The cybercriminal group known as Muddled Libra, also tracked as Starfraud, UNC3944, Scatter Swine, and Scattered Spider, has been actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments to exfiltrate sensitive data. The group relies on sophisticated social engineering for initial access and has a history of evading detection by living off the land, using the victim's own legitimate tools and cloud features rather than custom malware. It monetizes access to victim networks through extortion backed by ransomware and data theft.
Muddled Libra conducts thorough reconnaissance to identify administrative users to target, often posing as helpdesk staff to obtain their passwords. It also harvests credentials with phishing kits such as 0ktapus, which impersonates Okta login pages, giving the group a route into SaaS applications and CSP environments. The attackers use the information gathered during reconnaissance to move laterally within the victim's environment, abusing admin credentials to reach single sign-on (SSO) portals; because SSO federates many applications behind one login, this gives them quick access to SaaS applications and cloud infrastructure at once.
If SSO is not integrated with the target's CSP, Muddled Libra undertakes broad discovery activities to uncover CSP credentials stored in unsecured locations. It also mines the intelligence and data held in SaaS applications to widen the breach through privilege escalation and further lateral movement. The group specifically targets AWS IAM and Azure storage account access keys for credentials, and Amazon S3 and Azure Blob Storage for the data itself.
Data is exfiltrated to an external, attacker-controlled destination by abusing legitimate CSP services and features, such as AWS DataSync, AWS Transfer, and snapshot copying and sharing. Because each of these is a normal, supported cloud operation, the exfiltration appears in audit logs as ordinary API activity rather than as malware, so defenders must baseline who normally uses these services and alert on deviations. Organizations are advised to secure their identity portals with phishing-resistant secondary authentication, such as hardware security keys or biometrics, rather than phishable factors like SMS codes or push approvals, since the group's social engineering is aimed at exactly those weaker factors.
The evolution of Muddled Libra's methodology demonstrates the multidimensionality of current cyberattacks. By pivoting from a compromised identity into SaaS applications and cloud environments, the group can gather large amounts of information quickly and exfiltrate it over channels that look like routine cloud administration, presenting new challenges for defenders.
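The two preceding paragraphs describe behaviour that leaves a trail in CloudTrail: a burst of read-only discovery calls from one identity (IAM, S3, secrets stores), followed by snapshot sharing to an outside account or the creation of DataSync or Transfer resources. The detector below is an added example and is not code from the article or from Unit 42. It runs over a constructed newline-delimited JSON log whose records mimic CloudTrail fields (`eventSource`, `eventName`, `userIdentity.arn`, `requestParameters`); the `TRUSTED_ACCOUNTS` set, the ARNs, account IDs, snapshot IDs and the exact `requestParameters` layout for `ModifySnapshotAttribute` are assumptions to be checked against your own logs.

```python
"""Flag Muddled Libra style cloud discovery and exfiltration in CloudTrail.

Added example, not from the original article. All events are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: account IDs that belong to your organisation. Sharing a
# snapshot with any other account (or with "all") counts as external.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# Read/list calls that, in a burst from one identity, resemble the broad
# credential discovery described in the article (IAM, S3, secrets stores).
DISCOVERY_CALLS = {
    ("iam.amazonaws.com", "ListUsers"),
    ("iam.amazonaws.com", "ListAccessKeys"),
    ("iam.amazonaws.com", "ListRoles"),
    ("s3.amazonaws.com", "ListBuckets"),
    ("secretsmanager.amazonaws.com", "ListSecrets"),
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
    ("ssm.amazonaws.com", "GetParameters"),
}

# Legitimate transfer services the article names as exfiltration channels.
EXFIL_SETUP_CALLS = {
    ("datasync.amazonaws.com", "CreateLocationS3"),
    ("datasync.amazonaws.com", "CreateTask"),
    ("transfer.amazonaws.com", "CreateServer"),
}


def _ev(time, arn, source, name, params=None):
    """Build one constructed CloudTrail-like record as a JSON line."""
    return json.dumps({"eventTime": time, "userIdentity": {"arn": arn},
                       "eventSource": source, "eventName": name,
                       "requestParameters": params or {}})


ATTACKER = "arn:aws:sts::111111111111:assumed-role/AdminRole/helpdesk-reset"  # assumed
ADMIN = "arn:aws:iam::111111111111:user/backup-operator"  # assumed

SAMPLE_LOG = "\n".join([
    _ev("2024-01-10T09:00:05Z", ATTACKER, "iam.amazonaws.com", "ListUsers"),
    _ev("2024-01-10T09:00:40Z", ATTACKER, "iam.amazonaws.com", "ListAccessKeys"),
    _ev("2024-01-10T09:01:12Z", ATTACKER, "iam.amazonaws.com", "ListRoles"),
    _ev("2024-01-10T09:02:03Z", ATTACKER, "s3.amazonaws.com", "ListBuckets"),
    _ev("2024-01-10T09:03:30Z", ATTACKER, "secretsmanager.amazonaws.com", "ListSecrets"),
    _ev("2024-01-10T09:04:01Z", ATTACKER, "secretsmanager.amazonaws.com", "GetSecretValue"),
    # Snapshot shared with an account outside the organisation
    _ev("2024-01-10T09:20:00Z", ATTACKER, "ec2.amazonaws.com", "ModifySnapshotAttribute",
        {"snapshotId": "snap-0a1b2c3d4e5f67890",
         "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}),
    # DataSync task created to copy a bucket out
    _ev("2024-01-10T09:25:00Z", ATTACKER, "datasync.amazonaws.com", "CreateTask"),
    # Benign: operator shares a snapshot with another in-org account
    _ev("2024-01-10T10:00:00Z", ADMIN, "ec2.amazonaws.com", "ModifySnapshotAttribute",
        {"snapshotId": "snap-0fedcba9876543210",
         "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}),
    # Benign: a single list call is not a discovery burst
    _ev("2024-01-10T10:05:00Z", ADMIN, "s3.amazonaws.com", "ListBuckets"),
])


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def external_snapshot_share(ev):
    """Account IDs (or 'all') a snapshot was shared with outside TRUSTED_ACCOUNTS;
    empty list if the event is not an external share."""
    if (ev["eventSource"], ev["eventName"]) != ("ec2.amazonaws.com", "ModifySnapshotAttribute"):
        return []
    items = (ev.get("requestParameters", {}).get("createVolumePermission", {})
             .get("add", {}).get("items", []))
    outsiders = []
    for item in items:
        if item.get("group") == "all":
            outsiders.append("all")
        elif item.get("userId") and item["userId"] not in TRUSTED_ACCOUNTS:
            outsiders.append(item["userId"])
    return outsiders


def detect(events, window=timedelta(minutes=10), min_distinct=5):
    """Return alert dicts for exfil setup, external snapshot shares and discovery bursts."""
    alerts = []
    discovery = defaultdict(list)  # actor ARN -> [(time, API name)]
    for ev in events:
        key = (ev["eventSource"], ev["eventName"])
        actor = ev["userIdentity"]["arn"]
        if key in DISCOVERY_CALLS:
            discovery[actor].append((_time(ev), key[1]))
        if key in EXFIL_SETUP_CALLS:
            alerts.append({"rule": "exfil_service_setup", "actor": actor, "detail": key[1]})
        shared = external_snapshot_share(ev)
        if shared:
            alerts.append({"rule": "snapshot_shared_externally", "actor": actor,
                           "detail": f"{ev['requestParameters']['snapshotId']} -> {','.join(shared)}"})
    for actor, calls in discovery.items():
        calls.sort()
        # Sliding window: distinct discovery APIs within `window` of each call
        for i, (start, _) in enumerate(calls):
            names = {name for t, name in calls[i:] if t - start <= window}
            if len(names) >= min_distinct:
                alerts.append({"rule": "discovery_burst", "actor": actor,
                               "detail": f"{len(names)} distinct read APIs within {window}"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert["rule"], alert["actor"], alert["detail"])
```

On the sample log this raises three alerts, all against the assumed-role session: a discovery burst (six distinct read APIs in four minutes), a snapshot shared with an account outside the trusted set, and a DataSync task creation; the backup operator's in-org snapshot share and lone ListBuckets call pass silently. The discovery threshold and window are deliberately parameters, since the right values depend on how noisy your own automation is.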