A recent report from Palo Alto Networks Unit 42 reveals the activities of the Muddled Libra cybercrime group, which is targeting companies in the cloud computing and cloud service provider industry in an attempt to steal sensitive information.
The attackers are focusing on extracting data from Software-as-a-Service (SaaS) and Cloud Service Provider (CSP) platforms, utilizing the stolen information for further cyber attacks and extortion. The group employs sophisticated social engineering techniques to infiltrate the networks of their targets.
Muddled Libra is adept at evading detection by continuously adapting its methods and techniques to each victim network. Its tactics include data theft and extortion, with a particular focus on targeting administrative users and posing as technical support to obtain their passwords.
One notable aspect of Muddled Libra’s tactics is its intelligence gathering, which involves a detailed analysis of the target organization’s applications and cloud services. Last year, the group managed to bypass Identity and Access Management (IAM) restrictions to access the Okta service, allowing it to penetrate various organizations’ SaaS applications and cloud infrastructure.
If an organization’s cloud platform does not support Single Sign-On (SSO) integration, Muddled Libra will diligently search for CSP account data, often stored in vulnerable locations. Their ultimate goal is to gain access to key cloud services such as Amazon Web Services (AWS) and Microsoft Azure.
By leveraging CSP services such as AWS DataSync and AWS Transfer, as well as creating snapshots to move data within Azure, Muddled Libra efficiently collects valuable information from its targets.
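As an added example (not from the Unit 42 report), the following CloudTrail triage rule flags use of the data-movement services named above by identities outside an expected baseline; the account number, role and user names, and log records are constructed.

```python
import json

# CloudTrail eventSource/eventName pairs for the data-movement services the
# report names (AWS DataSync, AWS Transfer) plus EC2 snapshot creation and
# sharing, the AWS counterpart of the Azure snapshot technique.
WATCHED_EVENTS = {
    "datasync.amazonaws.com": {"CreateLocationS3", "CreateTask", "StartTaskExecution"},
    "transfer.amazonaws.com": {"CreateServer", "CreateUser"},
    "ec2.amazonaws.com": {"CreateSnapshot", "ModifySnapshotAttribute"},
}

# Constructed sample CloudTrail records (newline-delimited JSON); account
# number, role and user names are placeholders, not values from the report.
SAMPLE_LOG = """
{"eventSource": "datasync.amazonaws.com", "eventName": "CreateTask", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/BackupRole"}, "sourceIPAddress": "10.0.5.12"}
{"eventSource": "datasync.amazonaws.com", "eventName": "CreateLocationS3", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/helpdesk-admin"}, "sourceIPAddress": "198.51.100.23"}
{"eventSource": "transfer.amazonaws.com", "eventName": "CreateServer", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/helpdesk-admin"}, "sourceIPAddress": "198.51.100.23"}
{"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/helpdesk-admin"}, "sourceIPAddress": "198.51.100.23"}
{"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/helpdesk-admin"}, "sourceIPAddress": "198.51.100.23"}
"""

# Identities that legitimately use each service: a baseline an operator would
# build from normal activity (hypothetical here).
EXPECTED_PRINCIPALS = {
    "datasync.amazonaws.com": {"arn:aws:iam::111122223333:role/BackupRole"},
}

def load_records(text):
    """Parse newline-delimited JSON CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_data_movement(records, expected_principals):
    """Return (eventSource, eventName, arn, sourceIPAddress) for each watched
    event performed by an identity outside the expected set for that service."""
    findings = []
    for rec in records:
        source = rec.get("eventSource", "")
        name = rec.get("eventName", "")
        if name not in WATCHED_EVENTS.get(source, ()):
            continue  # not a data-movement or snapshot-sharing call
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        if arn in expected_principals.get(source, ()):
            continue  # identity is part of the normal baseline for this service
        findings.append((source, name, arn, rec.get("sourceIPAddress", "")))
    return findings

if __name__ == "__main__":
    for finding in flag_data_movement(load_records(SAMPLE_LOG), EXPECTED_PRINCIPALS):
        print("ALERT:", *finding)
```

On the constructed log the rule passes the baseline backup role and flags the three DataSync, Transfer and snapshot-sharing calls made by the helpdesk-admin user, while ignoring the unrelated DescribeInstances call.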
To mitigate the risks posed by groups like Muddled Libra, organizations are advised to implement additional authentication measures such as hardware tokens or biometrics to enhance security on their cloud platforms.