Research Saturday 9.2.23
Ep 297 | 9.2.23

Thwarting Muddled Libra.


 Dave Bittner: Hello, everyone, and welcome to the Cyberwire's "Research Saturday." I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Silence ]

Kristopher Russo: So we first started seeing cases for this pop in last fall and, while we had seen cases before, you know, that are similar with phishing and smishing and bad guys calling in, these definitely seemed a lot more targeted than cases we had seen before.

Dave Bittner: Our guests today are Kristopher Russo and Stephanie Regan from Palo Alto Networks Unit 42. We're talking about their Threat Group Assessment -- Muddled Libra. [ Silence ]

Kristopher Russo: This kind of coincided with a lot of media attention and release around the Scattered Spider group, and as we worked this more we definitely started to see a link between these two groups.

Dave Bittner: Well, let's dig into who exactly we think Muddled Libra is. What do we think is behind this -- this organization?

Kristopher Russo: Sure. So, I mean, a little history back on Scattered Spider. We saw in fall of '22 the 0ktapus phishing kit release. And, you know, as I mentioned before, while smishing has certainly been around for a while, what this kit did was take smishing, creating smishing pages, and bundling those together, and making them easy for threat actors to target users with. And so we saw a huge burst of activity which was covered by a lot of media organizations targeting large clients with these smishing messages. And so what you would see is you'd see users get a text message on their personal phone, or they'd call on their personal phone, maybe about a schedule change upcoming for work or that they had to make some, you know, modifications and it would redirect them to an authentic-looking login page which would ask for their credentials and trigger a two-factor request which then they would answer and put that request in. What the victim didn't know when that happened was that was going back to a threat actor-controlled telegram group. And the threat actor was harvesting those credentials and that MFA code and using that to authenticate as the user. So this chain of events we saw happen to a large number of companies. There was a lot of consistency between how the domains were set up and how it was carried out. But a very small subsegment of those attacks seemed to be targeting business process outsourcers. And we saw several of those cases in our incident response. So we saw several of these attacks targeting business process organi -- or we saw several of these attacks processing business process outsourcers. And in these attacks, the threat actors would target organizations that had access to other organizations downstream. And as we got into the incident response, and I'll let Stephanie kind of speak to this a little bit more, we would see patterns in these attacks, whereas the business process outsourcer was targeted specifically to gather information for downstream companies.

Dave Bittner: Hmm. Stephanie, what -- what can you add here?

Stephanie Regan: Yeah, the other thing that really stood out to us in relation to these investigations was the tenacity of this threat actor. You know, when we're looking at it, we typically see a lot of threat actors -- they really have a script or methodology in mind when they're coming into the environment. They might have a couple pivots that they can take, but this is one of the threat actors that we really see that is pushing towards, kind of, that advanced level of a threat actor. They're dropping tons of different RMM tools, so your remote access tools. They're really getting in -- their hooks into wide varieties of locations within an environment. A lot of the times, threat actors are really going to gravitate towards, you know, I'm a Linux threat actor, I'm a Windows threat actor, I'm a Cloud threat actor. And a lot of the times when we were looking into these investigations, they were comfortable in all of these different platforms. They're able to pivot into SAS applications, look into your Cloud environment, and utilize exploits, and understanding the common misconfigurations that exist in the Cloud. And then they're able to look at the Windows environment, the Linux environment, and pivot through those with relative ease. And the other part that I -- was really noticeable about that is just, you know, they weren't afraid to really understand and learn about the environment and take that time. We saw a lot of data [inaudible 00:05:00] and reconnaissance around how-to documents. How to connect to xyz platform. How to reset password credentials legitimately. How to contact the help desk. And really diving into understanding how your process works so that they can mask in and hide within that realm.

Dave Bittner: You know, it strikes me that when you talk about something like the 0ktapus phishing kit, you know, these sort of malware as a service things, these commodity tools, I would imagine that that would attract a lower-level of threat actor here. You know, the -- air quotes -- script kiddies. But what you're describing here is that this organization is taking this kind of tool and -- and elevating it to the next level?

Stephanie Regan: Absolutely. And don't get me wrong -- we see the 0ktapus phishing kit being used a lot throughout the environment right now. It's very prevalent throughout all different case types that we've been working. We see them a lot on business email compromised cases, all the way up to your ransomwares. But in this specific case, with Muddled Libra and Scattered Spider, we see them utilizing that, kind of, face-level scripting. But then once they get in and once they get that access, they're definitely more sophisticated.

Kristopher Russo: And this attack type is not new. This attack type is not new. In fact, we saw a report released just this week by the Cyber Safety Review Board talking about how Lapsus$ was using very similar techniques all the way back to 2021. But what Muddled Libra brought to the table with this was this highly focused, highly proceduralized type of attack. And because of that we believe it's a relatively small, tight-knit group as opposed to Lapsus$ which kind of spanned a huge, massive channel of different levels of organization. We also saw this very targeted attack type with Muddled Libra so we know that they were definitely after and had an endgame focused primarily on compromising companies downstream of these business process outsourcers. And the ultimate target, we believe, was cryptocurrency. Right?

