LeeArchinal, to Cybersecurity

Happy Monday!

Ending the mini-series that covers the Cisco Talos Intelligence Group's Year In Review report, we will be diving into the MITRE ATT&CK Technique T1068, Exploitation for Privilege Escalation. This technique falls under the Tactic of Privilege Escalation (TA0004) and has no sub-techniques. This technique can be seen when adversaries "exploit software vulnerabilities in an attempt to elevate privileges" (https://attack.mitre.org/techniques/T1068/) and has been used by groups like and seen in the malware.

Freemind, to Cybersecurity

According to the agencies, Scattered Spider has become adept at social engineering, employing tactics such as phishing, push bombing, and SIM swapping.

https://cybersec84.wordpress.com/2023/11/22/the-fbis-pursuit-of-the-scattered-spider-hackers/

simontsui, to random

CISA and FBI released a cybersecurity advisory on Scattered Spider, a cybercriminal group targeting commercial facilities sectors and subsectors. The advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023. Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques and have recently leveraged BlackCat/ALPHV ransomware alongside their usual TTPs.
Link: https://www.cisa.gov/news-events/alerts/2023/11/16/fbi-and-cisa-release-advisory-scattered-spider-group

ChristinaLekati, to Cybersecurity

Microsoft published a new blog with an analysis of the TTPs of the Octo Tempest group (also known as 0ktapus or Scattered Spider), a financially motivated threat actor that relies heavily on for initial access.

This group is reportedly the one behind the Okta, MGM Resorts & Caesars this year, as well as the MailChimp & Twilio attacks last year.

"Octo Tempest commonly launches social engineering attacks targeting technical administrators, such as support and help desk personnel, who have permissions that could enable the threat actor to gain initial access to accounts. The threat actor performs research on the organization & identifies targets to effectively impersonate victims, mimicking idiolect on phone calls & understanding personal identifiable information to trick technical administrators into performing password resets & resetting MFA"

"Octo Tempest leverages tradecraft that many organizations don’t have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques."

In reality, most organizations don't have a social engineering security protocol for most types of social engineering attacks beyond and some vishing attacks/tactics. There is a lot of work to be done...

The blog:

https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/

simontsui, to random

Microsoft provides a threat actor profile on the financially motivated threat actor Octo Tempest (aka 0ktapus, Scattered Spider, and UNC3944). They perform data theft, extortion, and ransomware. TTPs enumerated but no IOC provided.
Link: https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/

brett, to random

The hackers who allegedly breached the security at ’s casinos this month originally planned to manipulate the software running the slot machines, and “recruit mules to gamble and milk the machines”.

https://www.ft.com/content/a25d2897-b0ce-4ba7-92ed-ff5df09d1b47
