A dangerous actor known as Muddled Libra is targeting the business process outsourcing (BPO) industry with frequent attacks that leverage advanced social engineering tricks to gain early access.
“The attack style that defines Muddled Libra appeared on the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit, which offers a prebuilt hosting framework and bundled templates,” Palo Alto Networks Unit 42 said in a technical report.
Libra is the designation given to cybercrime groups by the cyber security company. The “entangled” nickname for the threat actor stems from the prevailing ambiguity regarding the use of the 0ktapus framework.
0ktapus, also known as Scatter Swine, refers to an intrusion set that first came to light in August 2022 in connection with attacks against more than 100 organizations including Twilio and Cloudflare.
Then in late 2022, CrowdStrike detailed a series of cyber attacks targeting telecom and BPO companies from at least June 2022 through a combination of credential phishing and SIM swapping attacks. This cluster is being tracked under the names Roasted 0ktapus, Scattered Spider and UNC3944.
“Unit 42 decided to keep the name Muddled Libra because of the confusing landscape associated with the 0ktapus phishing kit,” senior threat researcher Christopher Russo told The Hacker News.
“Since the kit is now widely available, many other threat actors are adding it to their arsenal. Using the 0ktapus phishing kit alone will not necessarily classify a threat actor as a Unit 42 Muddled Libra.”
Attacks by e-crime groups begin with the use of Smishing and 0ktapus phishing kits to establish initial access and typically end with data theft and long-term persistence.
Another unique detection is using compromised infrastructure and stolen data in downstream attacks on the victim’s customers, and in some cases, even repeatedly targeting the same victims to replenish their datasets.
Unit 42, which investigated more than half a dozen entangled Tula incidents between June 2022 and early 2023, described the group as stubborn and “systematic in achieving their goals and highly flexible with their attack strategies”. Rapidly changing strategy when faced with obstacles.
In addition to supporting a wide range of legitimate remote management devices to maintain consistent access, Muddle Libra is designed to protect against tampering with endpoint security solutions and the Multi-Factor Authentication (MFA) notification fatigue strategy to steal credentials. Has been done Known for abuse. Threat actors have also been observed collecting lists of employees, job roles, and cellular phone numbers in order to execute the bombings. Should this approach fail, Muddled Libra actors contact the organization’s help desk posing as victims to enroll a new MFA device under their control.
“The social engineering success of Muddled Libra is remarkable,” the researchers said. “In several of our cases, the group demonstrated an unusually high level of spontaneity, involving the help desk and other staff on the phone, and persuading them to engage in unsafe actions.”
Attacks also include credential-stealing tools such as Mimikatz and Raccoon Stealer, which increase access, as well as other scanners to facilitate network discovery and eventually access Confluence, Jira, Git, Elastic, Microsoft 365, and internal messaging platforms provide.
Unit 42 theorizes that the makers of 0ktapus fishing kits do not have the same advanced capabilities as Muddled Libra, adding that there is no definite connection between the actor and UNC3944, despite tradecraft overlap. “Muddled Libra stands at the intersection of devious social engineering and nimble technology adaptation,” the researchers said. “They are proficient in a range of security disciplines, able to thrive in relatively secure environments and capable of rapidly carrying out destructive attack chains.”
“With deep knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber security.”
