Microsoft Warns of Scattered Spiders from SIM Swaps to Ransomware

Oct 26, 2023NewsroomCyber ​​Threat / Social Engineering

SIM Swaps with Ransomware

The prolific threat actor known as Scattered Spider observed impersonating newly hired employees of targeted companies as a ploy to mix up normal hiring processes and acquire accounts and breach organizations worldwide.

Microsoft, which disclosed the activities of the financial hacking crew, described the enemy as “one of the most dangerous financial criminal groups,” calling its operational fluidity and its ability to include SMS phishing, SIM swapping, and help desk fraud into his attack model.

“Octo Tempest is a financially motivated collective of native English-speaking threat actors known to launch extensive campaigns that prominently feature adversary-in-the-middle (AiTM) techniques , social engineering, and SIM purchasing capabilities,” the company said. SAYS.

It’s worth noting that the activity represented by Octo Tempest has been tracked by other cybersecurity companies under various monikers, including 0ktapus, Scatter Swine, and UNC3944, which has repeatedly singled out Okta for obtaining high permissions and infiltrating target networks.


One of the key features is targeting support and help desk staff through social engineering attacks to gain initial access to privileged accounts, tricking them into making -victim password reset and multi-factor authentication (MFA) methods.

Other methods include buying credentials and/or employee sessions in a criminal underground market, or calling the individual directly and socially engineering the user to install a Remote Monitoring and Management (RMM) utility, visit a fake login portal using an AiTM phishing toolkitor get their FIDO2 token.

Initial attacks mounted by the group targeted mobile telecommunication providers and business process outsourcing (BPO) organizations to initiate SIM swaps, before graduating to monetizing access to selling SIM swaps to other criminals and doing account takeovers of high-net-worth individuals for cryptocurrency theft. .

SIM Swaps with Ransomware

Octo Tempest has since diversified its target to include email and tech service providers, gaming, hospitality, retail, managed service providers (MSPs), manufacturing, technology, and financial sectors, while simultaneously emerging as a affiliate for the BlackCat ransomware gang in mid- 2023 to extort victims.

Differently, the end goal of the attacks varies between cryptocurrency theft and data exfiltration for extortion and ransomware deployment.

SIM Swaps with Ransomware

“In late 2022 to early 2023, (…) Octo Tempest began monetizing intrusions by extorting victim organizations for data stolen during their operations in intrusion and in some cases even the use of physical threats,” said Microsoft.

“In rare instances, Octo Tempest uses scare tactics, targeting specific individuals through phone calls and texts. These actors use personal information, such as home addresses and family names, along with physical threats to force victims to share credentials for corporate access.”


A successful foothold is followed by attackers who carry out environmental reconnaissance and privilege escalation, the latter is accomplished through stolen password policy methods, multiple user downloads, groups, and paper exports.

Another notable tradecraft is the use of compromised security personnel accounts within the victim’s organizations to compromise existing security products in an attempt to fly under the radar, in addition to tampering with security staff mailbox rules. to automatically delete emails from vendors.

The vast arsenal of tools and tactics used by Octo Tempest, including enrolling actor-controlled devices in device management software to bypass controls and replay harvested tokens with Satisfied acquisition of the MFA to bypass the MFA, indicating its many technical skills and the ability to navigate the complex. hybrid environment, Redmond said.

“A unique technique used by Octo Tempest is to compromise VMware ESXi infrastructure, install the open-source Linux backdoor Bedevil, and then launch VMware Python scripts to run arbitrary commands against virtual machines that are set up,” the company added.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment