
Microsoft has recently observed the threat group Octo Tempest, also known as Scattered Spider, Muddled Libra, UNC3944, or 0ktapus, targeting the airline sector, marking a shift from its earlier activity between April and July this year that focused on retail, food service, hospitality, and insurance organizations. The behavior is consistent with the group’s pattern of concentrating on a specific industry for an extended period before pivoting to new targets. Microsoft Security is actively updating its protection coverage in response to these evolving tactics.
The financially motivated cybercriminal group has been observed using a range of methods across its end-to-end attacks. It gains initial access through social engineering, impersonating a user and contacting service desk support by phone, email, and messaging. It also uses Short Message Service (SMS)-based phishing with adversary-in-the-middle (AiTM) domains that mimic legitimate organizations, relies on tools such as ngrok, Chisel, and AADInternals, compromises hybrid identity infrastructure, and exfiltrates data to support extortion or ransomware operations.
“Recent activity shows Octo Tempest has deployed DragonForce ransomware with a particular focus on VMware ESX hypervisor environments,” the Microsoft Defender Security Research Team wrote in a blog post last week. “In contrast to previous patterns where Octo Tempest used cloud identity privileges for on-premises access, recent activities have involved impacting both on-premises accounts and infrastructure at the initial stage of an intrusion before transitioning to cloud access.”
Drawing on what Microsoft has learned from common Octo Tempest techniques, the post noted that automatic attack disruption will disable the user account used by Octo Tempest and revoke all of the compromised user's active sessions. “While attack disruption can contain the attack by cutting off the attacker, it is critical for security operations center (SOC) teams to conduct incident response activities and post-incident analysis to help ensure the threat is fully contained and remediated.”
Octo Tempest is notorious for aggressive social engineering, often targeting individuals with specific permissions in order to gain legitimate access and move laterally through networks. “Using advanced hunting and the Exposure Graph, defenders can proactively assess and hunt for the threat actor’s related activity and identify which users are most likely to be targeted and what will be the effect of a compromise, strengthening defenses before an attack occurs.”
The group is also known for extracting credentials from the Local Security Authority Subsystem Service (LSASS) with tools like Mimikatz and for signing in from attacker-controlled IPs, both of which can be mitigated through controls such as attack surface reduction (ASR) rules and sign-in policies. Microsoft's initiative brings these mitigations together into a focused program, mapping real-world attacker behaviors to actionable controls that reduce exposure and disrupt attack paths before they escalate.
The program is part of a broader initiative focused on reducing exposure to extortion-driven attacks by hardening the identity, endpoint, and infrastructure layers, with recommendations tailored to the organization.
Security teams can use attack path analysis to trace cross-domain threats like those used by Octo Tempest, which has exploited the critical Entra Connect server to pivot into cloud workloads, escalate privileges, and expand its reach. Teams can use the ‘Chokepoint’ view in the attack path dashboard to highlight entities that appear in multiple paths, making it easy to filter for helpdesk-linked accounts, a known Octo Tempest target, and prioritize their remediation.
The researchers advised following security best practices that shrink the attack surface and blunt the impact of threat actors like Octo Tempest. The recommendations span identity security, endpoint security, and cloud security.
To bolster identity security, Microsoft outlined enabling multifactor authentication (MFA) for users, using phishing-resistant methods that add a second layer of protection if one factor is compromised; turning on sign-in risk policies that automatically challenge or block risky sign-in attempts; requiring phishing-resistant MFA for administrators to harden access to high-value accounts; and auditing and minimizing overprovisioned Azure identities by assigning only the permissions each role needs.
For endpoint security, the researchers suggest enabling cloud-delivered protection and real-time protection; turning on Endpoint Detection and Response (EDR) in block mode to block malicious activity after a breach using behavior-based detection; enabling tamper protection; blocking credential theft from the Local Security Authority (LSA) to stop common credential-theft techniques; and isolating sensitive secrets so that only trusted system processes can access them.
To strengthen cloud security, Microsoft recommends enabling purge protection to prevent the immediate and permanent deletion of secrets and vaults; utilizing Just-In-Time (JIT) access for virtual machines; locking down exposed management ports and limiting access windows; and encrypting data with customer-managed keys (CMKs). It also calls for enabling logging in Azure Key Vault and retaining logs for at least one year to create an audit trail for incident response; and turning on Azure Backup for virtual machines to protect data with geo-redundant recovery points in case of ransomware or system failure.
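The article frames these identity, endpoint, and cloud recommendations as controls mapped to specific Octo Tempest behaviors. The following added example (not Microsoft's code or tooling) evaluates a constructed tenant posture snapshot against such a mapping and reports which of the named techniques remain unmitigated; the posture keys and the technique-to-control mapping are assumptions, and real values would come from Entra ID, Defender for Endpoint, and Azure configuration APIs.

```python
"""Report which Octo Tempest techniques named in the article a tenant
posture leaves unmitigated. Added example, not Microsoft tooling; the
posture keys and technique-to-control mapping are constructed assumptions."""

# A technique counts as mitigated when ANY of its listed controls is on
# (e.g. LSA protection or the ASR rule both blunt LSASS credential dumping).
TECHNIQUE_CONTROLS = {
    "help-desk social engineering against privileged users":
        ["phishing_resistant_mfa_for_admins"],
    "SMS (AiTM) phishing of users":
        ["phishing_resistant_mfa_for_users"],
    "sign-in from attacker-controlled IPs":
        ["sign_in_risk_policy"],
    "LSASS credential dumping (Mimikatz)":
        ["lsa_protection", "asr_block_lsass_credential_theft"],
    "post-breach tooling (ngrok, Chisel) on endpoints":
        ["edr_block_mode"],
    "permanent deletion of secrets and vaults":
        ["keyvault_purge_protection"],
    "ransomware impact on virtual machines":
        ["vm_backup_geo_redundant"],
}
MIN_LOG_RETENTION_DAYS = 365  # article: keep Key Vault logs for at least a year


def unmitigated(posture: dict) -> list[str]:
    """Return techniques with none of their controls enabled, plus a finding
    when Key Vault logging is off or its retention is shorter than a year."""
    gaps = [tech for tech, ctrls in TECHNIQUE_CONTROLS.items()
            if not any(posture.get(c, False) for c in ctrls)]
    if not posture.get("keyvault_logging", False):
        gaps.append("no Key Vault audit trail for incident response")
    elif posture.get("keyvault_log_retention_days", 0) < MIN_LOG_RETENTION_DAYS:
        gaps.append(f"Key Vault logs kept {posture['keyvault_log_retention_days']}d "
                    f"(< {MIN_LOG_RETENTION_DAYS}d)")
    return gaps


# Constructed snapshots: a weak tenant and one that follows the advice.
WEAK = {"sign_in_risk_policy": False, "lsa_protection": False,
        "edr_block_mode": False, "keyvault_logging": True,
        "keyvault_log_retention_days": 90}
HARDENED = {c: True for ctrls in TECHNIQUE_CONTROLS.values() for c in ctrls}
HARDENED.update(keyvault_logging=True, keyvault_log_retention_days=365)

if __name__ == "__main__":
    for name, snap in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {unmitigated(snap) or 'all mapped techniques mitigated'}")
```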
Earlier this month, the FBI reported that Scattered Spider has widened its focus to include the airline sector. The group continues to rely on social engineering, often posing as employees or contractors to trick IT help desks into handing over access.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.