attacks on govt networks worldwide - bleepingcomputer.com