Microsoft says Octo Tempest is ready to attack servers with new weapons

The best defense: keep your servers updated.




With cyber attacks on the rise, Microsoft has warned about a financially motivated cybercrime group it tracks as Octo Tempest. The group is known for sophisticated intrusions, including attacks on VMware ESXi servers, and according to a Microsoft Threat Intelligence thread on X it has now added two new ransomware payloads to its campaigns: RansomHub and Qilin. The addition of new payloads matters because it shows a well-resourced actor that has lost one ransomware partner simply moving on to others, which keeps the threat to organizations worldwide undiminished.

In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns.

Microsoft

The group is not new. Microsoft first published its profile of Octo Tempest in October 2023, and its members are not average hackers: they combine advanced social engineering, identity compromise techniques, and persistent, hands-on activity inside victim networks. Octo Tempest initially deployed BlackCat (ALPHV) ransomware. With BlackCat no longer operating, the group has switched to RansomHub and Qilin, a notable change in how it carries out extortion.

The background to the switch is the Change Healthcare breach, carried out through a BlackCat affiliate, which resulted in a $22 million ransom payment. The BlackCat operators then kept the payment for themselves and shut down their infrastructure, an exit scam that left the affiliate unpaid and gigabytes of sensitive stolen data unaccounted for. RansomHub rose to prominence in the aftermath and has since been tied to attacks on well-known organizations such as Christie’s, Rite Aid, and NRS Healthcare.

How RansomHub reaches victims is especially concerning. Microsoft has observed it deployed as a post-compromise payload by Manatee Tempest after Mustard Tempest obtains initial access through FakeUpdates/SocGholish infections, in which users are tricked into running a fake browser update. This hand-off from an initial-access broker to a deployment crew shows the affiliate model behind RansomHub: Octo Tempest is only one of several actors that now bring the same payload to victims.

So what can organizations do to protect themselves from these shifting threats? Microsoft’s guidance is basic but important: keep systems, including ESXi hosts, updated and patched to close known vulnerabilities; enforce strong access controls and identity protections, since Octo Tempest relies heavily on identity compromise; train staff to recognize phishing and social engineering, including fake browser update prompts; and deploy security tooling that can detect and stop intrusions before ransomware is deployed. Regular, offline or otherwise isolated backups remain essential for recovering from a ransomware attack.

The threat landscape keeps changing, and attackers have lately begun using AI to strengthen their operations. Octo Tempest represents a new wave of cybercrime that keeps pushing the limits, so staying informed and acting on fundamental security practices matters more than ever.
