A threat actor known as Muddled Libra is targeting the business process outsourcing (BPO) industry with persistent attacks that leverage advanced social engineering tactics to gain initial access.
“The attack style that defined Muddled Libra hit the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit, which offers a prebuilt hosting framework and bundled templates,” Palo Alto Networks Unit 42 said in a technical report.
Libra is the designation the cybersecurity company assigns to cybercrime groups. The “muddled” moniker for this threat actor stems from the prevailing ambiguity around who uses the 0ktapus framework.
0ktapus, also known as Scatter Swine, refers to a collection of intrusions that were first revealed in August 2022 in connection with smishing attacks against more than 100 organizations, including Twilio and Cloudflare.
Then in late 2022, CrowdStrike detailed a series of cyber attacks aimed at telecom companies and BPOs since at least June 2022, carried out through a combination of credential phishing and SIM swap attacks. This cluster has been tracked under the names Roasted 0ktapus, Scattered Spider, and UNC3944.
“Unit 42 decided to name it Muddled Libra because of the confusing chaotic landscape associated with the 0ktapus phishing kit,” senior threat researcher Kristopher Russo told The Hacker News.
“As this kit is now widely available, many other threat actors are adding it to their arsenal. Using the 0ktapus phishing kit alone does not necessarily classify the threat actor as what Unit 42 calls Muddled Libra.”
The e-crime group’s attacks start with smishing and the 0ktapus phishing kit to establish initial access, and usually end with data theft and long-term persistence.
Another distinctive feature is the use of compromised infrastructure and stolen data in downstream attacks on the victim’s customers, and in some cases even targeting the same victim repeatedly to refresh their data set.
Unit 42, which investigated more than half a dozen Muddled Libra incidents between June 2022 and early 2023, characterizes the group as persistent and “methodical in pursuing their goals and very flexible with their attack strategy”, quickly changing tactics when faced with roadblocks.
In addition to relying on various legitimate remote management tools to maintain persistent access, Muddled Libra has been known to tamper with endpoint security solutions to evade defenses and to abuse multi-factor authentication (MFA) notification fatigue tactics to steal credentials.
The threat actors have also been observed gathering lists of employees, job roles, and cell phone numbers to carry out rapid MFA bombing attacks. If this approach fails, the Muddled Libra actor contacts the organization’s help desk, impersonating the victim, to register a new MFA device under their control.
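The two steps described above, a burst of rejected or unanswered MFA push prompts followed shortly by the enrollment of a new factor, leave a recognizable trail in identity-provider logs. The following detection sketch is an added example written for this article, not code from Unit 42 or from the report; the log format, event names (`mfa.push`, `mfa.factor.enroll`), result values, and thresholds are assumptions constructed for the illustration, and real identity providers use their own schemas.

```python
"""Detection sketch: MFA push bombing followed by new-factor enrollment.

Added example for this article, not from the Unit 42 report. The log
format, event names, result values and thresholds below are assumptions;
adapt them to the identity provider's actual schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, event, result (one per line).
# alice receives five rejected/timed-out pushes in ~2 minutes, approves the
# sixth, then enrolls a new factor 17 minutes later; bob and carol are benign.
SAMPLE_LOG = """\
2023-01-10T08:01:02Z alice mfa.push DENIED
2023-01-10T08:01:31Z alice mfa.push DENIED
2023-01-10T08:02:05Z alice mfa.push TIMEOUT
2023-01-10T08:02:40Z alice mfa.push DENIED
2023-01-10T08:03:10Z alice mfa.push DENIED
2023-01-10T08:03:55Z alice mfa.push APPROVED
2023-01-10T08:20:12Z alice mfa.factor.enroll SUCCESS
2023-01-10T09:00:00Z bob mfa.push APPROVED
2023-01-10T12:00:00Z carol mfa.push DENIED
2023-01-10T15:00:00Z carol mfa.push APPROVED
"""

PUSH_THRESHOLD = 4                  # rejected/unanswered pushes that count as a burst
PUSH_WINDOW = timedelta(minutes=10)  # sliding window for the burst
ENROLL_WINDOW = timedelta(hours=24)  # how long after a burst an enrollment is suspicious
REJECTED = ("DENIED", "TIMEOUT")


def parse_log(text):
    """Parse the constructed whitespace-separated format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def detect_push_bombing(events):
    """Return {user: burst_start} for users with >= PUSH_THRESHOLD rejected
    or timed-out pushes inside any PUSH_WINDOW-long sliding window."""
    per_user = defaultdict(list)
    for ts, user, event, result in events:
        if event == "mfa.push" and result in REJECTED:
            per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until it fits inside PUSH_WINDOW
            while times[end] - times[start] > PUSH_WINDOW:
                start += 1
            if end - start + 1 >= PUSH_THRESHOLD:
                flagged[user] = times[start]
                break
    return flagged


def detect_enroll_after_bombing(events, bursts):
    """Return users who successfully enrolled a new MFA factor within
    ENROLL_WINDOW after the start of a detected push burst."""
    suspicious = set()
    for ts, user, event, result in events:
        if event == "mfa.factor.enroll" and result == "SUCCESS" and user in bursts:
            if timedelta(0) <= ts - bursts[user] <= ENROLL_WINDOW:
                suspicious.add(user)
    return suspicious


def run(text=SAMPLE_LOG):
    """Run both detections over a log; returns (bursts, enrollments)."""
    events = parse_log(text)
    bursts = detect_push_bombing(events)
    return bursts, detect_enroll_after_bombing(events, bursts)


if __name__ == "__main__":
    bursts, enrollments = run()
    for user, when in bursts.items():
        print(f"push bombing: {user} starting {when.isoformat()}Z")
    for user in enrollments:
        print(f"new factor enrolled after push bombing: {user}")
```

The first rule alone is noisy (a user who fat-fingers a few prompts will trip it), so the second rule correlates the burst with a subsequent factor enrollment, which is the step the help-desk impersonation described above is meant to achieve; in practice the enrollment event is also worth joining against help-desk ticket data.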
“Muddled Libra’s social engineering success is noteworthy,” the researchers said. “In many of our cases, the group demonstrated an unusually high level of comfort by engaging support staff and other employees over the phone, convincing them to engage in unsafe conduct.”
Also used in the attacks were credential-stealing tools such as Mimikatz and Raccoon Stealer to elevate access, as well as other scanners to facilitate network discovery and ultimately extract data from Confluence, Jira, Git, Elastic, Microsoft 365, and internal messaging platforms.
Unit 42 theorized that the creator of the 0ktapus phishing kit did not have the same advanced capabilities as Muddled Libra, adding that there was no definitive link between the actor and UNC3944 despite the overlapping tradecraft.
“At the crossroads of devious social engineering and agile technological adaptation stands Muddled Libra,” the researchers said. “They are proficient in multiple security disciplines, able to thrive in relatively secure environments and execute swiftly to complete devastating attack chains.”
“With deep knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defense.”