Dave Bittner: So before we dig into the actual process here, would -- do -- do we assume that the naming of the 0ktapus phishing kit as it's, you know, O-K -- or, I guess, zero-K-T-A-P -- I mean, is that a shot across the bow at security firm Okta?

Kristopher Russo: We do believe so, and we know that Okta was targeted during these early attacks along with several other authentication vendors.

Dave Bittner: Hmm.

Kristopher Russo: And the idea behind this kit was really to go after these MFA codes and the providers that facilitate those.

Dave Bittner: I see. Well, let's walk through it together. I mean, how -- how does somebody find themselves in Muddle Libra's targets and -- and once they do, what exactly is going on with the attack chain here?

Kristopher Russo: Yeah, so what we've seen when this happens is they do extensive research on the organization and on the victim that they're going to target. So they know what they're after. In fact, some of the attacks we've even seen knowledge of kind of obscure tools or even insider tools. So Muddled Libra will choose an organization that they want to attack. This organization typically has downstream customers of interest. These organizations tend to provide maybe outsourcing service for help desk or maybe other services for the downstream client. The Muddled Libra threat actor will target an individual. They'll find this individual's personal cell phone number. They will compromise these credentials. And once they get in they will immediately start to look to elevate access and to find the information that they're after. And this is typically documentation on downstream clients. How to operate their tools, credentials for these clients, and other data that allows them to act as this business process outsourcer in the target client's environment.

Dave Bittner: And so once they're in that target's environment, the downstream target, what do they do then?

Kristopher Russo: Well, primarily, a lot of what we saw was revolving around SIM swapping, and this is a very lucrative attack type where the attacker will move a victim's phone number that they use for multi-factor authentication to a temporary phone that the threat actor controls so that they can generate password resets and get those credentials and then access accounts, primarily cryptocurrency related, that are behind these authentication.

Stephanie Regan: Yeah, Dave, one thing I'd like to add to -- to the SIM swapping piece -- and a lot of people are historically thinking of SIM swapping as, you know, one -- cryptocurrency, two -- banking applications, and then three -- just kind of interest to the telecoms. But one of the things that I really have been seeing a lot of lately that's of interest is actually the use of SIM swapping as a credential elevation tool. So when they're really targeting your environment, when they're looking at it and they're saying, all right, you know, Dave's the admin in this account. I know I can utilize Dave for credential elevation into this environment. You know, they're going to go after your account to SIM swap and utilize that MFA code to then achieve their credential elevation within different environments. So that is something we've seen before very intermittently, but the prevalence of that, when you're having really targeted victims, is a trend that we're really keeping an eye on these days.

Dave Bittner: Hmm. Help me understand here, I -- I guess I'm -- I'm scratching my head a little bit that their ultimate goal is cryptocurrency when they have all this access, right, to multiple organizations. Is -- is industrial espionage, you know, a side hustle or where they keep their eye on the ball?

Kristopher Russo: So what we found with these threat actors, especially early on, is that they're looking for ways to monetize their access easily. And while industrial espionage is definitely great for nation-states or, you know, other folks that have a way to use that information, it doesn't provide a quick win. Cryptocurrency, on the other hand, provides a quick win. You could take a large amount of cryptocurrency, you can wash it, and convert it to cash or other products easily. So that's where this comes in. But, to your point, we've seen in recent attacks where they have started to pivot away from the cryptocurrency targets. And we believe that's because of enhanced security measures that have been put in place, as well as user awareness. And we are starting to see more of a focus towards stealing data and then extorting organizations for the return of that data.

Dave Bittner: Mm.

Kristopher Russo: We haven't seen as much success with this attack type as we have in ransomware attacks, traditionally, and we believe it's mostly experience based. So we expect that to continue to grow.

Dave Bittner: Yeah, that's fascinating. I mean, I -- I guess in my mind am I overestimating the -- the amount of effort that goes into the initial access and then pivoting to the other groups? I -- I guess it seems like a lot of work to what, in my mind, would seem like a smash and grab to go after cryptocurrency. So is that my own misunderstanding?

Kristopher Russo: Well, I mean, definitely what we've seen in these attacks -- there is a lot of traditional red teaming attack-style type with these attackers. So we do believe that these attackers have studied penetration testing, that they are comfortable with the penetration testing rule book and so, you know, during that, that doesn't really give them a lot of opportunity to be creative in their attacks. So they go in, they're looking for credentials. They're looking for protected systems and they're looking to use those credentials immediately. So, if anything, I think probably what we see is a lack of experience playing in here, that these are not necessarily hardened cyber criminals, but they have gotten together and designed the playback that, you know, at least for a while has worked very well for them. Even though it seems complex from the outside looking in, it's a fairly straightforward advancement of compromise organization, use those credentials to compromise downstream organization, and then feed into an existing SIM swapping infrastructure that is already widely used in order to monetize cryptocurrency payments.

