The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data.
“Organizations often store a variety of data in SaaS applications and use services from CSPs,” Palo Alto Networks Unit 42 said in a report published last week.
“The threat actors have begun attempting to leverage some of this data to assist with their attack progression, and to use for extortion when trying to monetize their work.”
Muddled Libra, also known as Starfraud, UNC3944, Scatter Swine, and Scattered Spider, is a notorious cybercriminal group that has used sophisticated social engineering techniques to gain initial access to target networks.
“Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs,” the U.S. government said in an advisory late last year.
The attackers also have a history of monetizing access to victim networks in a number of ways, including extortion enabled by ransomware and data theft.
Unit 42 previously told The Hacker News that the moniker “Muddled Libra” comes from the “confusing muddled landscape” associated with the 0ktapus phishing kit, which has been used by other threat actors to stage credential harvesting attacks.
A key aspect of the threat actor's tactical evolution is the use of reconnaissance techniques to identify administrative users to target when posing as helpdesk staff on phone calls to obtain their passwords.
The reconnaissance phase also extends to Muddled Libra performing extensive research to find information about the applications and cloud service providers used by the target organizations.
“The Okta cross-tenant impersonation attacks that occurred from late July to early August 2023, where Muddled Libra bypassed IAM restrictions, display how the group exploits Okta to access SaaS applications and an organization's various CSP environments,” security researcher Margaret Zimmermann explained.
The information obtained at this stage serves as a stepping stone for lateral movement: the admin credentials are abused to access single sign-on (SSO) portals and gain rapid access to SaaS applications and cloud infrastructure.
In the event SSO is not integrated into a target's CSP, Muddled Libra undertakes broad discovery activities to uncover CSP credentials, likely stored in unsecured locations, to achieve their goals.
The data stored in SaaS applications is also used to glean specifics about the compromised environment, capturing as many credentials as possible to widen the scope of the breach through privilege escalation and lateral movement.
“A large portion of Muddled Libra's campaigns involve gathering intelligence and data,” Zimmermann said.
“Attackers then use this to generate new vectors for lateral movement within an environment. Organizations store a variety of data within their unique CSP environments, thus making these centralized locations a prime target for Muddled Libra.”
These activities specifically single out Amazon Web Services (AWS) and Microsoft Azure, targeting services such as AWS IAM, Amazon Simple Storage Service (S3), AWS Secrets Manager, Azure storage account access keys, Azure Blob Storage, and Azure Files to extract relevant data.
Data exfiltration to an external entity is achieved by abusing legitimate CSP services and features. This includes tools like AWS DataSync and AWS Transfer, and a technique referred to as snapshot, the latter of which makes it possible to move data out of an Azure environment by staging the stolen data in a virtual machine.
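As an added, defender-side illustration that is not part of the Unit 42 report or this article: the following Python triages CloudTrail-style records for the pattern described above on the AWS side, broad credential and secret discovery followed by setup of a data-movement service such as DataSync or Transfer. The event source and API names are real CloudTrail values; the records, identities and account id are constructed sample data, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (sample data made up for this example).
def _ev(time, arn, source, name):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}}

ADMIN = "arn:aws:iam::111122223333:user/helpdesk-admin"  # placeholder account id
DEVOPS = "arn:aws:iam::111122223333:user/devops-ci"

SAMPLE_EVENTS = [
    _ev("2023-08-01T10:00:00Z", ADMIN, "iam.amazonaws.com", "ListUsers"),
    _ev("2023-08-01T10:01:00Z", ADMIN, "secretsmanager.amazonaws.com", "ListSecrets"),
    _ev("2023-08-01T10:01:10Z", ADMIN, "secretsmanager.amazonaws.com", "GetSecretValue"),
    _ev("2023-08-01T10:01:12Z", ADMIN, "secretsmanager.amazonaws.com", "GetSecretValue"),
    _ev("2023-08-01T10:01:15Z", ADMIN, "secretsmanager.amazonaws.com", "GetSecretValue"),
    _ev("2023-08-01T10:05:00Z", ADMIN, "s3.amazonaws.com", "ListBuckets"),
    _ev("2023-08-01T10:30:00Z", ADMIN, "datasync.amazonaws.com", "CreateTask"),
    _ev("2023-08-01T10:31:00Z", ADMIN, "datasync.amazonaws.com", "StartTaskExecution"),
    # Routine pipeline activity: a single secret read, no data-movement service touched.
    _ev("2023-08-01T11:00:00Z", DEVOPS, "secretsmanager.amazonaws.com", "GetSecretValue"),
]

# Discovery calls against the services the report names (IAM, Secrets Manager, S3).
DISCOVERY = {("iam.amazonaws.com", "ListUsers"),
             ("secretsmanager.amazonaws.com", "ListSecrets"),
             ("secretsmanager.amazonaws.com", "GetSecretValue"),
             ("s3.amazonaws.com", "ListBuckets")}
# Setup of the data-movement services the report says are abused (DataSync, Transfer).
DATA_MOVEMENT = {("datasync.amazonaws.com", "CreateTask"),
                 ("datasync.amazonaws.com", "StartTaskExecution"),
                 ("transfer.amazonaws.com", "CreateServer")}

def triage(events, min_secret_reads=3):
    """Per identity: flag bulk secret reads and discovery that precedes data-movement setup."""
    state = defaultdict(lambda: {"reads": 0, "discovered": False, "moved_after": False})
    for e in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts lexically
        s = state[e["userIdentity"]["arn"]]
        key = (e["eventSource"], e["eventName"])
        if key in DISCOVERY:
            s["discovered"] = True
            if e["eventName"] == "GetSecretValue":
                s["reads"] += 1
        elif key in DATA_MOVEMENT and s["discovered"]:
            s["moved_after"] = True  # exfil tooling set up only after discovery counts
    findings = {}
    for arn, s in state.items():
        reasons = []
        if s["reads"] >= min_secret_reads:
            reasons.append("bulk GetSecretValue")
        if s["moved_after"]:
            reasons.append("discovery then data-movement service")
        if reasons:
            findings[arn] = reasons
    return findings
```

Run over real CloudTrail, the same logic would take the parsed `Records` array of each log file; the thresholds here are starting points, not tuned values.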
Muddled Libra's tactical shift requires organizations to secure their identity portals with strong secondary authentication protections such as hardware tokens or biometrics.
“By expanding their tactics to include SaaS applications and cloud environments, the evolution of Muddled Libra’s methodology shows the multidimensionality of cyberattacks in the modern threat landscape,” Zimmermann concluded. “The use of cloud environments to gather large amounts of information and quickly exfiltrate it poses new challenges to defenders.”