Microsoft Issues Warning as Scattered Spider Transitions from SIM Swaps to Ransomware

The prolific threat group known as Scattered Spider has expanded its tactics from SIM swaps to ransomware attacks, with a new strategy of impersonating recently hired employees within targeted organizations.

Microsoft, which revealed the activities of this financially motivated hacking crew, labeled them as “one of the most dangerous financial criminal groups,” citing their operational adaptability and their integration of SMS phishing, SIM swapping, and help desk fraud in their attack methodology.

This adversary, referred to as “Octo Tempest,” is a collective of native English-speaking threat actors recognized for their extensive campaigns featuring adversary-in-the-middle (AiTM) tactics, social engineering, and SIM swapping capabilities.

Various cybersecurity firms track this group under different names, including 0ktapus, Scatter Swine, and UNC3944, and it has repeatedly singled out Okta to obtain elevated permissions and infiltrate targeted networks. Octo Tempest’s hallmark involves targeting support and help desk personnel through social engineering attacks to gain initial access to privileged accounts.

They trick help desk staff into resetting the victim’s password and multi-factor authentication (MFA) methods. Other methods include purchasing employee credentials and session tokens on the black market, direct phone calls to manipulate users into installing Remote Monitoring and Management (RMM) utilities or visiting fake login portals via an AiTM phishing toolkit, and persuading users to remove their FIDO2 tokens.

Initially, the group focused on mobile telecommunications providers and business process outsourcing (BPO) firms to initiate SIM swaps. Subsequently, they expanded to selling SIM swaps and executing account takeovers of high-net-worth individuals for cryptocurrency theft. In mid-2023, Octo Tempest also formed an affiliation with the BlackCat ransomware gang to extort victims.

Their attacks now target email and tech service providers, gaming, hospitality, retail, managed service providers (MSPs), manufacturing, technology, and financial sectors. Their end goals range from cryptocurrency theft to data exfiltration for extortion and deploying ransomware.

Once they gain a foothold, the attackers conduct reconnaissance and privilege escalation, often relying on stolen password policy procedures and bulk downloads of user, group, and role exports. They also use compromised accounts belonging to security personnel within victim organizations to disrupt security products and tamper with mailbox rules so that emails from vendors are automatically deleted.

Octo Tempest employs a wide range of tools and tactics, including enrolling actor-controlled devices into device management software to bypass controls and replaying harvested tokens with valid MFA claims to circumvent multi-factor authentication.

Furthermore, a unique technique they employ is compromising VMware ESXi infrastructure, installing the open-source Linux backdoor Bedevil, and launching VMware Python scripts to execute arbitrary commands on housed virtual machines.

To prevent such attacks, organizations should prioritize security awareness training for employees to recognize social engineering attempts and invest in robust security measures, including strong authentication and monitoring to detect unusual activities early. Additionally, businesses should consider implementing security policies to safeguard privileged accounts and prevent tampering with mailbox rules.
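The mailbox-rule tampering described above (rules that silently delete or hide vendor mail) is one of the monitoring targets this advice points at. The following is an added example, not code from the article or from Microsoft: it scores inbox-rule creation and modification records for the traits such rules tend to share. The record shape, field names and keyword lists are assumptions modelled on Exchange Online audit entries, and the sample records are constructed.

```python
# Constructed sample records shaped like Exchange Online unified-audit-log
# entries for inbox-rule operations (field names are an assumption).
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.test",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "FromAddressContainsWords", "Value": "okta;securityvendor.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.test",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "weekly digest"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.test",
     "Parameters": [{"Name": "Name", "Value": "a"},
                    {"Name": "BodyContainsWords", "Value": "security alert;suspicious sign-in"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders often used to hide mail without deleting it (assumed list).
HIDING_FOLDERS = {"rss feeds", "deleted items", "junk email", "archive", "conversation history"}
# Words that suggest the rule targets security notifications or vendor mail (assumed list).
SUSPICIOUS_WORDS = {"okta", "security", "alert", "suspicious", "sign-in", "password", "mfa", "phish"}

def params(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a plain dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def score_rule(record: dict) -> tuple[int, list[str]]:
    """Return (score, reasons); each matched trait adds one point."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    p = params(record)
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {p['MoveToFolder']}")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks mail as read")
    conditions = " ".join(v for k, v in p.items() if k.endswith("ContainsWords")).lower()
    if any(word in conditions for word in SUSPICIOUS_WORDS):
        reasons.append("filters on security-related or vendor words")
    if len(p.get("Name", "")) <= 2:
        reasons.append("near-empty rule name")
    return len(reasons), reasons

def suspicious_rules(records: list, threshold: int = 2) -> list[dict]:
    """Return the records whose score meets the threshold, with their reasons."""
    hits = []
    for r in records:
        score, reasons = score_rule(r)
        if score >= threshold:
            hits.append({"user": r.get("UserId"), "score": score, "reasons": reasons})
    return hits
```

Running `suspicious_rules(SAMPLE_AUDIT_LOG)` flags the two rules that delete or hide security-related mail and leaves the ordinary newsletter rule alone; the threshold is a tuning knob, not a verdict.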