The cyber threat actor known as Muddled Libra has been identified as actively targeting software-as-a-service (SaaS) applications and cloud service providers (CSPs) with the intent to exfiltrate confidential information. This malicious activity underscores an increasing trend where organizations store diverse sets of data within SaaS platforms and leverage CSP services, which are now becoming prime targets for cybercriminals.

A report by Palo Alto Networks Unit 42 delineated that Muddled Libra and related groups have begun utilizing the harvested data not only to advance their attacks but also as a means for extortion. These actors have been associated with other cybercriminal clusters such as Scatter Swine, Scattered Spider, Starfraud, and UNC3944, indicating their extensive network within the cybercriminal ecosystem.

These threat actors have adeptly employed sophisticated social engineering techniques to infiltrate targeted networks. The U.S. government previously noted that groups like Scattered Spider have historically managed to evade detection through tactics that exploit common applications and circumvent standard network security measures. Their ability to frequently adjust their tactics, techniques, and procedures (TTPs) allows them to navigate victim networks stealthily.

Muddled Libra’s modus operandi includes various methods of monetizing access to compromised networks, such as ransomware deployment and data theft. This group also operates in conjunction with broader criminal entities known as The Com, which engage in activities including SIM swapping, cryptocurrency theft, and violent tactics.

Previously reported insights have indicated that the name Muddled Libra references the complex landscape tied to the 0ktapus phishing kit, known for facilitating credential harvesting schemes. One crucial element of their strategy involves reconnaissance operations aimed at identifying administrative users, allowing them to impersonate helpdesk staff and extract credentials through social engineering tactics like phone calls.

The reconnaissance extends into meticulous research to uncover specific applications and cloud services utilized by target organizations. For instance, during the Okta cross-tenant impersonation incidents from late July to early August 2023, Muddled Libra successfully circumvented identity access management (IAM) restrictions, revealing how they exploit platform vulnerabilities to access SaaS applications and cloud environments.

Should the integration of SSO not be present within a target’s CSP framework, Muddled Libra resorts to extensive discovery efforts to locate unprotected CSP credentials. The data obtained from SaaS applications is then leveraged to glean insights about the infected environments, enabling them to perform privilege escalation and widen the breach’s scope.

According to Zimmermann from Unit 42, intelligence gathering is a key aspect of Muddled Libra’s campaigns. Attackers exploit stored data within CSP environments to create new routes for lateral movement across compromised networks. This targeting specifically focuses on reputable services such as Amazon Web Services (AWS) and Microsoft Azure, aiming for critical resources including AWS IAM, S3, and Azure Blob Storage.

Data exfiltration occurs through the manipulation of legitimate CSP features, utilizing mechanisms like AWS DataSync and Azure snapshots to facilitate unauthorized data transfers out of compromised environments. Consequently, businesses must reinforce their identity protection measures with robust secondary authentication methods, such as hardware tokens or biometric systems, to safeguard against these evolving threats.

By adapting their strategies to encompass SaaS applications and cloud environments, Muddled Libra’s methodological evolution highlights the intricate nature of contemporary cyber threats. As organizations increasingly depend on cloud infrastructures to manage substantial volumes of sensitive data, the risk of rapid and large-scale data exfiltration becomes a pressing concern for cybersecurity professionals.

This development follows Intel 471’s recent findings of a spike in phishing campaigns executed by Muddled Libra, which aim to impersonate Okta login pages to gain access to targeted cloud resources or SSO-enabled systems.

(The article was revised after publication in June 2024 to clarify the connections between Muddled Libra and Scattered Spider.)

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.