Threat Vector 8.24.23
Ep 3 | 8.24.23

Exposing Muddled Libra's meticulous tactics with Incident Responder Stephanie Regan


Stephanie Regan: It's not always possible from an investigative side to be able to tell whether AI is used, and honestly, it's not always our goal. We're really focused on ejecting the threat actor from the environment and getting our clients back up and running.

David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. In today's episode, I'm going to talk with Stephanie Regan, a Senior Consultant with Unit 42. Stephanie started her career in law enforcement and now specializes in compromise assessment and incident response. In our last episode, I spoke with Chris Russo, a Senior Threat Researcher with Unit 42 focused on ransomware and cybercrime, about Muddled Libra. Chris painted a picture of a determined and dangerous adversary. Today I want to talk with Stephanie to hear her insights and advice when it comes to responding to an attack from Muddled Libra and groups like them. To kick us off, can you share the number of matters that you've been involved with when it comes to Muddled Libra?

Stephanie Regan: Yeah, my numbers are likely a little higher since we're not always confident on attribution. However, I've definitely worked at least a half dozen cases with Muddled Libra.

David Moulton: And can you share a detail or an insight from a matter that really sticks out to you?

Stephanie Regan: One of the things that really sticks out to me about Muddled Libra cases has been the reconnaissance portion of the investigation. A lot of the time we see threat actors doing a really light reconnaissance, trying to figure out where they're at in the environment and how they can navigate. I've seen them deep-dive the how-to and the technical docs. They're really trying to get a really deep understanding of the environment and how to connect and change their level of persistence as well as further their access into the environment.

David Moulton: So Chris mentioned that this group is prolific when it comes to use of phishing kits and social engineering. What are some of the ways that you've seen success in combating these approaches?

Stephanie Regan: These approaches are really successful because they're focused on that human factor. People are focused on their jobs, getting their jobs accomplished. MFA is a huge must, and moving towards more secure methods of MFA, getting away from using SMS for our multifactor authentication, really thinking about where your data is stored when it comes to help desk information. We've seen phishing and spoofing of help desk personnel, so really thinking critically about where the information is that the user might use to reset their password through the help desk. One of the things that we've talked about that they use a lot is domain typosquatting and also buying access from initial access brokers. Things like dark web and domain monitoring can also help in these situations, to help you know quickly when credentials might be available on the dark web or when you have certain things like mistyped domains and slightly misconfigured domain URLs that have been registered and created to spoof your sites.

David Moulton: Stephanie, tell our listeners what it takes to help a client recover from one of these attacks.

Stephanie Regan: Especially with a Muddled Libra attack, I think moving quickly to understand the level of persistence that has been attained at the time of detection is really important. IR playbooks are essential, knowing the actions that you're going to need to take before you're in the emergency environment. Password resets, asset resets, those have to have a plan around them, because when you're in large environments and you're trying to reset passwords for thousands of users, that's very difficult. It's going to be kind of that whack-a-mole game: you keep kicking them out of one account, but they can use another one to get right back in. Another crucial piece with Muddled Libra and many threat actors today is getting to out-of-band comms very quickly as well. A lot of threat actors, including Muddled Libra, like to sit on and listen to whatever your chat platform of choice is, trying to understand what actions the IT team and maybe the investigators are taking. Getting out of band and being able to really coordinate your approach quickly to get your environment reset is very important.

David Moulton: Final question for you. Do you expect that there'll be copycat groups out there that take Muddled Libra's playbook and use it, expand on it?

Stephanie Regan: I think that the idea of copycats is an interesting one in this era of cyber. Being able to see the success of Muddled Libra and other groups like them and have enough information about them to be able to copy, definitely I can see people doing that. However, one of the things to keep in mind is that we hear a lot about RaaS, ransomware as a service, initial access brokers, and things like that. So we're seeing a lot of blending of TTPs, IOCs, indicators, but also, as far as that goes, things that look like the same threat actor that might be slightly different because they're sharing resources and have really become this complex marketplace today.

David Moulton: Stephanie, thanks for joining me today on "Threat Vector" and for sharing your insights and experience defending against Muddled Libra. If you're interested in reading more about this threat actor group, visit the Unit 42 Threat Research Center and look for the threat group assessment on Muddled Libra. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure. Stay vigilant. Goodbye for now.