CyberWire Daily - Thwarting Muddled Libra. [Research Saturday]
Episode Date: September 2, 2023

Kristopher Russo and Stephanie Regan from Palo Alto Networks Unit 42 join Dave to talk about Threat Group Assessment: Muddled Libra. With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses. Posing threats to organizations in the software automation, BPO, telecommunications and technology industries, Muddled Libra is a threat group that favors targeting large outsourcing firms serving high-value cryptocurrency institutions and individuals. The research can be found here: Threat Group Assessment: Muddled Libra
Transcript
You're listening to the CyberWire Network, powered by N2K.

... of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life ...

Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So we first started seeing cases for this pop in last fall. And while we had seen cases before, you know, that are similar with phishing and smishing and bad guys calling in, these definitely seemed a lot more targeted than cases we had seen before.

Our guests today are Kristopher Russo and Stephanie Regan from Palo Alto Networks' Unit 42. We're talking about their threat group assessment, Muddled Libra.

This kind of coincided with a lot of media attention and release around the Scattered Spider group. And as we worked this more, we definitely started to see a link between these two groups.
Well, let's dig into who exactly we think Muddled Libra is. What do we think is behind this organization?
Sure. So, I mean, a little history back on Scattered Spider. We saw, in fall of '22, the 0ktapus phishing kit released.
And, you know, as I mentioned before, while smishing has certainly been around for a while,
what this kit did was take smishing, creating smishing pages and bundling those
together and making them easy for threat actors to target users with. And so we saw a huge burst
of activity, which was covered by a lot of media organizations targeting large clients with these
smishing messages. And so what you would see is you'd see users get a text message on their personal phone,
or they'd get a call on their personal phone, maybe about a schedule change upcoming for work,
or that they had to make some modifications. And it would redirect them to an authentic
looking login page, which would ask for their credentials and trigger a two-factor request,
which then they would answer and put that request in.
What the victim didn't know when that happened was that it was going back to a threat actor-controlled telegram group.
And the threat actor was harvesting those credentials and that MFA code and using that to authenticate as the user.
So this chain of events we saw happened to a large number of companies. There was a lot of consistency between how the domains were set up and how it was carried out. But a very small sub-segment of those attacks seemed to be targeting business process outsourcers. And we saw several of those cases in our incident response. And in these attacks, the threat actors would target organizations that had access to other
organizations downstream. And as we got into the incident response, and I'll let Stephanie kind of
speak to this a little bit more, we would see patterns in these attacks,
whereas the business process outsourcer
was targeted specifically to gather information
for downstream companies.
Stephanie, what can you add here?
Yeah, the other thing that really stood out to us
in relation to these investigations
was the tenacity of this threat actor.
You know, when we're looking at it,
we typically see a lot of threat actors. They really have a script or methodology in mind when
they're coming into the environment. They might have a couple of pivots that they can take,
but this is one of the threat actors that we really see that is pushing towards kind of that advanced level of a threat actor.
They're dropping tons of different RMM tools. So your remote access tools,
they're really getting their hooks into wide varieties of locations within an environment.
A lot of the times threat actors are really going to gravitate towards, you know,
I'm a Linux threat actor. I'm a Windows threat actor. I'm a cloud threat actor.
And a lot
of the times when we were looking into these investigations, they were comfortable in all of
these different platforms. They're able to pivot into SaaS applications, look into your cloud
environment and utilize exploits and understanding the common misconfigurations that exist in the
cloud. And then they're able to look at the Windows environment,
the Linux environment, and pivot through those with relative ease. And the other part that was
really noticeable about that is just, you know, they weren't afraid to really understand and learn
about the environment and take that time. We saw a lot of data exfil and reconnaissance around how-to documents,
how to connect to XYZ platform, how to reset password credentials legitimately,
how to contact the help desk, and really diving into understanding how your process works so that
they can mask in and hide within that realm.

You know, it strikes me that when you talk about something like the 0ktapus phishing kit, you know, these sort of malware-as-a-service things, these commodity tools, I would imagine that that would attract a lower level of threat actor here, you know, the air-quotes script kiddies. But what you're describing here is that this organization is taking this kind of tool and elevating it to the next level?

