The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments to steal sensitive data.
“Organizations typically store various data in SaaS applications and use CSP services,” Palo Alto Networks Unit 42 said in a report released last week.
“Threat actors are already trying to exploit some of this data to assist in the progression of their attacks and for use in ransomware when trying to monetize their efforts.”
Muddled Libra, also known as Starfraud, UNC3944, Scatter Swine and Scattered Spider, is a notorious cybercriminal organization that uses sophisticated social engineering techniques to gain initial access to target networks.
“Scattered Spider threat actors have historically evaded detection on target networks by using living-off-the-land techniques and allow-listed applications to navigate victim networks, and by frequently modifying their TTPs,” the U.S. government said in an advisory late last year.
Attackers have also profited from gaining access to victim networks in a variety of ways, including extortion through ransomware and data theft.
Unit 42 previously told The Hacker News that the moniker “Muddled Libra” comes from the “confusing, muddled landscape” associated with the 0ktapus phishing kit, which has been used by other threat actors to launch credential harvesting attacks.
A key aspect of the evolution of threat actor tactics is the use of reconnaissance techniques to identify target administrative users while impersonating help desk staff to obtain passwords over the phone.
The reconnaissance phase also extends to Muddled Libra, which conducts extensive research to find information about the applications and cloud service providers used by the target organization.
Security researcher Margaret Zimmermann explained: “In the Okta cross-tenant impersonation attacks that occurred in late July and early August 2023, Muddled Libra bypassed IAM restrictions and demonstrated how the group leverages Okta to access SaaS applications and an organization’s various CSP environments.”
The information gained at this stage can serve as a stepping stone for lateral movement and abuse of administrative credentials to access single sign-on (SSO) portals for rapid access to SaaS applications and cloud infrastructure.
If SSO is not integrated into the target’s CSP, Muddled Libra conducts an extensive discovery campaign to uncover CSP credentials that may be stored in insecure locations to achieve its objectives.
Data stored by the SaaS application is also used to gather detailed information about the compromised environment, capturing as many credentials as possible to expand the scope of the breach through privilege escalation and lateral movement.
“A large part of Muddled Libra’s activities involves gathering intelligence and data,” Zimmermann said.
“The attackers then exploit this to generate new vectors for lateral movement within the environment. Organizations store a variety of data within their unique CSP environments, making these centralized locations prime targets for Muddled Libra.”
Specifically in Amazon Web Services (AWS) and Microsoft Azure, these operations extract data from services such as AWS IAM, Amazon Simple Storage Service (S3), AWS Secrets Manager, Azure storage account access keys, Azure Blob Storage, and Azure Files.
Data exfiltration to external entities occurs through the abuse of legitimate CSP services and functions. This includes tools such as AWS DataSync and AWS Transfer, and a technique using snapshots, which moves stolen data out of an Azure environment by temporarily storing it in a virtual machine.
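As an added defender-side illustration (not code from the Unit 42 report or this article), the following Python check runs over constructed CloudTrail-style records and flags the two AWS behaviours the paragraphs above describe: one principal reading many Secrets Manager secrets in quick succession, and the same principal staging an AWS DataSync or AWS Transfer copy out of the account. The account id, principal ARNs, timestamps and the read threshold are assumptions; the eventSource and eventName values are the real AWS service and API names.

```python
from collections import Counter, defaultdict

# Constructed CloudTrail-style records (not from the article), reduced to the
# fields the check needs. eventSource/eventName are real AWS service and API
# names; the account id, principals and timestamps are made up.
ADMIN = "arn:aws:iam::111122223333:user/sso-admin"
APP = "arn:aws:sts::111122223333:assumed-role/app-role/app-host"

def _ev(t, source, name, who):
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": who}}

SAMPLE_EVENTS = [_ev("2023-08-02T10:00:00Z", "secretsmanager.amazonaws.com", "ListSecrets", ADMIN)]
# Six secrets read back-to-back by the same principal (the "capture as many
# credentials as possible" pattern), versus one routine read by the application.
SAMPLE_EVENTS += [_ev(f"2023-08-02T10:00:{i:02d}Z", "secretsmanager.amazonaws.com",
                      "GetSecretValue", ADMIN) for i in range(1, 7)]
SAMPLE_EVENTS.append(_ev("2023-08-02T10:05:00Z", "secretsmanager.amazonaws.com",
                         "GetSecretValue", APP))
# The same principal then stages a DataSync copy out of the account.
SAMPLE_EVENTS += [_ev("2023-08-02T10:10:00Z", "datasync.amazonaws.com", "CreateLocationS3", ADMIN),
                  _ev("2023-08-02T10:11:00Z", "datasync.amazonaws.com", "CreateTask", ADMIN)]

SECRET_READ_THRESHOLD = 5   # assumed: GetSecretValue calls by one principal in the batch
EXFIL_SETUP = {("datasync.amazonaws.com", "CreateLocationS3"),
               ("datasync.amazonaws.com", "CreateTask"),
               ("datasync.amazonaws.com", "StartTaskExecution"),
               ("transfer.amazonaws.com", "CreateServer")}

def find_suspicious(events, threshold=SECRET_READ_THRESHOLD):
    """Map principal ARN -> list of findings for two behaviours the article
    describes: bulk Secrets Manager reads and DataSync/Transfer exfil staging."""
    secret_reads = Counter()
    findings = defaultdict(list)
    for ev in events:
        who = ev["userIdentity"]["arn"]
        key = (ev["eventSource"], ev["eventName"])
        if key == ("secretsmanager.amazonaws.com", "GetSecretValue"):
            secret_reads[who] += 1
        elif key in EXFIL_SETUP:
            findings[who].append(f"exfil staging: {ev['eventName']} at {ev['eventTime']}")
    for who, n in secret_reads.items():
        if n >= threshold:
            findings[who].append(f"bulk secret reads: {n} GetSecretValue calls")
    return dict(findings)

if __name__ == "__main__":
    for who, notes in find_suspicious(SAMPLE_EVENTS).items():
        print(who, *notes, sep="\n  ")
```

In practice the same logic would be run against CloudTrail delivered to a SIEM, with the threshold tuned to the account's normal Secrets Manager read volume.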
Muddled Libra’s tactical shift requires organizations to secure their identity portals with strong secondary authentication protections such as hardware tokens or biometrics.
“By extending its strategy to include SaaS applications and cloud environments, the evolution of Muddled Libra’s approach demonstrates the diversity of cyberattacks in the modern threat landscape,” Zimmermann concluded. “Exploiting cloud environments to collect large amounts of information and quickly exfiltrate it has brought new challenges for defenders.”
4 Comments
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.