Blog Post

Microsoft Security Experts Blog
11 MIN READ

Octo Tempest: Hybrid identity compromise recovery

rpeckham's avatar
rpeckham
Icon for Microsoft rankMicrosoft
Jun 19, 2024

Have you ever gone toe to toe with the threat actor known as Octo Tempest? This increasingly aggressive threat actor group has evolved their targeting, outcomes, and monetization over the past two years to become a dominant force in the world of cybercrime. But what exactly defines this entity, and why should we proceed with caution when encountering them?

 

Octo Tempest (formerly DEV-0875) is a group known for employing social engineering, intimidation, and other human-centric tactics to gain initial access into an environment, granting themselves privilege to cloud and on-premises resources before exfiltrating data and unleashing ransomware across an environment. Their ability to penetrate and move around identity systems with relative ease encapsulates the essence of Octo Tempest and is the purpose of this blog post. Their activities have been closely associated with:

 

  • SIM swapping scams: Seize control of a victim's phone number to circumvent multifactor authentication.
  • Identity compromise: Initiate password spray attacks or phishing campaigns to gain initial access and create federated backdoors to ensure persistence.
  • Data breaches: Infiltrate the networks of organizations to exfiltrate confidential data.
  • Ransomware attacks: Encrypt a victim's data and demand primary, secondary or tertiary ransom fees to refrain from disclosing any information or release the decryption key to enable recovery.

 

Figure 1: The evolution of Octo Tempest’s targeting, actions, outcomes, and monetization.

 

Some key considerations to keep in mind for Octo Tempest are:

  • Language fluency: Octo Tempest purportedly operates predominantly in native English, heightening the risk for unsuspecting targets.
  • Dynamic: Have been known to pivot quickly and change their tactics depending on the target organizations response.
  • Broad attack scope: They target diverse businesses ranging from telecommunications to technology enterprises.
  • Collaborative ventures: Octo Tempest may forge alliances with other cybercrime cohorts, such as ransomware syndicates, amplifying the impact of their assaults.

 

As our adversaries adapt their tactics to match the changing defense landscape, it's essential for us to continually define and refine our response strategies. This requires us to promptly utilize forensic evidence and efficiently establish administrative control over our identity and access management services. In pursuit of this goal, Microsoft Incident Response has developed a response playbook that has proven effective in real-world situations. Below, we present this playbook to empower you to tackle the challenges posed by Octo Tempest, ensuring the smooth restoration of critical business services such as Microsoft Entra ID and Active Directory Domain Services.

 

Cloud eviction

We begin with the cloud eviction process. If any actor takes control of the identity plane in Microsoft Entra ID, a set of steps should be followed to hit reset and take back administrative control of the environment. Here are some tactical measures employed by the Microsoft Incident Response team to ensure the security of the cloud identity plane:

 

Figure 2: Cloud response playbook.

 

Break glass accounts

Emergency scenarios require emergency access. For this purpose, one or two administrative accounts should be established. These accounts should be exempted from Conditional Access policies to ensure access in critical situations, monitored to verify their non-use, and passwords should be securely stored offline whenever feasible.

 

More information on emergency access accounts can be found here: Manage emergency access admin accounts - Microsoft Entra ID | Microsoft Learn.

 

 

Federation

Octo Tempest leverages cloud-born federation features to take control of a victim’s environment, allowing for the impersonation of any user inside the environment, even if multifactor authentication (MFA) is enabled. While this is a damaging technique, it is relatively simple to mitigate by logging in via the Microsoft Graph PowerShell module and setting the domain back from Federated to Managed. Doing so breaks the relationship and prevents the threat actor from minting further tokens.

 

Connect to your Azure/Office 365 tenant by running the following PowerShell cmdlet and entering your Global Admin Credentials:

 

Connect-MgGraph

 

Change federation authentication from Federated to Managed running this cmdlet:

 

Update-MgDomain -DomainId "test.contoso.com" -BodyParameter @{AuthenticationType="Managed"}

 

 

 

Service principals

Service principals have their own identities, credentials, roles, and permissions, and can be used to access resources or perform actions on behalf of the applications or services they represent. These have been used by Octo Tempest for persistence in compromised environments. Microsoft Incident Response recommends reviewing all service principals and removing or reducing permissions as needed.

