Threat Vector 8.10.23
Ep 2 | 8.10.23

Exposing Muddled Libra's meticulous tactics with senior researcher Kristopher Russo
Kristopher Russo: Your biggest threat is probably not nation states, or APTs or whatever the latest zero-day vulnerability is. Your biggest threat is likely a highly motivated and determined attacker. One that knows where you keep your organization's crown jewels.

David Moulton: Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants, dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42.

David Moulton: Today's episode is Part 1 of the story about Muddled Libra, a methodical group that poses a significant threat to industries like telecommunication, technology and software animation. Today's guest is Kristopher Russo. Kris is a Senior Threat Researcher with Unit 42. Talk to our guests a little bit about how you got into cybersecurity.

Kristopher Russo: Sure. So, I've been doing cybersecurity for many years now, and really what drew me to it was this insatiable appetite for just ruining bad guys' days. I love technology, and I love the way it can be used to improve people's lives, and at the same time, we've seen people take those same technologies, and use them to hurt people and destroy those lives. And so really, what I am here for, is to help put a stop to that.

David Moulton: Kris, in mid-June, you were the lead author on a threat group assessment for Unit 42 on the threat actor group, Muddled Libra. For listeners not familiar with Muddled Libra, can you give us a snapshot of the group, and maybe actually how it is different than Scattered Spider?

Kristopher Russo: Yeah, and most of my listeners have probably heard about Scattered Spider, or Scattered Swine, or Octopus, as they've been known. The commonality which binds all of these threat groups together is the use of the Octopus Phishing Kit. The Octopus Phishing Kit is a one-stop shop for quickly and easily constructing smishing pages, used to steal OTP codes from victims. What we found is that there are a number of actors using that phishing kit, and they've all been grouped together, and I think it's important to carve out what is arguably the most dangerous of those groups. We defined Muddled Libra as having several hallmarks unique to them, and these include the focus on outsourcing firms for attack, particularly with firms that have access to downstream, high-value cryptocurrency holders. We see them use legitimate persistence tools by trusted vendors to kind of fly under the radar in the environment, and probably most importantly, the type of data that they're after is very specific, and they are very thorough in finding it.

David Moulton: Can you share what defenders should be on the lookout for with Muddled Libra?

Kristopher Russo: First and foremost, the hallmark of this threat actor is the use of the Octopus Phishing Kit. And they use that to create lookalike authentication pages, and then contact victims to socially engineer them into going to these pages, and divulging their credentials. So we see the favorite lures of this group impersonating the organization's Help Desk, or warning the victim of work schedule changes. Anything kind of high priority, to get the victim to click through, and go to this phishing page. Once authenticated, this attacker will look to establish persistence in the environment by using commercial remote management tools. Now, what's unique with this threat actor is they'll often use many of these tools in one environment, to make sure that if one is identified, they can still maintain that persistence. After establishing a beachhead, this attacker will use standard penetration testing techniques and tools to elevate their access, explore the network, move laterally, and identify the information that they're after. This is likely where defenders will notice the activity. There is also an opportunity to find this activity when seeing large transfers via SSH out of the environment, or unusual transfers to commercial data-sharing websites.

David Moulton: In your article, you and your co-authors detailed an extensive number of conclusions and mitigations. What I want to hear from you about is the most urgent recommendations you would share.

Kristopher Russo: First of all, know your environment and know your users, so that you can see when anomalies happen in your environment. There are lots of good ways and good tools to do this, but what is important is that you can identify things that are abnormal. Train your users and your Help Desk to be on the lookout for unusual requests for authentication, for modification of MFA safeguards that could be adding a new mobile phone, or unenrolling an application. Use intelligent security automation that monitors and remediates anomalies on the fly in the environment to detect attacks early and stop them before damage can be done. And finally, practice good security hygiene, by identifying where your important data is in your environment, and protecting that sensitive data with additional controls, and making sure that only the folks that need access to it can access it.

David Moulton: Kris, thanks for joining me today on Threat Vector, and for talking about the threat group assessment research that you've done on Muddled Libra. We will be back on the Cyberwire Daily in two weeks, with the second part of our look at Muddled Libra, with Stephanie Reagan. Stephanie will share her insights and advice for fellow incident responders working to defend against Muddled Libra, and attackers like them. Until then, stay secure, stay vigilant, goodbye for now.