Unit 42

Muddled Libra’s Exploitation of Cloud Services and Identity Portals

Continued expansion of threat activity associated with the Muddled Libra threat group reveals its ability to compromise software-as-a-service (SaaS) applications and cloud service provider (CSP) environments. Unit 42 researchers tracking this advanced social engineering group have uncovered tactics, techniques and procedures (TTPs) in which the actors exploit identity providers such as Okta to orchestrate cross-tenant impersonation attacks. These activities, particularly notable between late July and early August 2023, involved bypassing IAM restrictions to reach SaaS applications and broader CSP environments. Muddled Libra's strategy includes compromising technology administrator accounts through refined help desk social engineering. As Unit 42 notes, "Muddled Libra also performs extensive research to uncover information about what applications are deployed and what CSPs an organization uses," which demonstrates a methodical approach to escalating privileges and expanding reach within targeted organizations. The group's command of effective social engineering schemes enables it to manipulate IT support desks into granting account access. This ability to navigate an organization's Okta Identity Portal has allowed the actors to access, and potentially manipulate, sensitive data across multiple platforms.

Specifically, as it pertains to cloud infrastructure, understanding Muddled Libra's attack patterns on platforms like AWS and Azure is crucial. In AWS environments, Unit 42 observed the threat actors engaging in comprehensive reconnaissance, issuing API calls such as ListUsers, ListGroups, ListRoles, ListSSHPublicKeys and GetSecretValue, among others, to map the environment and identify assets or data of interest. Their tactics include probing IAM details to understand user roles and permissions, sifting through S3 buckets for valuable data, and querying AWS Secrets Manager to retrieve credentials that enable lateral movement and further compromise. Each of these calls is legitimate on its own, which is why the tell is a burst of them from a single principal shortly after an identity-provider login rather than any one API. Such meticulous intelligence gathering allows the actors to structure their attacks more effectively, culminating in data exfiltration through AWS-native functionality, including the AWS DataSync and AWS Transfer services.

Similarly, in Azure environments, Muddled Libra employs a methodical approach. The actors target storage account access keys and scrutinize resource groups to pinpoint critical data repositories. A storage account access key grants full data-plane access to every container and file share in that account regardless of Azure RBAC assignments, which makes key retrieval a high-value step. By abusing Azure Blob Storage and Azure Files with that access, they read and exfiltrate valuable organizational data. Their Azure operations also involve creating snapshots and manipulating virtual machine functionality to stage and exfiltrate data stealthily. Muddled Libra's familiarity with multiple CSPs and SaaS applications exemplifies its technical acumen and underscores why defenders must understand these capabilities.
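As an added example (not Unit 42's code and not tooling the report describes), the following Python normalises AWS CloudTrail records and Azure Activity Log records into one event shape and flags the pattern described in the two sections above: one principal issuing several distinct enumeration calls inside a short window, and any call that stands up a DataSync or Transfer Family path, retrieves a storage account key, or writes a snapshot. The account ID, ARNs, caller and timestamps in the sample records are constructed; the event and operation names are the ones those services actually log. Matching on eventSource together with eventName matters because names collide across services (transfer.amazonaws.com CreateUser is not IAM CreateUser).

```python
"""Detect Muddled Libra-style cloud enumeration and exfil staging.

Added example, not Unit 42 code. Sample records below are constructed: the
account ID, ARNs, caller and timestamps are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# (eventSource, eventName): the enumeration calls named in the report, plus
# the S3 and Secrets Manager listing calls that typically precede them.
AWS_RECON = {
    ("iam.amazonaws.com", "ListUsers"),
    ("iam.amazonaws.com", "ListGroups"),
    ("iam.amazonaws.com", "ListRoles"),
    ("iam.amazonaws.com", "ListSSHPublicKeys"),
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
    ("secretsmanager.amazonaws.com", "ListSecrets"),
    ("s3.amazonaws.com", "ListBuckets"),
}
# DataSync / Transfer Family setup calls; keyed on eventSource as well as
# eventName so that transfer CreateUser is not confused with IAM CreateUser.
AWS_STAGING = {
    ("datasync.amazonaws.com", "CreateLocationS3"),
    ("datasync.amazonaws.com", "CreateTask"),
    ("transfer.amazonaws.com", "CreateServer"),
    ("transfer.amazonaws.com", "CreateUser"),
}
# Azure control-plane operations for access-key retrieval and snapshot creation.
AZURE_STAGING = {
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Compute/snapshots/write",
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize_aws(rec):
    """CloudTrail record -> common event; the (assumed-role) ARN is the principal."""
    ident = rec["userIdentity"]
    return {"cloud": "aws", "time": _ts(rec["eventTime"]),
            "principal": ident.get("arn") or ident.get("principalId"),
            "action": (rec["eventSource"], rec["eventName"])}

def normalize_azure(rec):
    """Activity Log record (flat operationName string form) -> common event."""
    return {"cloud": "azure", "time": _ts(rec["eventTimestamp"]),
            "principal": rec["caller"], "action": rec["operationName"]}

def detect(events, window=timedelta(minutes=30), min_distinct=4):
    """Return (kind, principal, detail) alerts in the order they are raised."""
    alerts, recon = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["cloud"] == "aws" and e["action"] in AWS_STAGING:
            alerts.append(("exfil_staging", e["principal"], e["action"][1]))
        elif e["cloud"] == "azure" and e["action"] in AZURE_STAGING:
            alerts.append(("exfil_staging", e["principal"], e["action"]))
        elif e["cloud"] == "aws" and e["action"] in AWS_RECON:
            recon[e["principal"]].append(e)
    for principal, calls in recon.items():
        # Sliding window: largest set of distinct enumeration APIs inside `window`.
        best, start = set(), 0
        for end in range(len(calls)):
            while calls[end]["time"] - calls[start]["time"] > window:
                start += 1
            distinct = {c["action"][1] for c in calls[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= min_distinct:
            alerts.append(("recon_burst", principal, sorted(best)))
    return alerts

# ---- constructed sample telemetry (invented identities and times) ----
ADMIN_ARN = "arn:aws:sts::111122223333:assumed-role/OktaAdmin/hypothetical.user"
AUDITOR_ARN = "arn:aws:iam::111122223333:user/hypothetical-auditor"
AZ_CALLER = "hypothetical.user@example.com"

def _aws(t, source, name, arn=ADMIN_ARN):
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole", "arn": arn}}

SAMPLE_AWS = [
    _aws("2023-08-01T09:00:00Z", "iam.amazonaws.com", "ListUsers"),
    _aws("2023-08-01T09:02:00Z", "iam.amazonaws.com", "ListGroups"),
    _aws("2023-08-01T09:03:00Z", "iam.amazonaws.com", "ListRoles"),
    _aws("2023-08-01T09:05:00Z", "iam.amazonaws.com", "ListSSHPublicKeys"),
    _aws("2023-08-01T09:09:00Z", "secretsmanager.amazonaws.com", "GetSecretValue"),
    _aws("2023-08-01T09:30:00Z", "datasync.amazonaws.com", "CreateTask"),
    _aws("2023-08-01T09:15:00Z", "iam.amazonaws.com", "ListUsers", AUDITOR_ARN),  # benign, single call
]
SAMPLE_AZURE = [
    {"eventTimestamp": "2023-08-01T10:00:00Z", "caller": AZ_CALLER,
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action"},
    {"eventTimestamp": "2023-08-01T10:04:00Z", "caller": AZ_CALLER,
     "operationName": "Microsoft.Compute/snapshots/write"},
]

def run_sample():
    events = [normalize_aws(r) for r in SAMPLE_AWS] + [normalize_azure(r) for r in SAMPLE_AZURE]
    return detect(events)

if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

Run against the constructed records, the admin role trips a recon_burst (five distinct enumeration APIs in nine minutes) and a DataSync staging alert, the Azure caller trips two staging alerts, and the auditor's lone ListUsers is ignored. The window and threshold are starting points; tune them against a baseline of your own CI/CD and audit principals before alerting on them.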

Unit 42's ongoing analysis establishes Muddled Libra as a formidable cyber threat group that combines sophisticated social engineering with strong technical skill to exploit SaaS applications and cloud environments such as AWS and Azure. Its impersonation attacks, such as bypassing IAM restrictions via compromised Okta accounts, underscore a methodical approach. Prior Unit 42 reporting documented the expansive scope of the group's campaign against organizations in the financial, hospitality and technology sectors. The group's adaptability in overcoming defensive measures, evidenced by its use of over 200 realistic fake authentication portals and its deep understanding of incident response protocols, highlights its capability to maintain a presence within compromised environments. Unit 42 tracks Muddled Libra as a distinct entity, separate from groups with which it potentially overlaps, such as 0ktapus, Scattered Spider and Scatter Swine.