 

Conditional Access policies

These policies govern how an application or identity can access Microsoft Entra ID or your organization resources and configuring these appropriately ensures that only authorized users are accessing company data and services. Microsoft provides template policies that are simple to implement. Microsoft Incident Response recommends using the following set of policies to secure any environment.

 

Note: Any administrative account used to make a policy will be automatically excluded from it. These accounts should be removed from exclusions and replaced with a break glass account.

 

 Figure 3: Conditional Access policy templates.

 


Conditional Access policy: Require multifactor authentication for all users

This policy is used to enhance the security of an organization's data and applications by ensuring that only authorized users can access them. Octo Tempest is often seen performing SIM swapping and social engineering attacks, and MFA is now more of a speed bump than a roadblock to many threat actors. This step is essential.

 

Conditional Access policy: Require phishing-resistant multifactor authentication for administrators

This policy is used to safeguard access to portals and admin accounts. It is recommended to use a modern phishing-resistant MFA type which requires an interaction between the authentication method and the sign-in surface such as a passkey, Windows Hello for Business, or certificate-based authentication.

 

Note: Exclude the Entra ID Sync account. This account is essential for the synchronization process to function properly.

 

Conditional Access policy: Block legacy authentication

Implementing a Conditional Access policy to block legacy access prohibits users from signing in to Microsoft Entra ID using vulnerable protocols. Keep in mind that this could block valid connections to your environment. To avoid disruption, follow the steps in this guide.

 

Conditional Access policy: Require password change for high-risk users

By implementing a user risk Conditional Access policy, administrators can tailor access permissions or security protocols based on the assessed risk level of each user. Read more about user risk here.

 

Conditional Access policy: Require multifactor authentication for risky sign-ins

This policy can be used to block or challenge suspicious sign-ins and prevent unauthorized access to resources.

 

Segregate Cloud admin accounts

Administrative accounts should always be segregated to ensure proper isolation of privileged credentials. This is particularly true for cloud admin accounts to prevent the vertical movement of privileged identities between on-premises Active Directory and Microsoft Entra ID.

 

In addition to the enforced controls provided by Microsoft Entra ID for privileged accounts, organizations should establish process controls to restrict password resets and manipulation of MFA mechanisms to only authorized individuals.

 

During a tactical takeback, it's essential to revoke permissions from old admin accounts, create entirely new accounts, and ensure that the new accounts are secured with modern MFA methods, such device-bound passkeys managed in the Microsoft Authenticator app.

 

Figure 4: CISO series: Secure your privileged administrative accounts with a phased roadmap | Microsoft Security Blog.

 

Review Azure resources

Octo Tempest has a history of manipulating resources such as Network Security Groups (NSGs), Azure Firewall, and granting themselves privileged roles within Azure Management Groups and Subscriptions using the ‘Elevate Access’ option in Microsoft Entra ID.

 

It's imperative to conduct regular, and thorough, reviews of these services to carefully evaluate all changes to these services and effectively remove Octo Tempest from a cloud environment.

 

Of particular importance are the Azure SQL Server local admin accounts and the corresponding firewall rules. These areas warrant special attention to mitigate any potential risks posed by Octo Tempest.

 

 

Intune Multi-Administrator Approval (MAA)

Intune access policies can be used to implement two-person control of key changes to prevent a compromised admin account from maliciously using Intune, causing additional damage to the environment while mitigation is in progress.

 

Access policies are supported by the following resources:

  • Apps – Applies to app deployments but doesn't apply to app protection policies.
  • Scripts – Applies to deployment of scripts to devices that run Windows.

 

Octo Tempest has been known to leverage Intune to deploy ransomware at scale. This risk can be mitigated by enabling the MAA functionality.

 

 

Review of MFA registrations

Octo Tempest has a history of registering MFA devices on behalf of standard users and administrators, enabling account persistence. As a precautionary measure, review all MFA registrations during the suspected compromise window and prepare for the potential re-registration of affected users.

 

 

On-premises eviction

Additional containment efforts include the on-premises identity systems. There are tried and tested procedures for rebuilding and recovering on-premises Active Directory, post-ransomware, and these same techniques apply to an Octo Tempest intrusion.

 

 

Figure 5: On-premises recovery playbook.

