New in Social engineering
Sometimes, not knowing the password is the only way not to disclose it.
11/1/2023 · 1 min read
Here is what social engineering looks like today. The threat actor targets technical administrators, such as support and help desk personnel, whose permissions could let the actor gain initial access to accounts. The threat actor researches the organization and identifies targets it can impersonate convincingly, mimicking the victim's idiolect on phone calls and using knowledge of their personally identifiable information to trick technical administrators into performing password resets and resetting multifactor authentication (MFA) methods. Octo Tempest has also been observed impersonating newly hired employees in these attempts, so that the request blends into normal on-hire processes.
Octo Tempest primarily gains initial access to an organization using one of several methods:

- Social engineering
  - Calling an employee and socially engineering the user to either:
    - Install a Remote Monitoring and Management (RMM) utility
    - Navigate to a site configured with a fake login portal using an adversary-in-the-middle toolkit
    - Remove their FIDO2 token
  - Calling an organization's help desk and socially engineering the help desk to reset the user's password and/or change/add a multi-factor authentication token/factor
- Purchasing an employee's credentials and/or session token(s) on a criminal underground market
- SMS phishing employee phone numbers with a link to a site configured with a fake login portal using an adversary-in-the-middle toolkit
- Using the employee's pre-existing access to mobile telecommunications and business process outsourcing organizations to initiate a SIM swap or to set up call number forwarding on an employee's phone number. Octo Tempest will initiate a self-service password reset of the user's account once they have gained control of the employee's phone number.
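The help-desk path above has a recognisable footprint in identity audit logs: a password reset performed by a help-desk account, an MFA method added shortly afterwards, and then a sign-in from a device the user has never used. The following Python is an added example (not code from this post or from Microsoft's report) that correlates that sequence per target user over constructed audit events. The event schema, the account names and the one-hour correlation window are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample identity audit events (not real data). The field names
# (ts, action, actor, target, via, device_known) are assumptions for this
# example, not the schema of any particular identity provider.
EVENTS = [
    {"ts": "2023-11-01T09:02:00", "action": "password_reset",
     "actor": "helpdesk.agent", "target": "alice", "via": "helpdesk_portal"},
    {"ts": "2023-11-01T09:05:00", "action": "mfa_method_added",
     "actor": "helpdesk.agent", "target": "alice", "via": "helpdesk_portal"},
    {"ts": "2023-11-01T09:09:00", "action": "sign_in",
     "actor": "alice", "target": "alice", "via": "vpn", "device_known": False},
    # bob: help-desk reset, but no MFA change, and the next sign-in is from a known device
    {"ts": "2023-11-01T14:00:00", "action": "password_reset",
     "actor": "helpdesk.agent", "target": "bob", "via": "helpdesk_portal"},
    {"ts": "2023-11-02T10:00:00", "action": "sign_in",
     "actor": "bob", "target": "bob", "via": "vpn", "device_known": True},
    # carol: routine self-service MFA enrolment with no preceding reset
    {"ts": "2023-11-01T11:00:00", "action": "mfa_method_added",
     "actor": "carol", "target": "carol", "via": "self_service"},
]

WINDOW = timedelta(hours=1)  # assumed correlation window; tune to the help desk's real process


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _minutes_after(event, t0):
    return int((_ts(event) - t0).total_seconds() // 60)


def find_takeover_chains(events, window=WINDOW):
    """Correlate, per target user, a help-desk password reset followed within
    `window` by an MFA method addition. A sign-in from an unregistered device
    inside the same window raises severity from medium to high.
    Returns a list of findings ordered by reset time."""
    by_target = {}
    for ev in sorted(events, key=_ts):
        by_target.setdefault(ev["target"], []).append(ev)

    findings = []
    for target, evs in by_target.items():
        for reset in evs:
            if reset["action"] != "password_reset" or reset["via"] != "helpdesk_portal":
                continue
            t0 = _ts(reset)
            later = [e for e in evs if t0 < _ts(e) <= t0 + window]
            mfa_changes = [e for e in later if e["action"] == "mfa_method_added"]
            if not mfa_changes:
                continue  # a reset on its own is ordinary help-desk work
            indicators = [
                f"help-desk password reset by {reset['actor']} at {reset['ts']}",
                f"MFA method added {_minutes_after(mfa_changes[0], t0)} min after reset",
            ]
            severity = "medium"
            unknown_dev = [e for e in later
                           if e["action"] == "sign_in" and not e.get("device_known", True)]
            if unknown_dev:
                indicators.append(
                    f"sign-in from unregistered device {_minutes_after(unknown_dev[0], t0)} min after reset")
                severity = "high"
            findings.append({"target": target, "reset_at": reset["ts"],
                             "severity": severity, "indicators": indicators})
    findings.sort(key=lambda f: f["reset_at"])
    return findings


if __name__ == "__main__":
    for f in find_takeover_chains(EVENTS):
        print(f["severity"].upper(), f["target"])
        for line in f["indicators"]:
            print("  -", line)
```

Running it flags only alice (high severity, three indicators); bob's reset with no MFA change and carol's self-service enrolment produce nothing, which is the point of correlating the reset with the MFA change rather than alerting on either event alone. In a real deployment the window should match how long the help desk's own reset-then-enrol flow takes, and the "unregistered device" signal should come from whatever device registration the identity provider actually records.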
In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts. These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access.