Absolutely. And don't get me wrong, we see the 0ktapus phishing kit being used a lot
throughout the environment right now. It's very prevalent throughout all different case types that
we've been working. We see them a lot on business email compromise cases, all the way up to your
ransomwares. But in this specific case with Muddled Libra and Scattered Spider, we see them utilizing that kind of base-level scripting. But then once they get in and once they get that access, they're definitely more sophisticated. And this attack type is not new. In fact, we saw a report released just this week by the Cyber Safety Review Board talking about how Lapsus was using very similar techniques all the way back to 2021. But what Muddled Libra brought to the table with this was this highly focused, highly proceduralized type of attack. And because of that, we believe it's a relatively small, tight-knit group, as opposed to Lapsus, which kind of spanned a huge, massive channel of different levels of organization. We also saw this very targeted attack type with Muddled Libra.
So we know that they were definitely after and had an endgame focused primarily on compromising companies downstream of these business process outsourcers.
And the ultimate target, we believe, was cryptocurrency, right?
So before we dig into the actual process here,
do we assume that the naming of the 0ktapus phishing kit as it's, you know, OK, or I guess 0KTAP,
I mean, is that a shot across the bow at security firm Okta?
We do believe so.
And we know that Okta was targeted during these early attacks,
along with several other authentication vendors.
And the idea behind this kit was really to go after these MFA codes
and the providers that facilitate those.
I see.
Well, let's walk through it together. I mean, how does somebody find themselves in Muddled Libra's targets? And once they do, what exactly is going on with the attack chain here?

Yeah, so what we've seen when this happens is they do extensive research on the organization and on the victim that they're going to target. So they know what they're after. In fact, in some of the attacks, we've even seen knowledge of kind of obscure tools or even insider tools. So Muddled Libra will choose an organization that they want to attack. This organization typically has downstream customers of interest. These organizations tend to provide maybe outsourcing service for help desk or maybe other services for the downstream client. The Muddled Libra threat actor will target an
individual. They'll find this individual's personal cell phone number. They will compromise
these credentials. And once they get in, they will immediately start to look to elevate access
and to find the information that they're after. And this is typically documentation on downstream clients, how to operate their tools, credentials
for these clients, and other data that allows them to act as this business process outsourcer
in the target client's environment.
And so once they're in that target's environment, the downstream target, what do they do then?
Well, primarily a lot of what we saw was revolving around SIM swapping. multi-factor authentication to a temporary phone that the threat actor controls so that they can
generate password resets and get those credentials and then access accounts, primarily cryptocurrency
related, that are behind this authentication.

Yeah, Dave, one thing I'd like to add to the
SIM swapping piece, and a lot of people are historically thinking of SIM swapping as,
you know, one, cryptocurrency, two, banking applications,
and then three, just kind of of interest to the telecoms. But one of the things that I really
have been seeing a lot of lately that's of interest is actually the use of SIM swapping
as a credential elevation tool. So when they're really targeting your environment, when they're
looking at it, and they're saying, all right, all right, Dave's the admin in this account. I know I can utilize Dave for credential elevation into this environment.
They're going to go after your account to SIM swap and utilize that MFA code to then achieve
their credential elevation within different environments. So that is something we've seen
before very intermittently, but the prevalence of that when you're having really targeted victims is a trend that we're really keeping an eye
on these days.
Help me understand here.
I guess I'm scratching my head a little bit that their ultimate goal is cryptocurrency.
When they have all this access to multiple organizations, is industrial espionage a side hustle or do they keep their
eye on the ball? So what we found with these threat actors, especially early on, is that
they're looking for ways to monetize their access easily. And while industrial espionage is
definitely great for nation states or other folks that have a way to use that information,
it doesn't provide a quick win. Cryptocurrency, on the other hand, provides a quick win.
You could take a large amount of cryptocurrency, you can wash it and convert it to cash or other
products easily. So that's where this comes in. But to your point, we've seen in recent attacks
where they have started to pivot away from the cryptocurrency targets.
And we believe that's because of enhanced security measures that have been put in place, as well as user awareness.
And we are starting to see more of a focus towards stealing data and then extorting organizations for the return of that data.
We haven't seen as much success with this attack type as we have in ransomware attacks traditionally, and we believe that's mostly experience-based.
So we expect that to continue to grow.
Yeah, that's fascinating.
I mean, I guess in my mind, am I overestimating the amount of effort that goes into the initial access and then pivoting to the other groups? I guess it seems like a lot of work to
what in my mind would seem like a smash and grab
to go after cryptocurrency.
So is that my own misunderstanding?
Well, I mean, definitely what we've seen in these attacks,
there is a lot of traditional red teaming attack style type
with these attackers.
So we do believe that these attackers have studied
penetration testing, that they are comfortable with the penetration testing rulebook. And so,
you know, during that, that doesn't really give them a lot of opportunity to be creative in their
attacks. So they go in, they're looking for credentials, they're looking for protected
systems, and they're looking to use those credentials immediately. So if anything,
I think probably what we see is a lack of experience playing in here, that these are
not necessarily hardened cybercriminals, but they have gotten together and designed a playbook that,
you know, at least for a while has worked very well for them. Even though it seems complex from
the outside looking in, it's a relatively straightforward advancement of compromise organization, use those credentials to compromise downstream organization, and then feed
into an existing SIM swapping infrastructure that is already widely used in order to monetize
cryptocurrency payments. Yeah. And I think Chris is hitting it on the head there with,
you know, they're willing to put in effort on some of these organizations like business process outsourcing and similar companies where the effort is going to be returned in the furtherance and the spread and access to a disparate number of individual targets that might actually be very fruitful and maybe easier in relation to how to monetize that. So they're putting a lot of
effort in into places where, yes, this is one entity, one company, maybe only one specific
target in being able to add their ability to perform SIM swaps. But then once they do that,
once they have that piece, now they might have access to another 20, 30, or another tool
to add to their toolkit that can end up allowing them to leverage other pieces and extremely
expand upon what their victimology can be. And I think part of this is because a lot of large
cryptocurrency holders are relatively security savvy. So they're not going to fall for a phish
directly to them to
provide their credentials. So these threat actors really have to find a roundabout way
to get to these credentials without actually contacting the end victim.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing
IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your
security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making
apps and IPs invisible, eliminating lateral movement, connecting users only to
specific apps, not the entire network, continuously verifying every request based on identity
and context, simplifying security management with AI-powered automation, and detecting
threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Stephanie, I'm curious what this looks like from an incident response position, because it strikes me when you have a lot of organizations who have been touched here. How do you approach that side of things?