 

 

Active Directory Forest Recovery

If a threat actor has taken administrative control of an Active Directory environment, complete compromise of all identities, in Active Directory, and their credentials should be assumed. In this scenario, on-premises recovery follows this Microsoft Learn article on full forest recovery: 

 

Active Directory Forest Recovery - Procedures | Microsoft Learn

 

If there are good backups of at least one Domain Controller for each domain in the compromised forest, these should be restored. If this option is not available, there are other methods to isolate Domain Controllers for recovery. This can be accomplished with snapshots or by moving one good Domain Controller from each domain into an isolated network so that Active Directory sanitization can begin in a protective bubble. 

 

Once this has been achieved, domain recovery can begin. The steps are identical for every domain in the forest:

 

  1. Metadata cleanup of all other Domain Controllers
  2. Seizing the Flexible Single Master Operations (FSMO) roles
  3. Raising the RID Pool and invalidating the RID Pool
  4. Resetting the Domain Controller computer account password
  5. Resetting the password of KRBTGT twice
  6. Resetting the built-in Administrator password twice
  7. If Read-Only Domain Controllers existed, removing their instance of krbtgt_xxxxx
  8. Resetting inter-domain trust account (ITA) passwords on each side of the parent/child trust
  9. Removing external trusts
  10. Performing an authoritative restore of the SYSVOL content
  11. Cleaning up DNS records for metadata cleaned up Domain Controllers
  12. Resetting the Directory Services Restore Mode (DSRM) password
  13. Removing Global Catalog and promoting to Global Catalog

 

When these actions have been completed, new Domain Controllers can be built in the isolated environment. Once replication is healthy, the original systems restored from backup can be demoted.

 

Octo Tempest is known for targeting Key Vaults and Secret Servers. Special attention will need to be paid to these secrets to determine if they were accessed and, if so, to sanitize the credentials contained within.

 

 

Tiering model

Restricting privilege escalation is critical to containing any attack since it limits the scope and damage. Identity systems in control of privileged access, and critical systems where identity administrators log onto, are both under the scope of protection.

 

Microsoft’s official documentation guides customers towards implementing the enterprise access model (EAM) that supersedes the “legacy AD tier model."  The EAM serves as an all-encompassing means of addressing where and how privileged access is used. It includes controls for cloud administration, and even network policy controls to protect legacy systems that lack accounts entirely.

 

However, the EAM has several limitations. First, it can take months, or even years, for an organization’s architects to map out and implement. Secondly, it spans disjointed controls and operating systems. Lastly, not all of it is relevant to the immediate concern of mitigating Pass-the-Hash (PtH) as outlined here.

 

Our customers, with on-premises systems, are often looking to implement PtH mitigations yesterdayThe AD Tiering model is a good starting point for domain-joined services to satisfy this requirement. It is:

 

  • Easier to conceptualize
  • Has practical implementation guidance
  • Rollout can be partially automated

 

The EAM is still a valuable strategy to work towards in an organization’s journey to security; but this is a better goal for after the fires and smoldering embers have been extinguished.

 

 

Figure 6: Securing privileged access Enterprise access model - Privileged access | Microsoft Learn.

 

Segregated privileged accounts

Accounts should be created for each tier of access, and processes should be put in place to ensure that these remain correctly isolated within their tiers.

 

Control plane isolation

Identify all systems that fall under the control plane. The key rule to follow is that anything that accesses or can manipulate an asset must be treated at the same level as the assets that they manipulate. At this stage of eviction, the control plane is the key focus area. As an example, SCCM being used to patch Domain Controllers must be treated as a control plane asset.

 

Backup accounts are particularly sensitive targets and must be managed appropriately.

 

 

Account disposition

The next phase of on-premises recovery and containment consists of a procedure known as account disposition in which all privileged or sensitive groups are emptied except for the account that is performing the actions. These groups include, but are not limited to:

 

  • Built-In Administrators
  • Domain Admins
  • Enterprise Admins
  • Schema Admins
  • Account Operators
  • Server Operators
  • DNS Admins
  • Group Policy Creator Owners

 

Any identity that gets removed from these groups goes through the following steps:

 

  1. Password is reset twice
  2. Account is disabled
  3. Account is marked with Smartcard is required for interactive login
  4. Access control lists (ACLs) are reset to the default values and the adminCount attribute is cleared

 

Once this is done, build new accounts as per the tiering model. Create new Tier 0 identities for only the few staff that require this level of access, with a complex password and marked with the Account is sensitive and cannot be delegated flag.

