Microsoft: Octo Tempest Is One of the Most Dangerous Financial Hacking Groups
by Ionut Ilascu
This page contains highlights I saved while reading Microsoft: Octo Tempest Is One of the Most Dangerous Financial Hacking Groups by Ionut Ilascu. These quotes were collected using Readwise.
Highlights
The researchers provide the following additional tools and techniques that Octo Tempest uses in their attacks:
• open-source tools: ScreenConnect, FleetDeck, AnyDesk, RustDesk, Splashtop, Pulseway, TightVNC, LummaC2, Level.io, Mesh, TacticalRMM, Tailscale, Ngrok, WsTunnel, Rsocx, and Socat
• deploying Azure virtual machines to enable remote access via RMM installation or modification to existing resources via Azure serial console
• adding MFA methods to existing users
• using the tunneling tool Twingate, which leverages Azure Container instances as a private connector (without public network exposure)
They research the company to identify the targets they can impersonate to the level of mimicking the speech patterns of the individual in phone calls.
By doing so, they trick technical administrators into performing password resets and reset multi-factor authentication (MFA) methods.
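The two highlights above describe a sequence a defender can watch for in identity audit logs: a helpdesk-driven password reset followed shortly by a new MFA method being registered for the same account. The following Python script is an added example, not code from the article or from Microsoft; it runs a simple correlation over constructed Entra-style audit events. The event field names (`time`, `activity`, `target`, `actor`, `method`), the activity strings and the 30-minute window are assumptions chosen for illustration, not Microsoft's actual audit schema.

```python
"""
Added example (not from the article or Microsoft's report): correlate a
password reset with a new MFA registration for the same user inside a short
window, the pattern the highlights describe.

Assumptions (not from the page): the event field names, activity strings and
the 30-minute correlation window are illustrative, not a real audit schema.
"""
from datetime import datetime, timedelta

# Constructed sample events. Field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:00:00", "activity": "Reset user password",
     "target": "alice@example.test", "actor": "helpdesk1@example.test"},
    {"time": "2024-01-15T09:12:00", "activity": "User registered security info",
     "target": "alice@example.test", "actor": "alice@example.test",
     "method": "Authenticator App"},
    {"time": "2024-01-15T10:00:00", "activity": "Reset user password",
     "target": "bob@example.test", "actor": "helpdesk1@example.test"},
    {"time": "2024-01-16T14:00:00", "activity": "User registered security info",
     "target": "bob@example.test", "actor": "bob@example.test", "method": "Phone"},
    {"time": "2024-01-15T11:00:00", "activity": "User registered security info",
     "target": "carol@example.test", "actor": "carol@example.test", "method": "Phone"},
]

# Activities treated as "credentials or MFA were reset" (assumed names).
RESET_ACTIVITIES = {"Reset user password", "Admin deleted security info"}
# Activities treated as "a new MFA method was added" (assumed names).
MFA_ADD_ACTIVITIES = {"User registered security info", "Admin registered security info"}


def find_reset_then_mfa_add(events, window=timedelta(minutes=30)):
    """Return a list of (target, reset_time, mfa_time, method) tuples for every
    MFA registration that follows a reset of the same target within `window`."""
    # Parse timestamps and process events in chronological order.
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["ts"],
    )
    last_reset = {}  # target -> timestamp of the most recent reset
    alerts = []
    for e in parsed:
        if e["activity"] in RESET_ACTIVITIES:
            last_reset[e["target"]] = e["ts"]
        elif e["activity"] in MFA_ADD_ACTIVITIES:
            reset_ts = last_reset.get(e["target"])
            if reset_ts is not None and e["ts"] - reset_ts <= window:
                alerts.append((e["target"], reset_ts.isoformat(),
                               e["ts"].isoformat(), e.get("method", "unknown")))
    return alerts


if __name__ == "__main__":
    for target, reset_at, mfa_at, method in find_reset_then_mfa_add(SAMPLE_EVENTS):
        print(f"ALERT: {target} reset at {reset_at}, "
              f"new MFA method '{method}' registered at {mfa_at}")
```

In the constructed data only alice trips the rule: bob's new method arrives a day after the reset, and carol never had a reset. In practice the window and the actor (self-service versus helpdesk) are the knobs to tune; a registration performed by a different actor than the user, right after a helpdesk reset, deserves the closest look.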
Other methods for initial access include:
• tricking the target into installing remote monitoring and management software
• stealing the logins through phishing sites
• buying credentials or session tokens from other cybercriminals
• SMS phishing employees with links to fake login portals that capture the credentials
• SIM-swapping or call forwarding
• direct threats of violence
They use tools like Jercretz and TruffleHog to automate the search for plaintext keys, secrets, and passwords across code repositories.