I mean, really getting a thorough understanding of where they're at, where they have hooks in, what their persistence mechanisms are, and very quickly, is going to be the priority.
A lot of times what we're seeing is in these big, complex environments, when they don't have IR
playbooks in play already, and they don't have critical action plans, you know, things like
global resets, when you have 1,000, 2,000, even tens of thousands of employees, tends to be very difficult.
Things like sessions, certificates, tokens, all of those things need to be able to be reset in a global manner very quickly, or it's going to be a whack-a-mole throughout these environments.
So that's one of the things that we really look to in elevating our current
customers. We have a whole proactive service line, and that's one of the things that we really
emphasize in being able to take those proactive measures to have that incident response playbook
in hand where when you have a mature threat actor like this in your environment, you're going to
have to take those things very quickly. Having access to user behavior logs. Can you actually see unusual
logins, impossible travel, MFA device enrollments? Because one of the things that they're going to do
is continuously add and change where those MFAs are being redirected. Can you spot those things
very easily and very quickly? Having awareness training with your users is extremely advantageous.
You know, do users understand what phishing looks like and smishing looks like these days?
And the sophistication that that has brought, especially with this 0ktapus phishing kit, in relation to, you know, we used to be able to tell with typos and, you know, misnomers and weird language and things like that.
It used to be really easy to spot a phish and it's becoming less and less so.
Things like the help desk. We're seeing a lot of calls to the help desk. They sound very
legitimate. They've done reconnaissance. So they're able to know, all right, I need to know
the supervisor name. I need to know where I'm at in the chain of command and which business unit I'm a part
of and maybe my personal email.
They already are able to collect those things.
So when they call the help desk, they already have it.
So taking things that we've seen and really securing those mechanisms and really thinking
hard about where is that data?
If a basic user in your
environment has an email compromise, can all of the help desk information that they might need
be readily available at their fingertips to be able to reset all users within the account? I
think supervisor is one of those common ones. If you just have to do a supervisor name,
a lot of organizations within their email platforms, you can just see who the chain of
command is and where they might actually sit and what name they might need to provide.
So in relation to that too, we see a lot of initial access broker usage as well,
and things like dark web monitoring. If you have credentials that are sitting out there
in the world and in the environment that can be readily used by different threat actors,
do you have a way of knowing that already and remediating those things quickly?
A lot of the interesting pieces that we've also seen is these threat actors are not afraid of
EDR and XDR type tools. We've seen them utilize EDR tools as far as actually dropping them into
the environment and using them as lateral
movement vectors, but also utilizing your own security stack as a lateral movement piece.
A lot of people forget that their EDR tools can do things like live terminal into a remote box.
This was one of my, to me, one of the more interesting things that I saw them doing is
once they're able to get an
admin credential, they're logging into the EDR tools. They're looking at what those EDR tools
are being used for in the environment. Can they use them for reconnaissance and things like that?
But also they can be used for lateral movement through that live terminal access capability.
Does every person that uses your EDR tool in your environment need lateral
movement? Most of them can have that lateral movement capability within your security tool
disabled for all but that small subset of users that need it. Another interesting piece that we've
been seeing with this threat actor is they love to monitor the IT tickets, love to monitor the internal chat platform. All of those different
areas that we think we as responders are kind of safely using to be able to remediate the activity
is something that they're keeping eyes on. So if you're using one particular chat platform
for your normal course of business, and that's what you would use to talk about,
hey, we need to go lock down this server, we need to clear these persistent mechanisms out of the
environment, you know, they may have eyes on that. So getting outside of our normal bands of
communication and having a backup plan for those types of things, how can we communicate between
our IT teams and take the actions necessary without always tipping off the threat actor and saying, hey, you know, we're moving over here or you're going to lose your persistence mechanism.
So make sure you go make another one and things like that.
So a lot of different things here, obviously, multi-factor authentication, while they have ways to get around that, that is an absolute must in here as well to be able to kind of secure and kick out the threat actors.
Well, based on the information that you've gathered here, I mean, what are your recommendations for organizations to best protect themselves? I mean, Stephanie, you touched on a number of them, but any specific advice here?

