A threat group known as “Muddled Libra” has been identified as targeting large outsourcing firms with persistent attacks that start with smishing and end with data theft, according to cybersecurity researchers. The group, which has been active since mid-2022, has been linked to more than half a dozen incidents and specializes in multi-layered attacks. Researchers from Palo Alto Networks Unit 42 attribute the group’s initial access to the Oktapus phishing kit, which it uses to compromise its targets’ infrastructure.
Once inside a target organization’s system, the group exhibits non-destructive persistence until it achieves its objectives, which typically involve stealing sensitive data and leveraging this data and compromised systems for further attacks. The researchers noted that Muddled Libra has a tendency to target downstream customers using stolen data, and can even return to previous victims after incident response measures have been implemented. The group seeks to access and steal information on an organization’s clients, allowing them to infiltrate additional environments.
Although Muddled Libra does not employ new malware or tactics, the group is considered highly dangerous due to its methodical and flexible approach. The threat actors are skilled at pivoting to different attack vectors or even modifying environments to facilitate their preferred attack methods. They have also displayed proficiency in various security disciplines and can execute devastating attack chains rapidly, even in environments that organizations have secured by most standards.
The researchers noted that Muddled Libra is exceptionally persistent and possesses a strong understanding of modern incident response frameworks. This allows the group to continue its operations even after network expulsion attempts. They described the group as difficult to eradicate once established.
The group’s attacks typically begin with reconnaissance to gather information on targets. They then deploy resources such as lookalike phishing domains and the Oktapus phishing kit. Smishing attacks are utilized to send deceptive messages with links to targeted employees’ mobile phones. These messages often request the updating of account information or re-authentication to a corporate application, and the links direct employees to fake corporate login pages.
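The lookalike-domain stage described above is one that defenders can triage mechanically. The following is an added example (not code from the Unit 42 report) that extracts URLs from reported SMS text and flags hosts that embed or closely resemble a protected brand token; the brand token, legitimate domains and SMS bodies are constructed for illustration, and the homoglyph table covers only digit-for-letter swaps.

```python
"""Flag lookalike corporate login domains in SMS text (smishing triage).

Added example for the smishing stage described in the article; it is not
code from the Unit 42 report. The brand token, legitimate domains and SMS
bodies are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed: the organisation's protected brand token and its real login domain.
BRAND_TOKENS = {"examplecorp"}
LEGIT_DOMAINS = {"examplecorp.com"}

# Digit-for-letter substitutions commonly seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two short strings (domain labels)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(host: str) -> bool:
    """True for the organisation's own domains and their subdomains."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def lookalike_reason(host: str) -> Optional[str]:
    """Explain why a host resembles a protected brand, or return None."""
    host = host.lower().rstrip(".")
    if is_legitimate(host):
        return None
    labels = host.split(".")
    # Collapse separators and homoglyph digits so "examp1e-corp" reads as "examplecorp".
    flat = "".join(labels).replace("-", "").translate(HOMOGLYPHS)
    second_level = labels[-2].replace("-", "").translate(HOMOGLYPHS) if len(labels) >= 2 else flat
    for brand in BRAND_TOKENS:
        if brand in flat:
            return f"brand token '{brand}' embedded in {host}"
        dist = edit_distance(second_level, brand)
        if dist <= 2:
            return f"{host} is {dist} edit(s) from '{brand}'"
    return None


def scan_sms(messages: List[str]) -> List[Tuple[str, str]]:
    """Return (url, reason) for every URL whose host looks like the brand."""
    findings = []
    for body in messages:
        for url in URL_RE.findall(body):
            host = urlsplit(url).hostname
            if not host:
                continue
            reason = lookalike_reason(host)
            if reason:
                findings.append((url, reason))
    return findings


# Constructed SMS bodies in the style the article describes.
SAMPLE_SMS = [
    "ExampleCorp IT: your VPN password expires today. Re-authenticate at https://examp1ecorp-sso.com/login",
    "Reminder: complete the security course at https://sso.examplecorp.com/training",
    "Action required: confirm your account at https://examplecorp.account-verify.net/mfa",
    "Lunch at 12? Menu: https://example.org/menu",
    "Payroll update pending, verify here https://exmplecorp.com/hr",
]

if __name__ == "__main__":
    for url, reason in scan_sms(SAMPLE_SMS):
        print(f"SUSPECT {url}: {reason}")
```

The two checks are deliberately separate: the substring test catches the brand placed in a subdomain or padded with tokens such as "sso", while the edit-distance test on the registrable label catches misspellings that the substring test misses. In practice the brand list and the legitimate-domain allowlist are the parts that need maintaining.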
Social engineering tactics are employed to gain network access, capturing credentials that are used for initial access and bypassing multifactor authentication (MFA). Muddled Libra is known to engage in MFA bombing, which involves generating an endless stream of MFA prompts to exploit user fatigue or frustration. Once established within a network, the group swiftly escalates access using various credential-stealing tools like Mimikatz, ProcDump, DCSync, Raccoon Stealer, and LAPSToolkit. If elevated credentials cannot be quickly located, the group resorts to using Impacket, MIT Kerberos Ticket Manager, and NTLM Encoder/Decoder.
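MFA bombing leaves a distinctive trace in identity-provider logs: a burst of push challenges to one account, most of them denied or timed out, sometimes followed by a single acceptance. The following added example (not code from the Unit 42 report) implements that detection with a sliding window; the event tuples are constructed, and the field layout (timestamp, user, push outcome) is an assumption rather than any vendor's schema.

```python
"""Detect MFA push bombing from identity-provider push events.

Added example for the MFA-bombing behaviour described in the article; not
code from the Unit 42 report. The event tuples are constructed and the field
layout (timestamp, user, push outcome) is an assumption, not a vendor schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

PUSH_THRESHOLD = 5              # pushes within the window that count as bombing
WINDOW = timedelta(minutes=10)

# Constructed push-challenge events: (UTC timestamp, user, outcome).
SAMPLE_EVENTS = [
    ("2023-06-01T02:14:03Z", "alice@example.test", "DENY"),
    ("2023-06-01T02:14:41Z", "alice@example.test", "DENY"),
    ("2023-06-01T02:15:20Z", "alice@example.test", "TIMEOUT"),
    ("2023-06-01T02:16:02Z", "alice@example.test", "DENY"),
    ("2023-06-01T02:17:10Z", "alice@example.test", "DENY"),
    ("2023-06-01T02:18:33Z", "alice@example.test", "DENY"),
    ("2023-06-01T02:20:05Z", "alice@example.test", "ALLOW"),   # user gave in
    ("2023-06-01T08:02:11Z", "bob@example.test", "ALLOW"),     # normal logins
    ("2023-06-01T17:45:09Z", "bob@example.test", "ALLOW"),
    ("2023-06-01T11:30:00Z", "carol@example.test", "DENY"),
    ("2023-06-01T11:31:00Z", "carol@example.test", "DENY"),
    ("2023-06-01T11:33:30Z", "carol@example.test", "DENY"),
    ("2023-06-01T11:36:00Z", "carol@example.test", "TIMEOUT"),
    ("2023-06-01T11:39:45Z", "carol@example.test", "DENY"),    # kept refusing
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_bombing(events: Iterable[Tuple[str, str, str]],
                       threshold: int = PUSH_THRESHOLD,
                       window: timedelta = WINDOW) -> Dict[str, dict]:
    """Return, per user, the largest push burst that reached `threshold` within `window`.

    `accepted_after_bombing` is set when an ALLOW lands inside such a burst,
    which is the case a defender must treat as a likely account compromise.
    """
    by_user = defaultdict(list)
    for ts, user, outcome in events:
        by_user[user].append((parse_ts(ts), outcome))

    alerts: Dict[str, dict] = {}
    for user, items in by_user.items():
        items.sort()
        burst = deque()                      # events inside the sliding window
        for ts, outcome in items:
            burst.append((ts, outcome))
            while ts - burst[0][0] > window:  # drop events older than the window
                burst.popleft()
            if len(burst) < threshold:
                continue
            alert = alerts.setdefault(user, {
                "pushes": 0,
                "first": burst[0][0].isoformat(),
                "last": None,
                "accepted_after_bombing": False,
            })
            alert["pushes"] = max(alert["pushes"], len(burst))
            alert["last"] = ts.isoformat()
            if outcome == "ALLOW":
                alert["accepted_after_bombing"] = True
    return alerts


if __name__ == "__main__":
    for user, a in detect_mfa_bombing(SAMPLE_EVENTS).items():
        tag = "ACCEPTED" if a["accepted_after_bombing"] else "resisted"
        print(f"{user}: {a['pushes']} pushes {a['first']}..{a['last']} ({tag})")
```

Two users trigger here: one who eventually approved a push and one who kept refusing. Both deserve follow-up, but only the first implies a live session that needs revoking; the threshold and window are tuning knobs that should be set from the organisation's own baseline of legitimate re-prompts.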
Once inside an environment, Muddled Libra uses free or demo versions of remote monitoring and management (RMM) tools to maintain a backdoor. These tools are commonly used within organizations and do not raise suspicion. The group also engages in evasive maneuvers such as disabling antivirus and host-based firewalls, attempting to delete firewall profiles, creating defender exclusions, and deactivating or uninstalling endpoint detection and response (EDR) and other monitoring products.
Muddled Libra’s primary goal is to access and exfiltrate data. The researchers noted that the group rarely engages in remote code execution. To exfiltrate data, the group establishes reverse proxy shells or secure shell (SSH) tunnels for command and control (C2). They also use common file-transfer sites or the Cyberduck file-transfer agent. In some cases, the group uses compromised infrastructure to launch follow-on attacks on downstream customers.
To defend against Muddled Libra and similar sophisticated threat actors, organizations should employ cutting-edge technology, maintain comprehensive security hygiene, and monitor external threats and internal events diligently. The researchers recommended implementing multifactor authentication (MFA) and single sign-on (SSO) wherever possible, as these measures significantly impede the group’s success. Organizations should also prioritize user-awareness training to help employees identify suspicious outreach via phone and SMS, as Muddled Libra is skilled in social engineering techniques. Additionally, credential hygiene should be maintained, access should be granted only when necessary, and the connection of anonymization services to the network should be limited.
The researchers emphasized the importance of robust network security and endpoint security, specifically recommending an extended detection and response (XDR) solution that utilizes advanced machine learning and behavioral analytics to identify and block threats in real-time. Lastly, organizations should be prepared for a breach and assume that the attacker is familiar with modern incident response frameworks. Setting up out-of-band response mechanisms can help mitigate the impact of a breach.