
Latest news with #UNC3944

Octo Tempest targets airlines as Microsoft warns of new cyber risks

Techday NZ, 7 days ago

Microsoft has reported that the cybercriminal group Octo Tempest has shifted its focus to the airlines sector following recent attacks on retail, food services, hospitality, and insurance organisations. The observed pattern is consistent with Octo Tempest's usual strategy of targeting a single sector for several weeks or months before moving on to new industries. Microsoft Security products are being regularly updated to address these evolving threats.

Octo Tempest activity

Octo Tempest, also known by names such as Scattered Spider, Muddled Libra, UNC3944, and 0ktapus, is financially motivated and employs a variety of methods in its attacks. Initial access is typically achieved through social engineering, including impersonation of legitimate users, as well as contacting support desks via phone, email, and messaging platforms. The group also uses SMS-based phishing through adversary-in-the-middle domains, which are crafted to appear as legitimate organisational sites. Additional tactics include the use of tools such as ngrok, Chisel, and AADInternals, impacting hybrid identity infrastructures, and exfiltrating data to support extortion or ransomware activities. Recent attacks have seen the deployment of DragonForce ransomware, with a focus on VMware ESX hypervisor environments. Unlike previous incidents, recent attacks have also impacted both on-premises accounts and infrastructure at the initial stage prior to shifting to cloud environments.

Detection strategies

Microsoft Defender provides detection coverage for Octo Tempest activity across all segments of the security portfolio, including endpoints, identities, SaaS applications, email and collaboration platforms, and cloud workloads. The following detection capabilities have been mapped against Octo Tempest's recently observed tactics, techniques, and procedures:

  • Initial access: Detection of unusual password resets within virtual environments
  • Discovery: Monitoring for suspicious credential dumping, account enumeration, and reconnaissance activities across DNS, SMB, SAMR, and LDAP
  • Credential access and lateral movement: Monitoring use of tools such as Mimikatz and ADExplorer, suspicious Azure role assignments, and potentially malicious device registrations
  • Persistence and execution: Identifying trusted backdoor installations and persistent ADFS backdoors
  • Actions on objectives: Detection of data exfiltration and prevention of ransomware deployment via Microsoft Defender capabilities

Microsoft notes that the list above is not exhaustive and that a full set of detection options remains available through the Microsoft Defender portal.

Attack disruption and incident response

"Attack disruption is Microsoft Defender's unique, built-in self-defense capability that consumes multi-domain signals, the latest threat intelligence, and AI-powered machine learning models to automatically predict and disrupt an attacker's next move by containing the compromised asset (user, device). This technology uses multiple potential indicators and behaviors, including all the detections listed above, possible Microsoft Entra ID sign-in attempts, possible Octo Tempest-related sign-in activities and correlate them across the Microsoft Defender workloads into a high-fidelity incident."

According to Microsoft, when Octo Tempest techniques are identified, attack disruption will disable compromised user accounts and revoke active sessions, isolating the threat. Security operations centre teams are advised to follow up with incident response actions to ensure threats are fully remediated.
Proactive defence approaches

Organisations are also encouraged to use Microsoft Defender's advanced hunting capabilities to proactively identify, trace, and respond to Octo Tempest-related activities. Analysts can query both Microsoft and non-Microsoft data sources using tools such as Microsoft Defender XDR and Microsoft Sentinel, and receive exposure insights from Microsoft Security Exposure Management. The Exposure Graph enables defenders to assess user targeting and potential impacts of compromise.

"Microsoft Security Exposure Management, available in the Microsoft Defender portal, equips security teams with capabilities such as critical asset protection, threat actor initiatives, and attack path analysis that enable security teams to proactively reduce exposure and mitigate the impact of Octo Tempest's hybrid attack tactics."

Security teams are advised to classify critical assets in the Microsoft Defender portal, create custom rules, and use initiatives to address specific threats including those posed by Octo Tempest and ransomware groups. The 'Chokepoint' view in the attack path dashboard allows teams to spot helpdesk-linked accounts that Octo Tempest is known to target and take remediating steps accordingly.

Recommended security measures

Microsoft has issued a set of basic security recommendations to mitigate exposure and limit the risk from groups such as Octo Tempest:

  • Identity security: Enable multifactor authentication (MFA) for all users, enforce phishing-resistant MFA for administrators, restrict overprovisioned identities in cloud environments, and use Microsoft Entra Privileged Identity Management.
  • Endpoint security: Activate cloud-delivered and real-time protection with Microsoft Defender Antivirus, turn on tamper protection, and use attack surface reduction rules to block credential stealing and related malicious techniques.
  • Cloud security: Enable purge protection for Key Vaults, use just-in-time network access control for virtual machines, encrypt data with customer-managed keys, activate logging for Azure Key Vault, and ensure Azure Backup is enabled for virtual machines.

"In today's threat landscape, proactive security is essential. By following security best practices, you reduce the attack surface and limit the potential impact of adversaries like Octo Tempest. Microsoft recommends implementing the following to help strengthen your overall posture and stay ahead of threats:"

The recent focus on the airlines sector by Octo Tempest highlights the ongoing shift in cybercriminal tactics and the need for robust, layered security measures. Organisations are encouraged to regularly reassess their security strategies, apply recommended safeguards, and utilise updated detection and disruption technologies to manage evolving threats.
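The detection items above (unusual password resets, potentially malicious device registrations) and the help-desk social engineering described throughout these reports share one observable chain: a help-desk operator adds an MFA method or phone number to someone else's account, a self-service password reset follows shortly after, and the first sign-in then comes from a device the account has never used. The following is an added, illustrative detector for that chain, written for this page and not code from Microsoft Defender or any product; the event schema, the constructed audit events, the `KNOWN_DEVICES` baseline and the 60-minute window are all assumptions of the example, not values taken from the articles.

```python
"""Correlate help-desk identity changes with follow-on password resets.

Toy detector over constructed audit-log events (not Defender telemetry,
not a product query). Flags the chain:
  help desk adds MFA method to another user's account
  -> self-service password reset within the window
  -> (optionally) sign-in from a device never seen for that user
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names and values are this example's own.
SAMPLE_EVENTS = [
    {"ts": "2025-06-27T09:02:00", "action": "MFA_METHOD_ADDED",
     "actor": "helpdesk.tier1", "target": "alice", "detail": "phone:+1555000111"},
    {"ts": "2025-06-27T09:05:00", "action": "PASSWORD_RESET",
     "actor": "alice", "target": "alice", "detail": "self-service"},
    {"ts": "2025-06-27T09:07:00", "action": "SIGN_IN",
     "actor": "alice", "target": "alice", "detail": "device:unregistered-7f3a"},
    # Benign: user registers a phone themselves, no reset, known device.
    {"ts": "2025-06-27T10:00:00", "action": "MFA_METHOD_ADDED",
     "actor": "bob", "target": "bob", "detail": "phone:+1555000222"},
    {"ts": "2025-06-27T10:30:00", "action": "SIGN_IN",
     "actor": "bob", "target": "bob", "detail": "device:laptop-bob"},
    # Help-desk change for carol, but the reset comes hours later (outside window).
    {"ts": "2025-06-27T11:00:00", "action": "MFA_METHOD_ADDED",
     "actor": "helpdesk.tier1", "target": "carol", "detail": "phone:+1555000333"},
    {"ts": "2025-06-27T15:00:00", "action": "PASSWORD_RESET",
     "actor": "carol", "target": "carol", "detail": "self-service"},
]

# Assumed per-user baseline of previously seen devices (constructed).
KNOWN_DEVICES = {"alice": {"laptop-alice"}, "bob": {"laptop-bob"}, "carol": {"laptop-carol"}}
WINDOW = timedelta(minutes=60)


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_helpdesk_reset_chains(events, known_devices, window=WINDOW):
    """Return one finding per help-desk MFA change that is followed within
    `window` by a password reset on the same account. Severity is raised to
    'high' when a sign-in from an unknown device also falls in the window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["target"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            # Only MFA changes made by someone other than the account owner count.
            if e["action"] != "MFA_METHOD_ADDED" or e["actor"] == user:
                continue
            t0 = _parse(e["ts"])
            later = [x for x in evs[i + 1:] if _parse(x["ts"]) - t0 <= window]
            reset = next((x for x in later if x["action"] == "PASSWORD_RESET"), None)
            if reset is None:
                continue
            unknown_device = None
            for x in later:
                if x["action"] == "SIGN_IN" and x["detail"].startswith("device:"):
                    dev = x["detail"].split(":", 1)[1]
                    if dev not in known_devices.get(user, set()):
                        unknown_device = dev
                        break
            findings.append({
                "user": user,
                "helpdesk_actor": e["actor"],
                "mfa_change_at": e["ts"],
                "reset_at": reset["ts"],
                "unknown_device": unknown_device,
                "severity": "high" if unknown_device else "medium",
            })
    return findings


def helpdesk_change_counts(events):
    """Distinct accounts each non-owner actor changed MFA methods on; a burst
    across many users from one help-desk login is its own review trigger."""
    targets = defaultdict(set)
    for e in events:
        if e["action"] == "MFA_METHOD_ADDED" and e["actor"] != e["target"]:
            targets[e["actor"]].add(e["target"])
    return {actor: len(users) for actor, users in targets.items()}


if __name__ == "__main__":
    for f in detect_helpdesk_reset_chains(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f)
    print(helpdesk_change_counts(SAMPLE_EVENTS))
```

On the constructed input only alice is flagged: the help-desk phone registration, reset and unknown-device sign-in all fall within an hour. bob's change is self-initiated and carol's reset is four hours later, so neither produces a finding, which is the point of keying on who made the change and how quickly the reset followed rather than on MFA changes alone. In a real deployment the baseline of known devices and the window would come from the identity provider's audit and sign-in logs, and the help-desk actor count would be compared against that operator's normal daily volume.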

Could airlines be the new target for hacking group Scattered Spider?

ITV News, 03-07-2025

It was the hacking group linked to both the M&S and Co-op cyber attacks, but it appears Scattered Spider has a new sector in its sights. Initially targeting retail companies, the group now appears to be setting its sights on the aviation industry. In the US, the Federal Bureau of Investigation recently posted on the social media platform X, raising the alarm. Both Google and the US cybersecurity company Palo Alto Networks have also warned of the potential threat.

In a statement posted on LinkedIn, Sam Rubin of Palo Alto said that the company has "observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry". Google experts reported similar findings. Charles Carmakal, an executive for Google's cybersecurity unit, said the company was "aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider".

No references were made to any specific airlines, but recently Canadian airline WestJet, Hawaiian Airlines and Qantas have all suffered from cyber attacks. The airlines have not released any details on potential links between the incidents and Scattered Spider, but the hacking group has been blamed for some of the most disruptive hacks across the UK and US in recent memory.

Who are Scattered Spider?

According to America's Cyber Defence Agency, Scattered Spider is a cybercriminal group that targets large companies and their IT help desks. Scattered Spider members have typically engaged in data theft for extortion and have been known to use BlackCat/ALPHV ransomware. The group initially dabbled in financial fraud and social media hacking but has become more advanced, conducting data breaches and stealing cryptocurrency. Some of its members are as young as 16 years old and meet on hacking forums, Discord servers and Telegram channels.

Why the aviation sector?

ITV News spoke to cyber security expert Graham Cluley about the reasons why the aviation sector is likely on the target list.

"Airlines and firms in the aviation industry consist of an attractive cocktail of critical infrastructure, sometimes outdated tech, and massive customer databases that can prove irresistible to hackers," he said. "Many aviation industry businesses still rely on legacy systems bolted onto newer platforms, which determined hackers like Scattered Spider love to exploit.

"Plus, of course, with the summer holidays about to begin and many travellers planning to jet overseas, hackers will view that as a greater incentive than ever for airlines to pay up, rather than cause chaos for their customers."

A spokesperson for the UK Civil Aviation Authority (CAA) told ITV News: 'We are aware of rumoured activity. We are in contact with the National Cyber Security Centre and have warned our industry contacts about this group and the techniques they use.'

How can airlines be better equipped to deal with potential threats?

Mr Cluley said airlines need to harden their defences to prevent attacks like this from happening. "Many hackers break into systems via stolen or phished credentials," he explained. "Scattered Spider, for instance, has often used the ploy of posing as employees who have been locked out of their accounts, and tricking service desks into giving them access.

"Additionally, the air industry needs to keep a close eye on its third-party suppliers - especially those which have privileged access to its network or data. Supply chain attacks are a favourite amongst hackers."

"Hopefully businesses in the air industry are also 'hacking themselves' - in other words, simulating the methods used by hackers to find weaknesses in their systems before they are exploited by cybercriminals," he continued. "Finally, there's a lot to be said for staff training - educating them about how hackers trick staff into making mistakes that can result in a cyber attack succeeding."

As a customer, it's important to ensure you have the best measures in place to protect yourself if an airline is targeted. "It's the airline that gets hacked, not you," Mr Cluley said. "But it might be your data that ends up in the hands of cybercriminals." He recommends using unique, strong passwords and advises customers not to use the same password for different places on the internet. "Where possible, enable multi-factor authentication (also known sometimes as two-factor authentication)," he said.

He also said that paying with a credit card makes it easier to get your money back if fraud occurs. He added: "You may also be wise to use a 'virtual card' which has a lower spending limit on it or can be locked to a specific merchant.

"Some banks offer this facility - making it possible to create a unique card number that is linked to your real account but cannot be reused elsewhere. If a travel site or airline is breached, your actual credit card number isn't exposed."

Tech firms warn 'Scattered Spider' hacks are targeting aviation sector

The Hindu, 30-06-2025

Tech companies Google and Palo Alto Networks are sounding the alarm over the "Scattered Spider" hacking group's interest in the aviation sector. In a statement posted on LinkedIn on Friday, Sam Rubin, an executive at Palo Alto's cybersecurity-focused Unit 42, said his company had "observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry." In a similar statement, Charles Carmakal, an executive with Alphabet-owned Google's cybersecurity-focused Mandiant unit, said his company was "aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider."

Neither executive identified which specific companies had been targeted, but Alaska Air Group-owned Hawaiian Airlines and Canada's WestJet have both recently reported being struck by unspecified cyber incidents. Neither company has gone into detail about the intrusions or commented on any potential links between the incidents and Scattered Spider.

The loose-knit but aggressive hacking group, alleged to at least in part comprise youngsters operating in Western countries, has been blamed for some of the most disruptive hacks to hit the United States and Europe in recent memory. In 2023, hackers tied to the group broke into gaming companies MGM Resorts and Caesars Entertainment, partially paralysing casinos and knocking slot machines out of commission. Earlier this year, the group wreaked havoc at British retailers. More recent targets include the U.S. insurance industry.

Tech firms warn 'Scattered Spider' hacks are targeting aviation sector

Business Times, 29-06-2025

[WASHINGTON] Tech companies Google and Palo Alto Networks are sounding the alarm over the 'Scattered Spider' hacking group's interest in the aviation sector. In a statement posted on LinkedIn on Friday, Sam Rubin, an executive at Palo Alto's cybersecurity-focused Unit 42, said his company had 'observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry'. In a similar statement, Charles Carmakal, an executive with Alphabet-owned Google's cybersecurity-focused Mandiant unit, said his company was 'aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.'

Neither executive identified which specific companies had been targeted, but Alaska Air Group-owned Hawaiian Airlines and Canada's WestJet have both recently reported being struck by unspecified cyber incidents. Neither company has gone into detail about the intrusions or commented on any potential links between the incidents and Scattered Spider.

The loose-knit but aggressive hacking group, alleged to at least in part comprise youngsters operating in Western countries, has been blamed for some of the most disruptive hacks to hit the US and Europe in recent memory. In 2023, hackers tied to the group broke into gaming companies MGM Resorts and Caesars Entertainment, partially paralysing casinos and knocking slot machines out of commission. Earlier this year, the group wreaked havoc at British retailers. More recent targets include the US insurance industry. REUTERS

A notorious hacker group is now targeting the aviation industry, the FBI says

Business Insider, 28-06-2025

According to an FBI warning, a notorious cybercriminal group known as Scattered Spider is targeting the US airline industry by deceiving IT help desks. Scattered Spider gained attention in 2023 for hacking both MGM Resorts and Caesars Entertainment within a week of each other.

"These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access," the FBI said on X. "These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts."

The FBI said the group is focused on large corporations and their third-party IT providers, so "anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk." "Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware," the agency said. The FBI did not indicate that the actions affect airline safety.

Charles Carmakal, the chief technology officer at Google's Mandiant, a cybersecurity firm and subsidiary of Google Cloud, said on LinkedIn that the firm was "aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider."

"We recommend that the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service password resets), reset passwords, add devices to MFA solutions, or provide employee information (e.g. employee IDs) that could be used for a subsequent social engineering attacks," he said.

Unit 42, a cybersecurity threat research team that is part of the larger Palo Alto Networks cybersecurity corporation, said it also observed Scattered Spider targeting the aviation industry. "Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests," Sam Rubin, senior vice president of consulting and threat intelligence for Unit 42, said on LinkedIn on Friday.

Canada's WestJet announced earlier this month that it had uncovered a "cybersecurity incident involving internal systems and the WestJet app, which has restricted access for several users." A spokesperson told Business Insider the company has made "significant progress" regarding the matter, and investigations were ongoing. Hawaiian Airlines also said on Thursday that it experienced a "cybersecurity event" that affected some of its IT systems. "We continue to safely operate our full flight schedule, and guest travel is not impacted," the company said in a press release.