Well, first of all, get rid of SMS. The community has been saying for years that SMS is not a safe way to do two-factor authentication. So it's time to move to hardware keys or to some sort of in-app authentication method. And that'll cut down at least on the SIM swapping angle of this attack.
Absolutely.
From that last conversation, the ones I really want to emphasize is that
incident response playbook, you cannot figure out a way to respond to these actors when you're
flying the plane. So having that plan, especially that one for the global password session
certificate token resets, I see a lot of larger organizations really struggling for that. And that's an area
that you can really elevate your ability to respond. And awareness training. Again,
needing to make sure users, help desk, IT personnel are very keenly aware of the new
mechanisms in play and how sophisticated things have become is just crucial. Hardening management assets,
you know, hardening those XDR, EDR tools, your VMware, your remote access tooling, anything
that's able to kind of take security administration actions within your environment is critically
essential. You know, knowing what remote access tools are in the environment and what you can
block is going to be extremely powerful when they go in and a threat actor tries to drop seven other remote access tools.
If you're blocking them, the threat becomes very low.
And just overall asset posturing, too. Device certificates, custom registry keys, you know, existence of EDR tools, all of those different kinds of factors as HIP checks for VPNs, and securing that VPN and any remote connections, especially with our disparate workforces these days, you know, is extremely useful in being able to help prevent and protect against these. But going back to that password reset and token and certificate reset, all of those things that you're using in the HIP check, if they know they are trying to compromise your environment and are able to identify those things, they're resetting all certificates, but that certificate is getting pushed to a threat actor endpoint, and things like that are all mechanisms we really need to be
thinking about and elevating ourselves with how we can respond and protect ourselves even beforehand.
You know, this research really strikes me as almost a case study, like a greatest hits of things you need to be looking out for. I could imagine
using this as the foundation for a presentation to a board of directors or another group who
needs to see the breadth of what folks in the security side are up against here. This really
touches on so many different areas. Yeah, absolutely. I think one of those areas
that we as security providers
always are really struggling with
is how do we get that C-suite
and above on board with what we need
and what we're seeing in the environment.
This is a great threat actor group
and both publication, research, case study
to be able to use and kind of lean on in relation to,
you know, these are the things that they're seeing. These are the things that we don't need
to just have one layer of protection for. We have to actually have that depth and breadth
security and response mechanisms. So it is a great one to take some bullet points away and really use
as a flag in the sand of,
hey, looky here, these are some actions that we could take.
And this is the reason why,
because it is actively being utilized in the threat landscape today. And very politically.
I think the bottom line is groups like Muddled Libra are not using super
advanced techniques or, you know, the latest and greatest tools.
What they're using is a targeting and a
knowledge of oftentimes your weakest security link, and that's the human. So if there's a takeaway,
it is to definitely help strengthen your human element, to make sure that your employees know
what to look for when they're being attacked, and ensuring on the back end that you're
monitoring for unusual behavior in your environment from employees that wouldn't normally do that,
and then responding immediately and quickly, ideally with automation.
Our thanks to Kristopher Russo and Stephanie Regan from Palo Alto Networks Unit 42 for joining us.
We'll have a link to their threat group assessment on Muddled Libra in our show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. ... to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

... next generation of cybersecurity teams and technologies.

This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Elliott Peltzman.
Our executive editor is Peter Kilpe.
And I'm Dave Bittner.
Thanks for listening.