Stephanie Regan: Yeah. And I think -- I think Kris is hitting it on the head there with, you know, they're willing to put in effort on some of these organizations like business process outsourcing and similar companies where the effort is going to be returned in the furtherance and the spread and access to a disparate number of individual targets that might actually be very fruitful and maybe easier in relation to how to monetize that. So they're putting a lot of effort in into places where, you know, yes, this is one entity, one company, maybe only one specific target in, you know, being able to add their ability to do -- you know, perform SIM swaps. But then once they do that, once they have that piece, now they might have access to another twenty, thirty, or another tool to add to their tool kit that can end up allowing them to leverage other pieces and extremely expand upon what their victimology can be.

Dave Bittner: Hmm.

Kristopher Russo: And I think part of this is because a lot of large cryptocurrency holders are relatively security savvy, so they're not going to fall for a phish directly to them to provide their credentials. So these threat actors really have to find a roundabout way to get to these credentials without actually contacting the end victim. [ Music ] [ Music ]

Dave Bittner: Stephanie, I -- I'm curious what this looks like from an incident response position because it -- you know, it strikes me when -- you have a lot of organizations who have been touched here. How do you approach that side of things?

Stephanie Regan: Yeah. As far as the investigation goes, I mean, really getting a thorough understanding of where they're at, where they have hooks in, what their persistence mechanisms are and very quickly are -- is going to be the priority. A lot of times what we're seeing is, in these big, complex environments, when they don't have IR playbooks in play already and they don't critical action plans, you know, things like global resets when you have a thousand, two thousand, even, you know, tens of thousands of employees, tends to be very difficult. You know, things like sessions, certificates, tokens -- all of those things need to be able to be reset in a global manner very quickly or it's going to be a whack-a-mole throughout these environments. So that's one of the things that we really look to of, you know, elevating our -- our current customers. You know, we have a whole proactive service line, and that's one of the things we really emphasize in being able to take those proactive measures to have that incident response playbook in hand where, you know, when you have a mature threat actor like this in your environment, you're going to have to take those things very quickly. You know, having access to user behavior logs. You know, can you actually see unusual logins and possible travel? MFA device enrollments because one of the things that they're going to do is continuously add and change where those MFAs are being redirected. Can you spot those things very easily and very quickly? You know, having awareness training with your users is extremely advantageous. You know, do users understand what phish -- phishing looks like, and smishing looks like these days? And the sophistication that that has brough, especially with this 0ktapus phishing kit, in relation to, you know, we used to be able to tell with typos and, you know, misnomers and weird language and things like that. It used to be really easy to spot a phish, and it's becoming less and less so. You know, things like the help desk. We're seeing a lot of, you know, calls to the help desk. They sound very legitimate. They've done reconnaissance so they're able to know, all right, I need to know the supervisor name. I need to know where I'm at in the chain of command and which business unit I'm a part of and maybe my personal email. You know, they already are able to collect those things so when they call the help desk they already have it. So taking things that we see and -- and really securing those mechanisms and really thinking hard about -- where's that data? If a basic user in your environment has an email compromise, can all of the help desk information that they might need be readily available at their fingertips to be able to reset all users within the account. I think, you know, supervisor is one of those common ones. If you just have to do a supervisor name, a lot of organizations within their email platforms, you can just see who the chain of command is and where they might actually sit and what name they might need to provide. So in relation to that, too, we see a lot of initial access broker usage as well, and things like dark web monitoring. You know, if you have creden -- credentials that are sitting out there in -- in the world and in the environment that can be readily used by different threat actors, do you have a way of knowing that already, and remediating those things quickly? A lot of the interesting pieces that we've also seen is these threat actors are not afraid of EDR and XDR type tools. We've seen them utilize EDR tools as far as actually dropping them into the environment and using them as lateral movement vectors, but also utilizing your own security stack as a lateral movement piece. A lot of people forget that their EDR tools can do things like live terminal into a remote box. This was one of my -- to me, one of the more interesting things that I saw them doing was, once they were able to get an admin credential, they were logging into the EDR tools. They're looking at what those EDR tools are being used for in the environment. Can they use them for reconnaissance and things like that? But, also, they can be used for lateral movement through that live terminal access capability. You know, does every person that uses your EDR tool in your environment need lateral movement? Most of them can have that lateral movement capability within your security tool disabled for all but that small subset of users that need it. Another interesting piece that we've been seeing with these -- with this threat actor is they love to monitor the IT tickets, love to monitor the internal chat platform. You know, all of those different areas that we think we, as responders, are kind of safely using to be able to remediate the activity is something that they're keeping eyes on. So if you're using, you know, one particular chat platform to -- for your normal course -- course of business and that's what you would use to talk about, hey, we need to go lock down this server, we need to clear these persistent mechanisms out of the environment, you know, they may have eyes on that. So getting outside of our normal bands of communication and having a backup plan for those types of things. How can we communicate between our IT teams and take the actions necessary without always tipping off the threat actor and saying, hey, you know, we're moving over here. We're -- you're going to lose your persistence mechanism so make sure you go make another one, and things like that. So a lot of different things here. Obviously, in multi-factor authentication, while they have ways to get around that, that is an absolute must in here as well to be able to kind of secure and kick out the threat actors.

