CyberWire Daily - Exposing Muddled Libra's meticulous tactics with Incident Responder Stephanie Regan [Threat Vector]
Episode Date: March 27, 2024

In honor of Women's History Month, please enjoy this episode of the Palo Alto Networks Unit 42 Threat Vector podcast. In this episode, join host David Moulton as he speaks with Stephanie Regan, a senior consultant at Unit 42. Stephanie, with a background in law enforcement, specializes in compromise assessment and incident response. Discover her insights into combating the Muddled Libra threat group and similar adversaries. Stephanie highlights the crucial role of reconnaissance in investigations and the importance of strong multi-factor authentication (MFA) to counter phishing and social engineering attacks. She delves into techniques like domain typosquatting and shares how domain monitoring can thwart attackers. Learn how Unit 42 assists clients in recovering from attacks, especially those by Muddled Libra. Stephanie emphasizes rapid response and coordination, including using out-of-band communications to outmaneuver threat actors.

You can learn more about Muddled Libra at https://unit42.paloaltonetworks.com/muddled-libra/ where Kristopher was the lead author for the Threat Group Assessment: Muddled Libra.

Join the conversation on our social media channels:
Website: https://www.paloaltonetworks.com/unit42
Threat Research: https://unit42.paloaltonetworks.com/
Facebook: https://www.facebook.com/LifeatPaloAltoNetworks/
LinkedIn: https://www.linkedin.com/company/unit42/
YouTube: @PaloAltoNetworksUnit42
Twitter: https://twitter.com/PaloAltoNtwks

About Threat Vector
Unit 42 Threat Vector is the compass in the world of cyberthreats. Hear about Unit 42's unique threat intelligence insights, new threat actor TTPs, real-world case studies, and learn how the team works together to discover these threats. Unit 42 will equip listeners with the knowledge and insight to proactively prepare and stay ahead in the ever-evolving threat landscape.
PALO ALTO NETWORKS
Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile. http://paloaltonetworks.com
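The domain monitoring the episode description mentions (catching mistyped and look-alike registrations of your own domains before they are used against your help desk or users) can be approximated with a small script that generates typosquat candidates for a brand domain and checks them against a feed of newly observed domains. The example below is added here and is not code from the original page or from Unit 42. The observed-domain list is constructed for the demonstration, the QWERTY adjacency map is partial, and the lure suffixes (-sso, -okta, -vpn, -helpdesk, -login) are an assumption about common SSO and help-desk themed phishing domains, not indicators taken from the Muddled Libra assessment.

```python
"""Generate typosquat candidates for a brand domain and match them against a
list of newly observed domains (constructed sample data, not a real feed)."""

# Adjacent keys on a US QWERTY layout. Partial map, an assumption for this
# example; it covers ASCII letters only.
QWERTY_NEIGHBORS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Substrings that look alike in a URL bar (single characters and the
# classic rn/m and vv/w pairs).
HOMOGLYPHS = {
    "o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5",
    "rn": "m", "m": "rn", "vv": "w", "w": "vv",
}

# Suffixes used on SSO / help-desk themed phishing domains. Assumed list for
# the example, not indicators from any published report.
LURE_SUFFIXES = ("-sso", "-okta", "-vpn", "-helpdesk", "-login")


def _omissions(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def _transpositions(label):
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def _repetitions(label):
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def _adjacent_keys(label):
    out = set()
    for i, ch in enumerate(label):
        for neighbor in QWERTY_NEIGHBORS.get(ch, ""):
            out.add(label[:i] + neighbor + label[i + 1:])
    return out


def _homoglyphs(label):
    out = set()
    for src, dst in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:  # replace each occurrence separately
            out.add(label[:start] + dst + label[start + len(src):])
            start = label.find(src, start + 1)
    return out


def _hyphenations(label):
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def generate_typosquats(domain, tlds=("com", "net", "org", "co")):
    """Return single-edit look-alikes of `domain` (e.g. 'example.com').

    Every variant is one edit away from the real domain; a domain that
    combines two edits (homoglyph plus TLD swap) is deliberately not
    generated, which is the main limitation of this approach.
    """
    label, _, tld = domain.lower().partition(".")
    variants = set()
    for generator in (_omissions, _transpositions, _repetitions,
                      _adjacent_keys, _homoglyphs, _hyphenations):
        variants |= generator(label)
    variants.discard(label)
    candidates = {f"{v}.{tld}" for v in variants}
    candidates |= {f"{label}.{t}" for t in tlds if t != tld}
    candidates |= {f"{label}{s}.{tld}" for s in LURE_SUFFIXES}
    return candidates


def match_observed(domain, observed_domains):
    """Entries of `observed_domains` that are look-alikes of `domain`."""
    candidates = generate_typosquats(domain)
    return sorted(d for d in observed_domains if d.lower() in candidates)


# Constructed sample feed, standing in for a newly-registered-domains or
# certificate-transparency stream.
OBSERVED_NEW_DOMAINS = [
    "exmaple.com",       # transposition
    "exampl.com",        # omission
    "examplle.com",      # repeated character
    "wxample.com",       # adjacent key (w next to e)
    "examp1e.com",       # homoglyph (1 for l)
    "example.co",        # TLD swap
    "example-sso.com",   # lure suffix
    "examp1e.net",       # two edits (homoglyph + TLD swap): not generated
    "acme-widgets.com",  # unrelated
]

if __name__ == "__main__":
    for hit in match_observed("example.com", OBSERVED_NEW_DOMAINS):
        print("look-alike observed:", hit)
```

Running it against the constructed feed flags seven of the nine entries and misses examp1e.net on purpose: that domain is two edits away, so exact-match generation is a floor, not a ceiling. In practice you would pair a generator like this with a fuzzy comparison (edit distance of two or less against the brand label) and feed it from certificate-transparency logs as well as new-registration data, since an attacker who registers a look-alike for a help-desk lure usually also obtains a certificate for it.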
Transcript
You're listening to the CyberWire Network, powered by N2K.
Stephanie Regan: It's not always possible from an investigative side to be able to tell whether AI is used. And honestly, it's not always our goal. We're really focused on ejecting the threat actor from the environment and getting our clients back up and running.
David Moulton: Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. In today's episode, I'm going to talk with Stephanie Regan, a senior consultant with Unit 42. Stephanie started her career in law enforcement and now specializes in compromise assessment and incident response.

In our last episode, I spoke with Chris Russo, a senior threat researcher with Unit 42 focused on ransomware and cybercrime, about Muddled Libra. Chris painted a picture of a determined and dangerous adversary. Today, I want to talk with Stephanie to hear her insights and advice when it comes to responding to an attack from Muddled Libra and groups like them. To kick us off, can you share the number of matters that you've been involved with when it comes to Muddled Libra?

Stephanie Regan: Yeah, my numbers are likely a little higher, since we're not always confident on attribution. However, I've definitely worked at least a half dozen cases with Muddled Libra.
David Moulton: And can you share a detail or an insight from a matter that really sticks out to you?
Stephanie Regan: One of the things that really sticks out to me about Muddled Libra cases has been the reconnaissance portion of the investigation. A lot of the time we see threat actors doing really light reconnaissance, trying to figure out where they're at in the environment and how they can navigate. I've seen them deep dive the how-to and the technical docs. They're really trying to get a really deep understanding of the environment and how to connect and change their level of persistence, as well as further their access into the environment.
David Moulton: So Chris mentioned that this group is prolific when it comes to use of phishing kits and social engineering. What are some of the ways that you've seen success in combating these approaches?

Stephanie Regan: These approaches are really successful because they're focused on that human factor. People are focused on their jobs, getting their jobs accomplished. MFA is a huge must, and moving towards more secure methods of MFA, getting away from using SMS for our multi-factor authentication. Really thinking about where your data is stored when it comes to help desk information. We've seen phishing and spoofing of help desk personnel. So really thinking critically about where the information is that the user might use to reset their password through the help desk. One of the things that we've talked about that they use a lot is domain typosquatting and also buying access from initial access brokers. Things like dark web and domain monitoring can also help in these situations, to help you know quickly when credentials might be available on the dark web or when you have certain things like mistyped domains and slightly misconfigured domain URLs that have been developed and created that spoof your sites.

David Moulton: Stephanie, tell our listeners what it takes to help a client recover from one of these attacks.
Stephanie Regan: Especially with a Muddled Libra attack, I think moving quickly to understand the level of persistence that has been able to be obtained at the time of detection is really important. IR playbooks are essential, knowing the actions that you're going to need to take before you're in the emergency environment. Password resets, asset resets, those have to have a plan around them, because when you're in large environments and you're trying to reset passwords for thousands of users, that's very difficult. It's going to be kind of that whack-a-mole game, to keep kicking them out of one account, but they can use another one to get right back in. Another crucial piece with Muddled Libra and many threat actors today is getting to out-of-band comms very quickly as well. A lot of threat actors, including Muddled Libra, like to sit on and listen to whatever your chat platform of choice is and try to understand what actions the IT team and maybe the investigators are taking. Getting out of band and being able to really coordinate your approach quickly to get your environment reset is very important.
David Moulton: Final question for you. Do you expect that there'll be copycat groups out there that take Muddled Libra's playbook and use it, expand on it?
Stephanie Regan: I think that the idea of copycats is an interesting one in this era of cyber. Being able to see the success of Muddled Libra and other groups like them and have enough information about them to be able to copy, definitely I can see people doing that. However, one of the things to keep in mind is that we hear a lot about RaaS, ransomware as a service, initial access brokers, and things like that. So we're seeing a lot of blending of TTPs, IOCs, indicators, but also, as far as that goes, things that look like the same threat actor that might be slightly different because they're sharing resources and have really become this complex marketplace today.
David Moulton: Stephanie, thanks for joining me today on Threat Vector and for sharing your insights and experience defending against Muddled Libra. If you're interested in reading more about this threat actor group, visit the Unit 42 Threat Research Center and look for the Threat Group Assessment on Muddled Libra. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.