 

 

Access Control List (ACL) review

Microsoft Incident Response has found a plethora of overly-permissive access control entries (ACEs) within critical areas of Active Directory of many environments. These ACEs may be at the root of the domain, on AdminSDHolder, or on Organizational Units that hold critical services. A review of all the ACEs in the access control lists (ACLs) of these sensitive areas within Active Directory is performed, and unnecessary permissions are removed.

 

Mass password reset

In the event of a domain compromise, a mass password reset will need to be conducted to ensure that Octo Tempest does not have access to valid credentials. The method in which a mass password reset occurs will vary based on the needs of the organization and acceptable administrative overhead. If we simply write a script that gets all user accounts (other than the person executing the code) and resets the password twice to a random password, no one will know their own password and, therefore, will open tickets with the helpdesk. This could lead to a very busy day for those members of the helpdesk (who also don’t know their own password).

 

Some examples of mass password reset methods, that we have seen in the field, include but are not limited to:

  • All at once: Get every single user (other than the newly created tier 0 accounts) and reset the password twice to a random password. Have enough helpdesk staff to be able to handle the administrative burden.
  • Phased reset by OU, geographic location, department, etc.: This method targets a community of individuals in a more phased out approach which is less of an initial hit to the helpdesk.
  • Service account password resets first, humans second: Some organizations start with the service account passwords first and then move to the human user accounts in the next phase.

 

Whichever method you choose to use for your mass password resets, ensure that you have an attestation mechanism in place to be able to accurately confirm that the person calling the helpdesk to get their new password (or enable Self-Service Password Reset) can prove they are who they say they are. An example of attestation would be a video conference call with the end user and the helpdesk and showing some sort of identification (for instance a work badge) on the screen.

 

It is recommended to also deploy and leverage Microsoft Entra ID Password Protection to prevent users from choosing weak or insecure passwords during this event.

 

 

Conclusion

The battle against Octo Tempest underscores the importance of a multi-faceted and proactive approach to cybersecurity. By understanding a threat actors' tactics, techniques and procedures and by implementing the outlined incident response strategies, organizations can safeguard their identity infrastructure against this adversary and ensure all pervasive traces are eliminated. Incident Response is a continuous process of learning, adapting, and securing environments against ever-evolving threats.

 

 

Updated Jun 19, 2024
Version 3.0
  • Rafal_Fitt: Thanks for reaching and raising the question. :smile:

    Tactical Recovery often focuses on rapid execution and broad coverage to minimize the attack's impact as much as possible. The actions taken are modular and guided by forensic data. If there is evidence of compromise, a change will be initiated to regain administrative control of AD; otherwise, the focus will shift to the next step in the recovery playbook.

     

    During this phase, the DPAPI component is addressed as a tactical measure, with the understanding that strategic recovery will follow. This will likely necessitate a new architecture model for identity and access management, and creating a new forest/domain will certainly be part of that process.

  • Rafal_Fitt's avatar
    Rafal_Fitt
    Iron Contributor

    Please note that AD Forest Recovery doesn't mention DPAPI backup keys:

    "There currently is no officially supported way of changing or rotating these DPAPI backup keys on the domain controllers. In accordance with the document MS-BKRP, 3rd parties have the ability to develop an application or script that creates a new DPAPI Backup key and sets the new key to be the preferred key for the domain. However, these 3rd party solutions would be unsupported by Microsoft.


    Should the DPAPI Backup keys for the domain be compromised, the recommendation is to create a new domain and migrate users to that new domain. If a malicious actor is able to gain access to the DPAPI backup keys, it's likely that they have acquired domain administrator-level access to the domain and have full access to its resources. An attacker may also install other backdoor systems in the domain with the level of access that they now have, hence the recommendation to migrate to a new domain."

    Source: https://learn.microsoft.com/en-us/windows/win32/seccng/cng-dpapi-backup-keys-on-ad-domain-controllers#:~:text=There%20currently%20is,a%20new%20domain

  • techyguy94's avatar
    techyguy94
    Copper Contributor

    All the posts on securing accounts but why does MS not allow organizations to set password policies or allow admins to set password minimums in Azure.  For the love of God, how is 8 characters still a default in Azure and why is there no way to change this??? Come on MS get with it.