Dave Bittner: Hmm. Well, based on the information that you've gathered here, I mean, well, what are your recommendations for organizations to best protect themselves? And, Stephanie, you touched on a -- on a number of them. But any specific advice here?

Kristopher Russo: Well, first of all, get rid of SMS.

Dave Bittner: Yeah.

Kristopher Russo: Community has been saying for years that SMS is not a safe way to do two-factor authentication. So it has kind of moved to hardware keys or to some sort of in app authentication method. And that will cut down at least on the SIM swapping angle of this attack.

Stephanie Regan: Absolutely. I -- from that last conversation, the ones I really want to emphasize is that, you know, incident response playbook. You cannot figure out a way to respond to these actors when you're flying the plane. So, you know, having that plan, especially that one for the -- the global password session, certificate, token resets. I see a lot of larger organizations really struggling for that, and that's an area that you can really elevate your ability to respond. And awareness training. You know, again, needing to make sure users, help desk, IT personnel are very keenly aware of the new mechanisms in play and how sophisticated things have become is just crucial. Hardening management assets. You know, targeting those XDR/EDR tools, your VMware, your remote access tooling, anything that's able to kind of take security administration actions within your environment is critically essential. You know, knowing what remote access tools are in the environment and what you can block is going to be extremely powerful when they go in and they -- and a threat actor tries to drop seven other remote access tools. If you're blocking them, the threat becomes very low. And just overall asset posturing, too. I think something I didn't talk about is, you know, utilizing things like device certificates, custom registry keys, you know, existence of EDR tools, all of those different kind of factors as HIP checks for VPNs and securing that VPN and any remote connections, especially with our disparate work forces these days, you know, is extremely useful in being able to help prevent and protect against these. But going back to that passive reset, token, and certificate reset, all of those things that you're using in the HIP check if they know they are trying to compromise your environment and are able to identify those things, they're going to go after them. So if we put them in place, how can we change them? How can we change them and know they're only being implemented into our infrastructure, and not, hey, we're resetting all certificates, but that certificate is getting pushed to a threat actor endpoint and things like that, are all mechanisms that we need to be thinking about and elevating ourselves with how we can respond and protect ourselves even beforehand.

Dave Bittner: You know, this research really strikes me as -- as almost a case study, like a greatest hits of -- of things, you know, you need to be looking out for. I -- I -- I could imagine using this as the foundation for a presentation to a board of directors or -- or another group who -- who needs to see the breadth of -- of what folks in the security side are up against here and this really touches on so many different areas.

Stephanie Regan: Yeah. Absolutely. I think one of those areas that we, as security providers, also always are really struggling with is, you know, how do we get that C-suite and above onboard with what we need and what we're seeing in the environment? This is a great threat actor group and both publication, research, case study, to be able to use and kind of lean on in relation to, you know, these are the things that they're seeing. These are the things that we don't need to just have one layer of protection for. We have to actually have that depth and breadth security and response mechanisms. So it is a great one to -- to take some bullet points away and really use as a -- a flag in the sand of hey, looky here. These are some actions that we could take and this is the reason why, because it is actively being utilized in the threat landscape today, and very prolifically.

Kristopher Russo: I think the bottom line is groups like Muddled Libra are not using super advanced techniques or, you know, the latest and greatest tools. What they're using is a targeting and a knowledge of, oftentimes, your weakest security link. And that's the human. So if there's a takeaway, it is to definitely help strengthen your human element, to make sure that your employees know what to look for when they're being attacked, and ensuring on the back end that you're monitoring for unusual behavior in your environment from employees that wouldn't normally do that, and then responding immediately and quickly, ideally with automation. 

Dave Bittner: Our thanks to Kristopher Russo and Stephanie Regan from Palo Alto Networks Unit 42 for joining us. We'll have a link to their Threat Group Assessment on Muddled Libra in our shownotes. [ Music ] [ Music ] The Cyberwire "Research Saturday" podcast is a production of N2K Networks, proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our Mixer is Elliott Peltzman. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.