At the intersection of devious social engineering and nimble technology adaptation stands Muddled Libra. With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses.

Muddled Libra is a methodical adversary that poses a substantial threat to organizations in the software automation, BPO, telecommunications and technology industries. Unit 42 researchers and responders have investigated more than half a dozen interrelated incidents from mid-2022 through early 2023, which we’ve attributed to the threat group Muddled Libra. This threat group favors targeting large outsourcing firms serving high-value cryptocurrency institutions and individuals.

Thwarting Muddled Libra requires a combination of tight security controls, diligent security awareness training and vigilant monitoring.

Palo Alto Networks customers receive protection from the threats described in this blog through a modern security architecture built around Cortex XSIAM in concert with Cortex XDR. The Advanced URL Filtering and DNS Security Cloud-Delivered Security Services can help protect against command and control (C2) infrastructure, while App-ID can limit anonymization services allowed to connect to the network.

Related topics: Muddled Libra (related to Scattered Spider, Scatter Swine), 0ktapus

Contents: Threat Overview, Attack Chain, Reconnaissance, Resource Development, Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Execution, Lateral Movement, Collection, Exfiltration, Impact, Conclusion and Mitigations, Indicators of Compromise, Additional Resources

Threat Overview

The attack style defining Muddled Libra appeared on the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit, which offered a prebuilt hosting framework and bundled templates. With large numbers of realistic fake authentication portals and targeted smishing, attackers were able to quickly gather credentials and multifactor authentication (MFA) codes. The speed and breadth of these attacks caught many defenders off guard.

While smishing is not new, the 0ktapus framework commoditized the establishment of a normally complex infrastructure in a way that granted even low-skilled attackers a high success rate. These features included prebuilt templates and a built-in C2 channel via Telegram, all for a cost of only a few hundred US dollars. This improvement in functionality led to cybercriminals launching a massive attack campaign targeting a wide range of organizations.

The sheer number of targets being hit with this kit has created a fair amount of confusion in the research community about attributing these attacks. Previous reporting by Group-IB, CrowdStrike and Okta has documented and mapped many of these attacks to the following intrusion groups: 0ktapus, Scattered Spider and Scatter Swine. While these have been treated in the media as three names for one group, in actuality, it's likely multiple actors using a common toolkit. Muddled Libra is a subset of these actors.

During the Unit 42 incident response investigations, we identified several cases with overlapping tradecraft. This indicated a subset of the previously mentioned groups focusing on a complex series of supply chain attacks, ultimately leading to high-value cryptocurrency targets. Defining characteristics of Muddled Libra include the following:

- Persistent targeting of the business process outsourcing (BPO) industry.
- Use of compromised infrastructure in downstream attacks.

Muddled Libra investigations demonstrate the use of an unusually large attack toolkit. Their arsenal ranges from hands-on social engineering and smishing attacks to proficiency with niche penetration testing and forensics tools, giving this threat group an edge over even a robust and modern cyber defense plan.

In the incidents the Unit 42 team has investigated, Muddled Libra has been methodical in pursuing their goals and highly flexible with their attack strategies. When an attack path is blocked, they have either rapidly pivoted to another vector or modified the environment to allow their favored path. The Muddled Libra threat group has also repeatedly demonstrated a strong understanding of the modern incident response (IR) framework. This knowledge allows them to continue progressing toward their goals even as incident responders attempt to expel them from an environment. Once established, this threat group is difficult to eradicate.

Muddled Libra has shown a penchant for targeting a victim’s downstream customers using stolen data and, if allowed, they will return repeatedly to the well to refresh their stolen dataset. Using this stolen data, the threat actor has the ability to return to prior victims even after initial incident response.