A Threat Analysis of 0ktapus SMS Phishing Campaigns

BSides Cheltenham · 40:17 · 1.7K views · Published 2023-06
Style: Talk

Transcript [en]

All right, so thanks everyone for coming. This is my talk, "They Can't Keep Getting Away With It", and I'm going to be doing a bit of a threat analysis on the 0ktapus / Scattered Spider campaigns, which probably some of you have heard of, but we're going to be diving into more about that.

A little bit about me: who am I? I've been a CTI researcher for four years. I've been working for a UK CTI company, and then I moved to go work for a company called Equinix, which is the world's digital infrastructure company. There's a kind of inside joke: we're the biggest company you've never heard of. We have 240 data centers around the world, and every time you use the internet your traffic's going through our exchanges, pretty much. I'm also a co-author of the SANS FOR589 Cybercrime Intelligence course, which is currently under development and will be available probably around this time next year. And I'm also the co-founder of the Curated Intelligence trust group, a group of about 160 CTI analysts around the world sharing information amongst each other. You can find me on the various websites as well.

So who is this group that we're talking about? Who is Scattered Spider, 0ktapus, who are these threat actors? Well, they're responsible for a big bunch of breaches. The techniques used by this group have been used against organizations such as Twilio, HubSpot, DoorDash, Okta, and then they launched additional campaigns. They're very persistent and constantly launching campaigns, and they end up stealing all sorts of stuff, accessing back ends and credentials and accounts, and all these companies keep getting hacked, basically.

A little bit more about what this campaign consists of. They're basically English-speaking cyber criminals. They are successfully compromising Fortune 500 companies that spend millions on cyber security, have massive teams, and still keep getting hacked. They're financially motivated threat actors and they mainly target North America as well, and they've been active pretty much since around 2022; that was probably their main year, but they're still active now. They launch persistent social engineering campaigns targeting the human factor of security, often the weakest link, and these guys prove exactly how that works.

So how do they do it? A brief summary of how these campaigns start and how they finish. They usually start with an SMS text that contains a malicious link. The user clicks it, they enter their credentials, then they provide the actor the 2FA prompt, and then the threat actor logs in with those credentials and performs additional follow-up post-compromise tactics and techniques. However, if the target of the SMS text doesn't immediately enter the credentials, the threat actors are known to actually call that victim pretending to be the company's IT team and try and guide them into providing them access as well; they've been on the phone for up to an hour sometimes trying to convince employees to give them access. Once inside, they move laterally, gain privileges and establish persistence, and then they basically go after data, source code, cryptocurrency private keys, whatever they can find that's valuable. Later they either threaten to leak that data or threaten to sell that data and try to extort the company that they stole it from.

An example here of one of these types of phishing texts: this is one that Activision got. They appear to be an automated SMS message; they pretend that your employment status is under review, and then in the domain they have the target company and the company they're posing as as well. The victim will go to that site; as you can see on the left, this is sort of what it looks like. They enter their username and password, then the threat actor enters that username and password on their end, then they ask the victim for the 2FA code, they send another automated message, and once they've got it they've automatically entered it and so they're in.

Once they've established persistence, moved around and stolen everything, the victim will sometimes get a ransom note. In this example Riot Games received a long email ransom note with a Telegram link to negotiate, basically. This ransom note was quite revealing of more information about who these threat actors are, because it contained things like: they say that their sole motivation is financial gain, that these aren't nation-state APT groups doing intelligence operations or anything like that, they just want to steal information, steal data and ransom it back to the victim, and they will also exploit that data as well. The interesting thing from this ransom note to me was that they also admit that the victim was attacked by an amateur-level attack, because it shows a bit more about the cyber criminal psyche as well. But yeah, as you can see, here's Mr Al; they asked a 10 million ransom.

So, as this talk is about doing CTI against the threat actor, we're going to be using one of the most important intelligence models, the Diamond Model, to actually understand a bit more about this adversary. We're also going to be using the Cyber Kill Chain by Lockheed Martin to explain how they go from stage one, reconnaissance, all the way through to their actions on objectives, and then we're also going to be using the MITRE ATT&CK framework to explain a bit more about how they perform each technique.

So we're going to start with capabilities. I broke this down into five different areas: preparation, social engineering, evading security, attacking the cloud, as well as exfiltrating data.

Preparation. One of the interesting things about this campaign is they focus on customers of single sign-on provider solutions. So in case you didn't realize, your company may be listed as a customer on one of these websites: Duo, Okta, Twilio, they all advertise who their customers are. So if you want to target a company and you want to find out what SSO provider they use, you just go to their customer testimonials or their advertised customer list. You can use OSINT, pretty much, to find this information very easily, and once they do that they can craft a custom phishing page for that organization using the company's logo as well as the SSO provider's logo. They will also use data brokers to gather information to then exploit and target those employees and users: things like ZoomInfo, Dehashed, RocketReach, all sorts of sources. You can even use LinkedIn as well if you want. Just from using these few sources you can get who their employees are, their name, phone number, email address and potentially the passwords that have already been breached as well.

Social engineering. What are these threat actors' primary social engineering methodologies? Well, SMS phishing is probably one of their calling cards. If your organization is getting SSO-themed text messages trying to steal credentials from your employees, there's a good chance it could be one of these threat actors. They often use things like "schedule changed" or "employment terminated" just to try and really entice the user to click on that text message, because if you're working for a company and suddenly they're saying you're terminated, you feel the pressure's on and you want to quickly find out what's happening there. And then again, as I mentioned, voice calls, and threatening or bribing people, tricking them into giving them access. Coinbase recently disclosed that they were attacked by a threat actor of this kind of nature; they even say the attacker claimed to be from the Coinbase IT team, and they were actually able to successfully compromise that victim's endpoint by installing a remote admin tool and going through the motions on that, which I'll dive into more in a bit.

The other thing that they do is SIM swapping. SIM swapping has been around for a long time, but only recently has it really been used against enterprises such as the ones I've mentioned who have been breached. So what is SIM swapping? SIM swapping involves tricking the mobile provider of an employee's phone number into transferring that phone number to a SIM card that the threat actor controls. They can do this by social engineering the help desk support admin of your mobile service provider into taking your phone number and giving it to someone else, basically. Once they do that, they control your phone number and they can trigger one-time password codes with password resets and then log into accounts and things. And successful SIM swaps, for years, have resulted in the targeting of cryptocurrency people, high net worth individuals with lots of cryptocurrency; those sorts of individuals have often been targeted by SIM swapping, but more recently they're going after enterprise accounts with access to more data as well that can assist in those types of campaigns. So yes, the possession of a phone number can actually be enough to reset other online accounts and passwords, and once the victim is compromised, the mobile service provider, it's kind of on them, it's their fault; there isn't really much you can do other than rely on the security and processes of that mobile service provider.

A bit more about evading enterprise security. They use remote monitoring and management tools such as AnyDesk, TeamViewer. I'm sure if any of you do any sort of threat hunting or adversary emulation you're going to be incorporating these types of tools into those campaigns. They also use session hijacking, basically using browser cookies: steal the cookie and then replay it, a replay attack as well. They're using bring-your-own-vulnerable-driver attacks to disable security tools. Code signing certificates actually stolen from companies: last year I believe Nvidia had a pretty bad breach and all their code signing certificates were stolen, and threat actors are using those code signing certificates to sign their malware. And then they're also using UEFI boot kits as well as tunneling tools.

A bit more about these RMM tools: they actually use up to 20 different RMM tools. So maybe you have an alert for unauthorized usage of AnyDesk or TeamViewer in your organization, if you're doing a lot of threat hunting, but if those two tools don't work the threat actors just move on to the next one and to the next one, and keep going until they eventually get access. The interesting thing about these RMM tools is that your antivirus, your EDR, is not actually going to flag those as malicious because they're legitimate tools, but the threat actors use them for remote access.

EditThisCookie. This is kind of an interesting one; it's kind of unique to these threat actors as well. They actually use a browser extension which is basically used for testing on e-commerce websites: whether a customer has gone to that site, added something to their basket, and whether they can go back and continue to add things. The same principle works with multi-factor authentication protocols as well and authentication cookies. So what the threat actor did was they were able to use an RMM tool to connect to someone's device and then steal the MFA token, and then they were able to authenticate into other areas as well, pivot into intranets and things.

Bring your own vulnerable driver. This is another interesting technique that these threat actors do. The interesting thing about BYOVD is that it's been going on for quite a while, but it kind of originated in the game hacking, game cheating communities. They were using these to bypass anti-cheat or turn off anti-cheat, and threat actors realized that they can use that to turn off antivirus and EDR. Once they've done that, it's possible to turn off Windows kernel protections. They literally bring a vulnerable driver, developed by Intel or something like that, that has a vulnerability already in it, so when they deploy it they can then exploit it, and because it's a valid driver your detection systems aren't going to flag it as malicious by default. You can create rules to detect this thing, but by default it's not going to stop it. And CrowdStrike actually said they saw Microsoft Defender, Palo Alto Cortex and SentinelOne EDRs just kind of fall over to this thing. So once they've disabled the endpoint, they can perform whatever actions they want.

Another way they can do that, if they don't use BYOVD, is they can actually use a UEFI boot kit. This one was called BlackLotus. It's actually developed by someone who came from an anti-cheat background, and they started selling this boot kit on the forums; this one was offered in October 2022 for about five thousand dollars, and these threat actors were actually able to purchase it and use it in their campaigns as well. The interesting thing about BlackLotus is that it can run on Windows 10 and 11, even with Secure Boot enabled. They can deploy this boot kit and then actually exploit another vulnerability, I believe it was in Intel processors, and then they can disable things like BitLocker, hypervisor-protected code integrity, as well as Windows Defender, and then they can perform all their sorts of tactics and post-exploitation activities after that. The interesting thing about BlackLotus as well, kind of a side note, is that if you tried to deploy it on a system that had language or system settings for Armenia, Belarus, Kazakhstan, Moldova, Russia or Ukraine, the boot kit actually won't work. I thought this scenario would be interesting to raise, because it's kind of an unwritten rule for malware developers from the Commonwealth of Independent States: they don't target their own. As long as you don't target your own, then the police and whoever the government is are not going to come after you.

Another interesting thing about these threat actors is that they also target the cloud and virtualized infrastructure. They target Azure, AWS and VMware ESXi. A lot of the time they will take the credentials that they've stolen by phishing, or potentially stolen via editing a cookie, and then they gain access to Azure VMs, and once they've established persistent access on those VMs they'll then move laterally to other systems and premises as well. Once they're inside Azure AD they will usually aim to export the configuration of Azure AD tenants and their users and perform all sorts of follow-up attacks, data theft and other attacks like that.

AWS. The interesting thing about AWS is that what these threat actors were found to be doing is that they are actually beginning to target AWS by exploiting or compromising a public-facing application known as ForgeRock OpenAM. Once they've gained access to these applications they assume the AWS instance roles that sort of come with those, and once they do that they open the AWS console, start creating accounts for non-existent users, establishing persistent access again, and then they pivot into the rest of the environment using their established credentials.

VMware ESXi is another interesting one, because they actually use a combination of two tools: a tunneling tool known as rsocx, as well as Level.io, again another RMM tool. Once they do that, they've actually also been known to launch a port scanner known as RustScan from a Docker container on the ESXi appliance as well.

So now we have a more comprehensive idea of how these threat actors are launching their campaigns, what sort of things they're doing, what sort of post-exploitation activities they do once they've passed the phishing, passed the social engineering stage. Infrastructure: not as long a section, but now we know what they do, we're going to go into what infrastructure they use to actually launch it from. For SMS phishing and VoIP phishing they've actually been able to use communications-platform-as-a-service offerings: Google Voice, Skype, something called Vonage, or Bandwidth. A lot of these things are like automated voice calling systems; if you want to book an appointment or something like that, sometimes you get an automated system, and the threat actors are actually using that against targets, as well as sending out malicious text messages in an automated fashion.

One of the ways that we can tie all these breaches together, in one way or another, is the fact that the phishing pages used to target these organizations are pretty much all the same, maybe a few minor details here and there, but the main fact is the target company's logo is on the phishing page and the target company's SSO provider also has its logo on it. It's quite a basic and straightforward phishing kit. Once you've entered your credentials, it actually has a Telegram back end to then feed in the credentials that can then be entered, and they can get into your account within the amount of time it takes for an SMS token or a 2FA token to expire, in an automated fashion.

So I actually gathered a load of domains related to these campaigns, and the interesting thing about these is, imagine each one having a load of subdomains as well. They register a ton of domains. They mainly use NameSilo, Tucows and Njalla, primarily because these registrars accept Bitcoin as well. If it has SSO in the domain, if it has Okta in the domain, or like "-cloud" or something, so if it's like your company as the subdomain, dash cloud, login, SSO, whatever.com, likely it's going to be one of these guys, and if it's registered using NameSilo or Tucows a
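The domain indicators the speaker lists (SSO or Okta in the name, a "-cloud" or login style token, the target company used as a subdomain, and registration through NameSilo, Tucows or Njalla) can be turned into a small hunting script that scores newly observed domains for analyst review. This is an added example, not the speaker's tooling or anything from the talk; the extra keywords, the scoring weights and threshold, the allowlist and the sample records are assumptions constructed for illustration.

```python
"""Triage candidate phishing domains against the naming/registration pattern
described in the talk. Added example, not the speaker's tooling. Keyword
list, weights, allowlist and SAMPLE_RECORDS are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Tokens the talk mentions ("sso", "okta", "cloud", "login") plus a few
# similar SSO-themed words (assumption, not from the talk).
SSO_KEYWORDS = {"sso", "okta", "duo", "login", "auth", "cloud", "vpn", "mfa"}
# Registrars the talk names as accepting Bitcoin.
CRYPTO_FRIENDLY_REGISTRARS = {"namesilo", "tucows", "njalla"}
SUSPICIOUS_THRESHOLD = 4  # assumed cut-off for analyst review


@dataclass
class Verdict:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _tokens(label: str) -> set:
    """Split one DNS label on '-' / '_' into lowercase word tokens."""
    return {t for t in re.split(r"[-_]+", label.lower()) if t}


def registrable_domain(domain: str) -> str:
    """Last two labels; a simplification (no public-suffix list lookup)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def score_domain(domain, brands, registrar="", allowlist=frozenset()):
    """Score one domain; `brands` are the company names we defend."""
    verdict = Verdict(domain)
    labels = domain.lower().strip(".").split(".")
    brands = {b.lower() for b in brands}

    # Genuine vendor/company domains must not be flagged for their own name.
    if registrable_domain(domain) in allowlist:
        verdict.reasons.append("registrable domain is allowlisted")
        return verdict

    sld_tokens = _tokens(labels[-2] if len(labels) >= 2 else labels[0])
    sub_tokens = set().union(*(_tokens(l) for l in labels[:-2])) if len(labels) > 2 else set()

    # 1. Company name used as a subdomain of an unrelated registrable domain
    #    (the "<company>.<something>-sso.<tld>" shape described in the talk).
    brand_as_sub = brands & sub_tokens
    if brand_as_sub:
        verdict.score += 3
        verdict.reasons.append(f"brand {sorted(brand_as_sub)} used as subdomain")

    # 2. Company name combined with an SSO word in the same label.
    if brands & sld_tokens and SSO_KEYWORDS & sld_tokens:
        verdict.score += 3
        verdict.reasons.append("brand combined with SSO keyword in domain label")

    # 3. SSO-themed tokens in the registrable label: 2 points each, capped at 4.
    keywords = SSO_KEYWORDS & sld_tokens
    if keywords:
        verdict.score += min(4, 2 * len(keywords))
        verdict.reasons.append(f"SSO-themed tokens {sorted(keywords)}")

    # 4. Registered through a registrar that accepts cryptocurrency.
    if registrar.lower() in CRYPTO_FRIENDLY_REGISTRARS:
        verdict.score += 1
        verdict.reasons.append(f"registered via {registrar}")

    return verdict


def triage(records, brands, allowlist=frozenset()):
    """Return suspicious verdicts, highest score first, for (domain, registrar) pairs."""
    verdicts = [score_domain(d, brands, r, allowlist) for d, r in records]
    return sorted((v for v in verdicts if v.suspicious), key=lambda v: -v.score)


# Constructed sample records (not real campaign indicators).
SAMPLE_RECORDS = [
    ("acme.sso-cloud-login.net", "Tucows"),
    ("twilio-okta.com", "NameSilo"),
    ("www.okta.com", "GoDaddy"),
    ("mail.example.org", "Cloudflare"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_RECORDS, {"acme", "twilio"}, allowlist={"okta.com"}):
        print(f"{v.domain}: score {v.score}; " + "; ".join(v.reasons))
```

In practice the records would come from a newly-registered-domain feed or certificate transparency logs, with registrar taken from WHOIS/RDAP; the allowlist keeps the real SSO vendor and your own domains from scoring, and the threshold is tuned against a week of benign registrations before the verdicts are routed to an analyst queue.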