URL: https://unit42.paloaltonetworks.com/muddled-libra/


THREAT GROUP ASSESSMENT: MUDDLED LIBRA (UPDATED)

 * By:
    * Kristopher Russo
    * Austin Dever
    * Amer Elsad

 * Published:8 March, 2024 at 2:58 PM PST
 * Categories:
    * High Profile Threats
    * Malware
    * Threat Actor Groups

 * Tags:
    * 0ktapus
    * ALPHV
    * App-ID
    * BlackCat ransomware
    * MITRE
    * Muddled Libra
    * Phishing
    * Scatter Swine
    * Scattered Spider
    * Social engineering



EXECUTIVE SUMMARY

Muddled Libra stands at the intersection of devious social engineering and
nimble technology adaptation. With an intimate knowledge of enterprise
information technology, this threat group presents a significant risk even to
organizations with well-developed legacy cyber defenses.

Muddled Libra’s tactics are fluid, adapting quickly to a target environment.
They continue to use social engineering as their primary modus operandi,
targeting a company's IT help desk. In one case, within a few minutes of a call,
the threat actors had an account password changed and then the victim’s MFA
reset, giving them access to the network.

Muddled Libra was first noted for targeting organizations in the software
automation, outsourcing and telecommunications verticals. Since then, they’ve
expanded their targeting to include the technology, business process
outsourcing, hospitality and more recently, financial industries. They show no
signs of slowing.

Unit 42 researchers and responders have investigated interrelated incidents from
mid-2022 through the beginning of 2024, which we’ve attributed to the threat
group Muddled Libra. Initial attacks were highly structured and favored large
business process outsourcing firms serving high-value cryptocurrency holders. We
believe that when the threat actors exhausted those targets, they evolved into a
ransomware affiliate model with extortion as their key objective.

In the cases we’ve been involved with, we observed Muddled Libra performing the
following activities:

 * Using NSOCKS and TrueSocks proxy services
 * Creating email rules to forward emails from specific security vendors to the
   actors, to monitor communications with those helping in the investigation
 * Deploying a custom virtual machine into the environment
 * Using an open-source rootkit, bedevil (bdvl), to target VMware vCenter servers
 * Gaining administrative permissions
 * Making heavy use of anonymizing proxy services

We also believe that members of Muddled Libra speak English as a first language,
which provides them greater ability to conduct their social engineering attacks
with other English speakers. Muddled Libra has also been observed using AI to
spoof victims’ voices. Social media videos can be used by attackers to train AI
models. The targets we’ve observed seem to be primarily in the U.S.

Thwarting Muddled Libra requires interweaving tight security controls, diligent
awareness training and vigilant monitoring.

Palo Alto Networks customers are better protected from the threats described in
this article through a modern security architecture built around Cortex XSIAM in
concert with Cortex XDR. The Advanced URL Filtering and DNS Security
Cloud-Delivered Security Services can help protect against command and control
(C2) infrastructure, while App-ID can limit anonymization services allowed to
connect to the network.

Related Unit 42 Topics: Muddled Libra (related to Scattered Spider, Scatter
Swine), 0ktapus, Social Engineering


THREAT OVERVIEW

The attack style defining Muddled Libra appeared on the cybersecurity radar in
late 2022 with the release of the 0ktapus phishing kit. This phishing kit offered
the following features:

 * A prebuilt hosting framework
 * Easy C2 connectivity
 * Bundled attack templates

These options allowed attackers to emulate mobile authentication pages cheaply
and easily.

With over 200 realistic fake authentication portals and some targeted smishing,
attackers quickly gathered credentials and multifactor authentication (MFA)
codes for over one hundred organizations.

The speed and breadth of these attacks caught many defenders off-guard. While
smishing is not a new tactic, the 0ktapus framework commoditized what would
typically require complex infrastructure and advanced technical skills, in a way
that granted even low-skilled attackers a high attack success rate.

The sheer number of targets being hit with this kit created a fair amount of
confusion regarding attribution in the research community. Previous reporting by
Group-IB, CrowdStrike and Okta has documented and mapped many of these attacks
to the following intrusion groups: 0ktapus, Scattered Spider and Scatter Swine.

While these have been frequently treated as several names for one group, what
these names actually define are:

 * An attack style using a common toolkit
 * A social forum-based collaboration network
 * An Agile-like team structure

Muddled Libra is a distinct group of actors using this tradecraft. In a 2023
blog posted on ALPHV’s leak site, the attackers corroborated this view, claiming
that previous researcher attribution models have been non-specific.

During Unit 42 Incident Response investigations, we identified several cases we
attribute to Muddled Libra. Muddled Libra has been responsible for a campaign of
complex supply chain attacks, ultimately leading to high-value cryptocurrency
targets.

This group has only intensified their campaign. They are shifting tactics to
adapt to improving cyber defenses, and they are broadening their targeting.

Figure 1. Muddled Libra evolved tactics.


Unit 42 has observed an extensive toolkit used in these attacks. This arsenal
ranges from hands-on social engineering and smishing attacks to proficiency with
niche penetration testing, forensics tools and even legitimate systems
management software. This breadth of tooling gives Muddled Libra an edge over
even a robust and modern cyber defense plan.

In incidents the Unit 42 team has investigated, Muddled Libra has been
methodical in pursuing its goals and highly flexible with attack strategies.
When an attack tactic is blocked, they have either rapidly pivoted to another
vector or modified the target environment to enable their favored path.

Muddled Libra has also repeatedly demonstrated a strong understanding of the
modern incident response (IR) framework. This knowledge allows them to continue
progressing toward their goals even as incident responders attempt to expel them
from an environment. Once established, this threat group is difficult to
eradicate. Unit 42 has observed them joining IR war rooms and creating rules
within email security platforms to intercept and redirect incident
response-related communication.

Initially, Muddled Libra preferred targeting a victim’s downstream customers
using stolen data and, if allowed, would return repeatedly to the well to
refresh their stolen dataset. Using this stolen data, the threat actor could
return to prior victims even after the initial incident response.

Furthermore, Muddled Libra appeared to have clear goals for its breaches versus
just capitalizing on opportunistic access. They rapidly sought and stole
information on downstream client environments and then used it to pivot into
those environments.

In a notable departure from earlier tactics, in 2023, intelligence indicated
that Muddled Libra joined the ALPHV/Blackcat ransomware-as-a-service affiliate
program. They wasted no time implementing this new tool set with a radical
departure from previous tradecraft in favor of new attacks focused on data
theft, encryption and enormous extortion demands.

The U.S. Justice Department interrupted ALPHV’s operations shortly after these
attacks began. Since this action, new Muddled Libra attacks have shifted to data
theft with a simple extortion objective. Muddled Libra has demonstrated a strong
understanding of their victims’ “line of business” processes, and they strike at
the heart of business operations.


ATTACK CHAIN

While each incident is unique, Unit 42 researchers have identified enough
commonalities in tradecraft to attribute multiple incidents to Muddled Libra.
Figure 2 shows the attack chain.

Figure 2. Muddled Libra attack chain.


We have mapped these to the MITRE ATT&CK® framework, summarized below.


RECONNAISSANCE

Muddled Libra has consistently demonstrated an intimate knowledge of targeted
organizations, including employee lists, job roles and cellular phone numbers.
In some instances, threat actors likely obtained this data during earlier
breaches against upstream targets.

Threat actors also frequently obtain information packs from illicit data brokers
such as the now-defunct Genesis Market and Russian Market. This data is typically
harvested from infected corporate and personal devices using malware such as
Raccoon Stealer and RedLine Stealer.

With the advent of bring-your-own-device (BYOD) policies and the popularity of
hybrid work, corporate data and credentials are frequently used and cached on
personal devices. Decentralizing the management and protection of IT assets
creates a lucrative targeting opportunity for information-stealing malware.


RESOURCE DEVELOPMENT

Lookalike domains used in smishing attacks are a consistent hallmark for Muddled
Libra. This tactic is effective since mobile devices frequently truncate links
in SMS messages. Malicious domain names frequently use the format of the
organization name with a hyphen, followed by a service (like SSO, helpdesk or
HR).
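The naming scheme above (organization name, a hyphen, then a service word such as SSO, helpdesk or HR) is regular enough to hunt for in newly registered domain feeds, certificate transparency logs or DNS query logs. The following is an added example, not code from Unit 42; the service-word list beyond SSO, helpdesk and HR, the organization name "acme" and the sample domain feed are all constructed for illustration.

```python
import re

# Service words the report says Muddled Libra appends to the organization name
# after a hyphen (SSO, helpdesk, HR). The remaining words are assumptions added
# here to widen the net; tune them to the services your organization runs.
SERVICE_WORDS = ("sso", "helpdesk", "hr", "okta", "vpn", "mfa", "login", "support", "it")


def lookalike_pattern(org_names):
    """Build one regex matching <org>-<service>.<tld> or <service>-<org>.<tld>."""
    org = "|".join(re.escape(o.lower()) for o in org_names)
    svc = "|".join(SERVICE_WORDS)
    return re.compile(
        rf"^(?:(?P<org1>{org})-(?P<svc1>{svc})|(?P<svc2>{svc})-(?P<org2>{org}))\.[a-z0-9.-]+$"
    )


def lookalike_candidates(org_names, domains, legitimate_domains=()):
    """Return [(domain, org, service)] for domains that fit the smishing naming scheme.

    Domains listed in legitimate_domains (the organization's own registrations)
    are skipped so that a genuine acme-sso.example.com is not reported.
    """
    pat = lookalike_pattern(org_names)
    legit = {d.lower().rstrip(".") for d in legitimate_domains}
    hits = []
    for d in domains:
        d = d.lower().rstrip(".")
        if d in legit:
            continue
        m = pat.match(d)
        if m:
            org = m.group("org1") or m.group("org2")
            svc = m.group("svc1") or m.group("svc2")
            hits.append((d, org, svc))
    return hits


# Constructed sample feed of newly registered domains (not real data).
SAMPLE_NEW_DOMAINS = [
    "acme-sso.com",
    "acme-helpdesk.net",
    "hr-acme.org",
    "acme.com",             # the real apex domain, no hyphen: not a hit
    "acmesso.com",          # no hyphen, outside the observed scheme: not a hit
    "acme-sso.example.com", # the organization's own SSO host: allowlisted
    "unrelated-sso.com",    # some other organization's name: not a hit
    "acme-sso.co.uk",
]

if __name__ == "__main__":
    for hit in lookalike_candidates(["acme"], SAMPLE_NEW_DOMAINS,
                                    legitimate_domains=["acme-sso.example.com"]):
        print("candidate lookalike:", hit)
```

Feed the candidate list into a registration-date check and a screenshot of the landing page before raising a ticket; the pattern alone is a lead, not proof, and the report notes these domains are short-lived, so the hunt has to run against fresh data.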

Early clusters of attacks attributed to the 0ktapus campaign consistently used
domains registered via Porkbun or Namecheap and hosted on Digital Ocean
infrastructure. These domains are short-lived, used only during the initial
access phase, and they are quickly taken down before defenders can investigate.
Recently, we’ve observed Muddled Libra adding Metaregistrar and Hosting Concepts
to their preferred registrar list, and their hosting has moved behind a large
content delivery network (CDN) service.

In many investigations, Unit 42 observed the use of the 0ktapus phishing kit for
credential harvesting. Group-IB has done a great deep dive analysis of this
versatile kit, which is widely available in the criminal underground. It
requires little skill to stand up and configure, making it an ideal tool for
highly targeted smishing attacks. Since its introduction, other threat groups
have adopted this kit, and it continues to evolve.


INITIAL ACCESS

In all incidents where Unit 42 could determine an initial access vector,
smishing and helpdesk social engineering were involved. In most early incidents,
the threat actor sent a lure message directly to the targeted employees’
cellphones, claiming they needed to update account information or reauthenticate
to a corporate application. Messages contained a link to a spoofed corporate
domain designed to emulate a familiar login page.

Likely due to organizations’ large-scale phase-out of SMS as a secondary
authentication factor, Muddled Libra has begun to move away from smishing as an
initial entry vector. New cases indicate that this group pervasively uses direct
social engineering.

Helpdesk and customer service agents are particularly high-value targets. Unit
42 has observed Muddled Libra using a combination of open-source intelligence
and previously compromised sensitive data to get help desk agents to reset both
passwords and MFA on the same call.

These attacks are convincing and persistent. They focus on wearing the agent’s
defenses down, running up the call length and ultimately bypassing security
restrictions that could have prevented these attacks.


PERSISTENCE

Muddled Libra was particularly focused on maintaining access to targeted
environments. While threat actors commonly use a free or demo version of a
remote monitoring and management (RMM) tool during intrusions, Muddled Libra
often installed half a dozen or more of these utilities. They did this to ensure
they would maintain a backdoor into the environment even if one were discovered.

Using commercial RMM tools is particularly problematic as these tools are
legitimate, business-critical applications that Muddled Libra abuses. None of
these tools are inherently malicious and they are frequently used in the
day-to-day administration of many enterprise networks. Defenders should weigh
the risks of an outright block versus carefully monitoring their use.

Observed tools included Zoho Assist, AnyDesk, Splashtop, TeamViewer, ITarian,
FleetDeck, ASG Remote Desktop, RustDesk and ManageEngine RMM. Unit 42 recommends
organizations block by signer any RMM tools that they have not sanctioned for
use within the enterprise.
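The "block by signer" recommendation above is usually paired with a hunt for hosts that already carry unsanctioned RMM software, and the report's observation that the actor stacks half a dozen tools on one host is itself a usable signal. The following is an added example, not Unit 42 code: it runs over a constructed process-inventory export, and the Authenticode signer subject strings are illustrative assumptions that must be confirmed against a known-good binary (for example with Get-AuthenticodeSignature) before being used in a blocking rule.

```python
from collections import defaultdict

# Certificate subject (lower-cased) -> product, for RMM tools named in the report.
# The subject strings are assumptions for illustration; verify each against the
# signature on a copy of the real installer before relying on them.
RMM_SIGNERS = {
    "anydesk software gmbh": "AnyDesk",
    "teamviewer germany gmbh": "TeamViewer",
    "splashtop inc.": "Splashtop",
    "zoho corporation private limited": "Zoho Assist",
    "itarian llc": "ITarian",
    "fleetdeck inc.": "FleetDeck",
    "asg technologies group, inc.": "ASG Remote Desktop",
    "rustdesk": "RustDesk",
}


def rmm_findings(inventory, sanctioned, threshold=3):
    """Report unsanctioned RMM products per host and hosts carrying several RMM tools.

    inventory: iterable of dicts with keys host, image, signer (e.g. an EDR
    process-inventory export). sanctioned: product names approved for use.
    Returns (per_host, stacked_hosts) where per_host maps host -> sorted list of
    unsanctioned products and stacked_hosts lists hosts with `threshold` or more
    distinct RMM products, sanctioned or not.
    """
    sanctioned = {s.lower() for s in sanctioned}
    unsanctioned = defaultdict(set)
    all_rmm = defaultdict(set)
    for rec in inventory:
        product = RMM_SIGNERS.get(rec["signer"].strip().lower())
        if product is None:
            continue  # not an RMM signer we track
        all_rmm[rec["host"]].add(product)
        if product.lower() not in sanctioned:
            unsanctioned[rec["host"]].add(product)
    stacked = sorted(h for h, prods in all_rmm.items() if len(prods) >= threshold)
    return {h: sorted(p) for h, p in unsanctioned.items()}, stacked


# Constructed inventory snapshot (not real telemetry).
SAMPLE_INVENTORY = [
    {"host": "WS-0412", "image": "AnyDesk.exe",     "signer": "AnyDesk Software GmbH"},
    {"host": "WS-0412", "image": "SRService.exe",   "signer": "Splashtop Inc."},
    {"host": "WS-0412", "image": "rustdesk.exe",    "signer": "RustDesk"},
    {"host": "WS-0412", "image": "TeamViewer.exe",  "signer": "TeamViewer Germany GmbH"},
    {"host": "WS-0412", "image": "notepad.exe",     "signer": "Microsoft Windows"},
    {"host": "WS-0099", "image": "TeamViewer.exe",  "signer": "TeamViewer Germany GmbH"},
    {"host": "SRV-FILE1", "image": "ZA_Connect.exe", "signer": "Zoho Corporation Private Limited"},
]

if __name__ == "__main__":
    per_host, stacked = rmm_findings(SAMPLE_INVENTORY, sanctioned=["TeamViewer"])
    for host, products in per_host.items():
        print(f"{host}: unsanctioned RMM {products}")
    print("hosts with stacked RMM tools:", stacked)
```

Matching on the signer rather than the file name is what makes the check robust to renamed binaries; the same signer list is what you would feed into an application-control policy once the sanctioned set is agreed.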

Muddled Libra has also demonstrated familiarity with cloud platforms, both
hosted and software as a service (SaaS). They will use these platforms to
establish a foothold within the organization, as these resources are unlikely to
be monitored like traditional assets and systems. Unit 42 has a separate article
with much more detail on cloud targeting.

Notably, recent attacks indicate that long-term persistence is no longer this
group’s primary objective. Instead, they’ve moved to a more traditional “encrypt
and extort” model. Targeting has broadened to include large organizations more
likely to have the capability to pay large ransoms. Once this group learns and
understands the infrastructure and software used in an industry, they tend to
target other organizations in the same vertical.


DEFENSE EVASION

Demonstrating proficiency with many security controls, Muddled Libra evaded
common defenses.

Their tactics have included the following:

 * Disabling antivirus and host-based firewalls
 * Attempting to delete firewall profiles
 * Creating defender exclusions
 * Deactivating or uninstalling EDR and other monitoring products
 * Standing up unmanaged cloud virtual machines
 * Elevating access in virtual desktop environments

Attackers also re-enabled and used existing Active Directory accounts to avoid
triggering common security information and event management (SIEM) monitoring
rules. We also observed them operating within endpoint detection and response
(EDR) administrative consoles to clear alerts. We cover this attack in detail in
our article.

Muddled Libra has been careful with operational security, consistently using
commercial virtual private network (VPN) services to obscure their geographic
location and attempt to blend in with legitimate traffic. The group preferred
Mullvad VPN in early incidents Unit 42 researchers investigated, but we also
observed multiple other vendors, such as ExpressVPN, NordVPN, Ultrasurf, Easy
VPN and ZenMate.

Unit 42 researchers have more recently observed the usage of rotating
residential proxy services as well. As reported by Brian Krebs in 2021,
residential proxy services typically hide their code inside browser extensions,
allowing operators to lease out residential connections for legitimate and
malicious use alike.

Defenders should look for multiple users authenticating from new residential IPs
over short periods.
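The detection suggested in the previous sentence comes down to one question asked of sign-in telemetry: how many distinct users has a previously unseen source address authenticated within a short window? The following is an added example, not Unit 42 code; the sign-in lines and the baseline of known egress addresses are constructed, and the 30-minute window and three-user threshold are starting values to tune against your own data.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_signins(lines):
    """Parse constructed 'ISO-timestamp user source-ip' lines into sorted tuples."""
    events = []
    for line in lines:
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, ip))
    return sorted(events)


def shared_new_ips(events, known_ips, window=timedelta(minutes=30), min_users=3):
    """Find source IPs absent from the baseline that authenticate several users at once.

    known_ips: addresses present in the organization's sign-in baseline (say the
    previous 90 days), so that a busy office egress address is not reported.
    Returns sorted [(ip, [users in the densest window])] for IPs whose busiest
    `window`-long span contains `min_users` or more distinct accounts.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        if ip not in known_ips:
            by_ip[ip].append((ts, user))
    findings = []
    for ip, evs in by_ip.items():
        evs.sort()
        start, best = 0, set()
        for end, (ts, _) in enumerate(evs):
            # Slide the window start forward until it is within `window` of this event.
            while ts - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            findings.append((ip, sorted(best)))
    return sorted(findings)


# Constructed sign-in log (documentation address ranges, not real users).
SAMPLE_SIGNINS = [
    "2024-02-12T09:00:00 alice 198.51.100.23",
    "2024-02-12T09:04:00 bob 198.51.100.23",
    "2024-02-12T09:11:00 carol 198.51.100.23",
    "2024-02-12T09:15:00 dave 203.0.113.7",
    "2024-02-12T09:20:00 erin 203.0.113.7",
    "2024-02-12T11:30:00 frank 203.0.113.7",
    "2024-02-12T09:00:00 gina 192.0.2.10",
    "2024-02-12T09:01:00 hank 192.0.2.10",
    "2024-02-12T09:02:00 ivan 192.0.2.10",
]
KNOWN_IPS = {"192.0.2.10"}  # office egress address in the baseline

if __name__ == "__main__":
    for ip, users in shared_new_ips(parse_signins(SAMPLE_SIGNINS), KNOWN_IPS):
        print(f"new source {ip} used by {len(users)} accounts: {users}")
```

In production the baseline set is the expensive part; build it from the identity provider's own sign-in export rather than from firewall logs, so that the IP the provider recorded is the one being compared. Enriching each hit with the address's ASN type (residential ISP versus hosting) sharpens the signal further, since the proxies the report describes sit on consumer connections.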


CREDENTIAL ACCESS

Once the attackers had captured the credentials they would use for initial
access, they took one of two paths. In one case, they continued the
authentication process from a machine they controlled and immediately requested
an MFA code. In the other cases, they generated an endless string of MFA prompts
until the user accepted one out of fatigue or frustration (aka MFA bombing).

In cases where MFA bombing was unsuccessful, the threat actor contacted the
organization’s help desk, claiming to be the victim. They would then state that
their phone was inoperable or misplaced and would request to enroll a new,
attacker-controlled MFA authentication device.
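MFA bombing leaves an unusually clean trace in push-notification logs: a burst of prompts that were denied or timed out, sometimes followed by a single approval. The following is an added example, not Unit 42 code, of the alerting logic the Conclusion and Mitigations section recommends (alert, and consider lockout, on repeated MFA failures). The log lines are constructed; the five-prompt threshold and five-minute spacing are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_mfa(lines):
    """Parse constructed 'ISO-timestamp user result' push-prompt lines into sorted tuples.

    result is one of approved, denied, timeout.
    """
    events = []
    for line in lines:
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return sorted(events)


def mfa_fatigue_findings(events, max_gap=timedelta(minutes=5), threshold=5):
    """Find per-user bursts of unapproved push prompts.

    A burst is a run of denied/timed-out prompts each within `max_gap` of the
    previous one. A burst of `threshold` or more prompts is reported as
    (user, prompt_count, approved_after, burst_start); approved_after is True
    when the burst ended in an approval, the outcome the attacker is waiting for.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    findings = []
    for user, evs in by_user.items():
        evs.sort()
        burst = []
        for ts, result in evs:
            if result == "approved":
                if len(burst) >= threshold:
                    findings.append((user, len(burst), True, burst[0]))
                burst = []
                continue
            if burst and ts - burst[-1] > max_gap:
                # Quiet period: close the previous burst before starting a new one.
                if len(burst) >= threshold:
                    findings.append((user, len(burst), False, burst[0]))
                burst = []
            burst.append(ts)
        if len(burst) >= threshold:
            findings.append((user, len(burst), False, burst[0]))
    return sorted(findings)


def lockout_candidates(findings):
    """Users whose burst has not (yet) ended in an approval: lock out and call back."""
    return sorted(user for user, _, approved, _ in findings if not approved)


# Constructed push log: alice is bombed and gives in, bob denies twice and approves
# a legitimate prompt, carol is bombed and holds out, dave has two unrelated denials.
SAMPLE_MFA_LOG = (
    [f"2024-02-12T09:0{i}:00 alice denied" for i in range(8)]
    + ["2024-02-12T09:08:00 alice approved",
       "2024-02-12T10:00:00 bob denied",
       "2024-02-12T10:01:00 bob denied",
       "2024-02-12T10:02:00 bob approved"]
    + [f"2024-02-12T14:0{i}:00 carol timeout" for i in range(6)]
    + ["2024-02-12T08:00:00 dave denied",
       "2024-02-12T08:30:00 dave denied"]
)

if __name__ == "__main__":
    found = mfa_fatigue_findings(parse_mfa(SAMPLE_MFA_LOG))
    for user, n, approved, start in found:
        print(f"{user}: {n} unapproved prompts from {start:%H:%M}, approved after: {approved}")
    print("lock out and verify out of band:", lockout_candidates(found))
```

An approval at the end of a burst is the higher-priority alert, since it means the attacker now holds a session; the burst without an approval is the moment to lock the account and reach the user by a channel the help desk did not receive from the caller. Number-matching or FIDO authenticators, as the mitigations section recommends, remove the push-fatigue path altogether.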

Muddled Libra’s social engineering success is notable. Across many cases, the
group demonstrated unusually high comfort in engaging the help desk and other
employees over the phone, convincing them to engage in unsafe actions.

If targeted accounts do not have the desired access, Muddled Libra will use the
account for discovery and repeat the process until they have the access
necessary for their attack.

After establishing a foothold, Muddled Libra moves quickly to elevate access.
Standard credential-stealing tools employed in this phase included Mimikatz,
ProcDump, DCSync, Raccoon Stealer and LAPS Toolkit. When the group could not
quickly locate elevated credentials, they turned to Impacket, MIT Kerberos
Ticket Manager and NTLM Encoder/Decoder.

In some incidents, Muddled Libra employed specialized tools to search memory
contents for credentials directly using MAGNET RAM Capture and Volatility. As
these are legitimate forensics tools that Muddled Libra is abusing, defenders
should carefully consider the downsides to blocking them, including the
possibility of security team activity generating false positive alerts.

This tactic raises an important flag for defenders. Even though user accounts
might be protected through privileged access management, endpoints often have
elevated credentials cached for system management or to run services. Care
should be taken to ensure that privileged credentials only have the permissions
necessary to perform their intended functions and are closely monitored for
deviations from normal behavior.


DISCOVERY

Muddled Libra’s discovery methods were consistent from case to case. In our
investigations, the group used well-known, legitimate penetration testing tools
to map the environment and identify targets of interest. Their toolkit included
SharpHound, ADRecon, AD Explorer, Angry IP Scanner, Angry Port Scanner and
CIMplant.

Muddled Libra also proved proficient with commercial systems administration
tools such as ManageEngine, LANDESK and PDQ Inventory for discovery and
automation. They also used VMware PowerCLI and RVTools in virtual environments.

Defenders should be vigilant in identifying unsanctioned network scanning and
unusual rapid access to multiple systems or access that crosses logical business
segments.


EXECUTION

In early incidents, Muddled Libra appeared primarily interested in data and
credential theft, and we infrequently saw remote execution. However, more recent
cases included a BlackCat ransomware component. When needed, the group
accomplishes execution with Sysinternals PsExec or Impacket. We also observed
Muddled Libra using the victim’s system management tools to execute malicious
code. They used captured credentials or authentication hashes for privilege
elevation.


LATERAL MOVEMENT

Muddled Libra preferred using remote desktop protocol (RDP) connections from
compromised computers for lateral movement inside the target environment. This
approach helps to minimize discoverable external network artifacts in logs that
could alert defenders and help investigators with attribution.


COLLECTION

Muddled Libra is familiar with typical enterprise data management. They’ve
successfully located sensitive organizational data in a wide range of common
data repositories, both structured and unstructured, including the following:

 * Confluence
 * Code Management Platforms
 * Elastic
 * Microsoft Office 365 suite (e.g., SharePoint, Outlook)
 * Internal messaging platforms

They also targeted data in typical service desk applications in the victim’s
environment, such as Zendesk and Jira. Mined data included credentials for
further compromise, and they also directly targeted sensitive and confidential
information.

Unit 42 researchers observed Muddled Libra using the open-source data mining
tool Snaffler and native tools to search registries, local drives and network
shares for keywords such as *password* and securestring. Threat actors then
staged compromised data and archived it for exfiltration using WinRAR or PeaZip.
They used stolen sensitive data as leverage in extortion demands.

Defenders should regularly perform keyword searches in their environments to
identify improperly stored data and credentials as part of a broader data
management and classification strategy.
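The keyword sweep recommended above is the defender's version of what Snaffler does for the attacker: walk the shares, match lines against the patterns that betray stored credentials, and fix the findings before someone else finds them. The following is an added example, not Unit 42 code or Snaffler itself. The *password* and securestring patterns come from the report; the private-key and AWS-key patterns, the file-extension list and the sample files the script creates in a temporary directory are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Patterns for material credential sweeps turn up. The first two are the report's
# keywords; the rest are assumptions added here for common secret formats.
SECRET_PATTERNS = {
    "password": re.compile(r"password\s*[:=]\s*\S+", re.I),
    "securestring": re.compile(r"securestring", re.I),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_secret": re.compile(r"aws_secret_access_key\s*=\s*\S+", re.I),
}
# Text-bearing extensions worth reading; binary formats are left to dedicated tools.
SCAN_EXTENSIONS = {".txt", ".ps1", ".bat", ".config", ".xml", ".ini", ".env",
                   ".json", ".yml", ".yaml", ".pem", ".rdp", ".vbs", ".sql"}


def scan_tree(root, patterns=SECRET_PATTERNS, max_bytes=2_000_000):
    """Walk `root` and return sorted [(relative_path, line_no, pattern_name)].

    Files over max_bytes, non-UTF-8 files and unreadable files are skipped rather
    than loaded, the same trade-off a share crawler makes to stay fast.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for label, pat in patterns.items():
                            if pat.search(line):
                                rel = os.path.relpath(path, root).replace(os.sep, "/")
                                findings.append((rel, lineno, label))
            except (UnicodeDecodeError, OSError):
                continue
    return sorted(findings)


def build_demo_tree():
    """Create a throwaway directory of constructed sample files; returns its path."""
    root = tempfile.mkdtemp(prefix="credsweep_demo_")
    files = {
        "it/backup.ps1": '$pw = ConvertTo-SecureString "Winter2024!" -AsPlainText -Force\n',
        "apps/web.config": '<add name="db" connectionString="Server=sql1;Password=Sup3rS3cret;" />\n',
        "finance/notes.txt": "Quarterly numbers attached. Call the desk on Monday.\n",
        "ops/deploy.env": "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "ops/id_rsa.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
        "ops/readme.txt": "No secrets here; rotate passwords via the vault.\n",
        "ops/archive.zip": "PK\x03\x04 not scanned: binary extension\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, lineno, label in scan_tree(demo):
        print(f"{rel}:{lineno}: {label}")
```

Run it against a mounted copy of each file share from an account with read-only access, and treat every hit as a credential to rotate, not just a file to delete; the attacker may already have read it. The regular expressions err toward precision (a prose mention of "passwords" does not match), so expect to widen them for formats specific to your environment.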


EXFILTRATION

In several cases, Muddled Libra attempted to establish reverse proxy shells or
secure shell (SSH) tunnels for command and control and for exfiltration. We
observed them using tunneling software such as RSocx. Muddled Libra also used
common file transfer sites such as put[.]io, transfer[.]sh, wasabi[.]com and
gofile[.]io both to exfiltrate data and to pull down attack tools. We also
observed the use of Cyberduck as a file transfer agent.

Threat actors often abuse, take advantage of or subvert legitimate products such
as Cyberduck for malicious purposes. This does not necessarily imply a flaw or
malicious quality to the legitimate product being abused.


IMPACT

The early impact directly observed by Unit 42 was some combination of the theft
of sensitive data and Muddled Libra leveraging trusted organizational
infrastructure for follow-on attacks on downstream customers.

Later attacks were much more destructive, and they included the following
activities:

 * Disruption of operations
 * Damage to sensitive systems
 * Encryption of critical data
 * Enormous extortion demands


CONCLUSION AND MITIGATIONS

Muddled Libra is a methodical adversary that substantially threatens enterprise
organizations across many industries. They are proficient in a range of security
disciplines, able to thrive in relatively secure environments and execute
rapidly to complete devastating attack chains.

Muddled Libra doesn’t bring anything new to the table except for the uncanny
knack of stringing together weaknesses to disastrous effect. Defenders must
combine cutting-edge technology, comprehensive security hygiene and monitoring
of both external threats and internal events. The high-stakes risk of
operational disruption and loss of sensitive data is a strong incentive for
modernizing information security programs.

In addition to the mitigation recommendations included in the Attack Chain
subsections above, we recommend organizations:

 * Implement MFA and single sign-on (SSO) wherever possible – preferably Fast
   Identity Online (FIDO). In the cases we investigated, Muddled Libra was most
   successful when they convinced employees to help them bypass MFA. When they
   could not quickly establish a foothold, they appeared to move on to other
   targets.
 * Defenders should consider implementing security alerting and account lockout
   on repeated MFA failures.
 * Implement comprehensive user awareness training. Muddled Libra is heavily
   focused on social engineering help desk and other employees via phone and
   SMS. Employee training on identifying suspicious non-email-based outreach is
   critical.
 * In case of a breach, assume this threat actor knows the modern IR playbook.
   Consider setting up out-of-band response mechanisms.
 * Ensure credential hygiene is up to date. Only grant access when and for as
   long as necessary.
 * Monitoring and managing access to critical defenses and controls is essential
   to defending against skilled attackers. Rights should be restricted to only
   what is necessary for each job function. Identity threat detection and
   response (ITDR) tools such as Cortex XDR and Cortex XSIAM should be used to
   monitor for abnormal behavior.
 * Defenders should limit anonymization services allowed to connect to the
   network, ideally at the firewall by App-ID.

To defend against the threats described in this blog, Palo Alto Networks further
recommends that organizations employ the following capabilities:

 * Network security: delivered through a Next-Generation Firewall (NGFW)
   configured with machine learning enabled and best-in-class, cloud-delivered
   security services. This includes, for example, threat prevention, URL
   filtering, DNS security and a malware prevention engine capable of
   identifying and blocking malicious samples and infrastructure.
 * Endpoint security: delivered through an XDR solution that can identify
   malicious code through advanced machine learning and behavioral analytics.
   This solution should be configured to act on and block threats in real-time
   as they are identified.
 * Security automation: delivered through an XSOAR or XSIAM solution capable of
   providing SOC analysts with a comprehensive understanding of the threat
   derived by stitching together data from endpoints, network, cloud and
   identity systems.

If you think you might have been compromised or have an urgent matter, get in
touch with the Unit 42 Incident Response team or call:

 * North America Toll-Free: 866.486.4842 (866.4.UNIT42)
 * EMEA: +31.20.299.3130
 * APAC: +65.6983.8730
 * Japan: +81.50.1790.0200


INDICATORS OF COMPROMISE

IPs observed during this activity:

 * 104.247.82[.]11
 * 105.101.56[.]49
 * 105.158.12[.]236
 * 134.209.48[.]68
 * 137.220.61[.]53
 * 138.68.27[.]0
 * 146.190.44[.]66
 * 149.28.125[.]96
 * 157.245.4[.]113
 * 159.223.208[.]47
 * 159.223.238[.]0
 * 162.19.135[.]215
 * 164.92.234[.]104
 * 165.22.201[.]77
 * 167.99.221[.]10
 * 172.96.11[.]245
 * 185.56.80[.]28
 * 188.166.92[.]55
 * 193.149.129[.]177
 * 207.148.0[.]54
 * 213.226.123[.]104
 * 35.175.153[.]217
 * 45.156.85[.]140
 * 45.32.221[.]250
 * 64.227.30[.]114
 * 79.137.196[.]160
 * 92.99.114[.]231
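As an added defender-side example, not code from Unit 42 or from this report, the script below refangs the IP indicators listed above and sweeps log lines for them. The indicators are the ones on this page; the log lines, their field layout and the `SAMPLE_LOGS` name are constructed assumptions for the demonstration.

```python
"""Refang the defanged IoC IPs from this report and sweep log lines for them."""
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Defanged IPs copied verbatim from the Indicators of Compromise list above.
DEFANGED_IOCS = """
104.247.82[.]11
105.101.56[.]49
105.158.12[.]236
134.209.48[.]68
137.220.61[.]53
138.68.27[.]0
146.190.44[.]66
149.28.125[.]96
157.245.4[.]113
159.223.208[.]47
159.223.238[.]0
162.19.135[.]215
164.92.234[.]104
165.22.201[.]77
167.99.221[.]10
172.96.11[.]245
185.56.80[.]28
188.166.92[.]55
193.149.129[.]177
207.148.0[.]54
213.226.123[.]104
35.175.153[.]217
45.156.85[.]140
45.32.221[.]250
64.227.30[.]114
79.137.196[.]160
92.99.114[.]231
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("1.2.3[.]4") back into its raw form."""
    return indicator.strip().replace("[.]", ".").replace("(.)", ".")


def load_iocs(text: str) -> Set[ipaddress._BaseAddress]:
    """Parse a defanged IP list (one per line, optional '* ' bullet) into address objects."""
    iocs = set()
    for raw in text.splitlines():
        line = raw.strip().lstrip("* ").strip()
        if not line:
            continue
        try:
            iocs.add(ipaddress.ip_address(refang(line)))
        except ValueError:
            # Not an IP address; the list in this report is IPv4 only, so skip.
            continue
    return iocs


# Dotted-quad candidates; ipaddress.ip_address() rejects out-of-range octets.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(line: str) -> List[ipaddress._BaseAddress]:
    """Return every syntactically valid IPv4 address found in a log line."""
    found = []
    for candidate in IP_RE.findall(line):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            pass
    return found


def scan_logs(lines: Iterable[str], iocs: Set[ipaddress._BaseAddress]) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_ip, line) for each log line that contains an IoC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in extract_ips(line):
            if ip in iocs:
                hits.append((number, str(ip), line.strip()))
    return hits


# Constructed sample log lines (assumed format: a firewall traffic log and a VPN auth log).
SAMPLE_LOGS = [
    "2024-03-18T09:12:01Z TRAFFIC allow src=10.0.0.5 dst=104.247.82.11 app=ssl",
    "2024-03-18T09:12:05Z TRAFFIC allow src=10.0.0.7 dst=8.8.8.8 app=dns",
    "2024-03-18T09:14:44Z VPN auth-success user=jdoe client=146.190.44.66",
    "2024-03-18T09:15:02Z TRAFFIC deny src=10.0.0.9 dst=999.1.1.1 app=unknown",
]

if __name__ == "__main__":
    for number, ip, line in scan_logs(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS)):
        print(f"line {number}: IoC {ip} in: {line}")
```

Treat a match as a lead to pivot on rather than a verdict: IP indicators age quickly as hosting is reassigned, so confirm the surrounding activity (user, timing, application) before acting on a hit.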


ADDITIONAL RESOURCES

 * Muddled Libra Discussion With Unit 42 Senior Consultant Stephanie Regan –
   Threat Vector Podcast, Unit 42 on CyberWire Daily
 * Exposing Muddled Libra's Meticulous Tactics With Unit 42 Senior Researcher
   Kristopher Russo – Threat Vector Podcast, Unit 42 on CyberWire Daily
 * Muddled Libra's Evolution to the Cloud – Unit 42, Palo Alto Networks
 * Roasting 0ktapus: The phishing campaign going after Okta identity credentials
   – Group-IB
 * Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign
   Targeting Telco and BPO Companies – CrowdStrike
 * Detecting Scatter Swine: Insights into a Relentless Phishing Campaign – Okta
 * I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed
   Malware – Mandiant
 * Is Your Browser Extension a Botnet Backdoor? – Krebs on Security
 * Suspicion stalks Genesis Market’s competitors following FBI takedown – The
   Record, Recorded Future News

Updated March 19, 2024, at 6:52 a.m. PT to correct Figure 1. 
