CyberSecurity SEE

Threat group Bling Libra shifts to extortion tactics in cloud attacks.

The evolution of cyberthreats is a constant battle for organizations as threat groups adapt and change their tactics to exploit vulnerabilities in new ways. One such group, known as Bling Libra (aka ShinyHunters), has been making headlines for its sophisticated attacks targeting cloud environments with legitimate credentials.

Palo Alto Networks’ Unit 42 researchers recently shed light on the operations of Bling Libra, a group that gained notoriety earlier this year for the massive data breach at Ticketmaster, where they stole over 560 million customer records. What sets Bling Libra apart is its shift towards extortion-based attacks, a tactic commonly associated with ransomware gangs. Instead of just stealing data and selling it, the group now threatens to publish the stolen information online unless a ransom is paid.

In a recent attack investigated by Unit 42, Bling Libra targeted an organization’s Amazon Web Services (AWS) environment using stolen credentials to access and gather sensitive information. The group infiltrated the AWS environment, conducted reconnaissance operations, and utilized tools like the Amazon Simple Storage Service (S3) Browser to access and delete data. They even created new S3 buckets after exfiltrating data to taunt the organization about the breach.

The Ticketmaster breach in June was a wake-up call for many organizations, as Bling Libra demonstrated the extent of damage that can be caused by compromised credentials. The group has also been linked to other high-profile breaches, including the Ticketek Entertainment Group attack in Australia. Bling Libra’s modus operandi often involves exploiting vulnerabilities in third-party cloud providers, such as Snowflake, by leveraging weak or non-existent multifactor authentication (MFA) measures.

The lack of MFA and overly permissive credentials are recurring themes in Bling Libra’s attacks, highlighting the urgency for organizations to strengthen their authentication and permission practices. Unit 42 recommended implementing MFA and utilizing secure IAM solutions to restrict user permissions and prevent unauthorized access to critical data. As more businesses transition to cloud technologies, it is essential to prioritize cybersecurity practices to safeguard cloud assets and mitigate the risk of cyberthreats.
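The behaviours described above (reconnaissance, deletion and bucket creation from one set of credentials, without MFA) can be triaged from CloudTrail records. The sketch below is an added example, not code from Unit 42 or from the original article; the sample events, key IDs and the `tool_marker` user-agent substring are constructed assumptions.

```python
from collections import defaultdict

# Constructed CloudTrail-style records; all values are invented for illustration.
KEY_A, KEY_B = "AKIAEXAMPLE0000000001", "ASIAEXAMPLE0000000002"
MFA_OK = {"sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}
SAMPLE_EVENTS = [
    {"eventName": n, "userAgent": "[S3 Browser/0.0.0 constructed]",
     "userIdentity": {"type": "IAMUser", "accessKeyId": KEY_A}}
    for n in ("ListBuckets", "DeleteObjects", "CreateBucket")
] + [
    {"eventName": n, "userAgent": "aws-cli/constructed",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": KEY_B, **MFA_OK}}
    for n in ("ListBuckets", "CreateBucket")
]

STAGES = {
    "ListBuckets": "recon", "GetBucketAcl": "recon", "GetBucketLocation": "recon",
    "DeleteObject": "delete", "DeleteObjects": "delete", "DeleteBucket": "delete",
    "CreateBucket": "create",
}

def has_mfa(identity):
    # Long-term access keys carry no sessionContext, so absence means "no MFA".
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def triage(events, tool_marker="s3 browser"):
    """Group S3 activity by access key and return the keys that need review."""
    seen = defaultdict(lambda: {"stages": set(), "mfa": True, "tool": False})
    for ev in events:
        stage = STAGES.get(ev.get("eventName"))
        if stage is None:
            continue
        ident = ev.get("userIdentity", {})
        rec = seen[ident.get("accessKeyId", "unknown")]
        rec["stages"].add(stage)
        rec["mfa"] = rec["mfa"] and has_mfa(ident)
        # Assumption: the client identifies itself in the userAgent field.
        rec["tool"] = rec["tool"] or tool_marker in ev.get("userAgent", "").lower()
    findings = {}
    for key, rec in seen.items():
        reasons = []
        if not rec["mfa"] and {"delete", "create"} & rec["stages"]:
            reasons.append("delete or create calls without MFA")
        if {"recon", "delete", "create"} <= rec["stages"]:
            reasons.append("recon, delete and create from one key")
        if rec["tool"]:
            reasons.append("GUI S3 client user agent")
        if reasons:
            findings[key] = reasons
    return findings
```

`DeleteObject` and `DeleteObjects` are S3 data events, so they reach CloudTrail only when data event logging is enabled for the buckets in question; without it, only the bucket-level calls are visible.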

In conclusion, the evolving tactics of threat groups like Bling Libra underscore the critical need for organizations to prioritize cybersecurity measures. By staying vigilant, implementing robust security practices, and continuously monitoring critical log sources, businesses can better protect their cloud assets and defend against sophisticated cyberthreats.
