The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in an attempt to exfiltrate sensitive data.
“Organizations often store a variety of data in SaaS applications and use services from CSPs,” Palo Alto Networks Unit 42 said in a report released last week.
“Threat actors have begun attempting to exploit some of this data to assist in attack progression and to use it for extortion purposes when trying to monetize their work.”
Muddled Libra, also called Starfraud, UNC3944, Scatter Swine, and Scattered Spider, is a notorious cybercriminal group that has leveraged sophisticated social engineering techniques to gain initial access to targeted networks.
“Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs,” the US government said in an advisory late last year.
Attackers also have a history of monetizing access to victims’ networks in numerous ways, including ransomware-enabled extortion and data theft.
Unit 42 previously told The Hacker News that the nickname “Muddled Libra” comes from the “muddled and confusing landscape” associated with the 0ktapus phishing kit, which has been used by other threat actors to mount credential harvesting attacks.
A key aspect of the threat actor’s tactical evolution is the use of reconnaissance to identify administrative users to target; the group then poses as helpdesk staff and calls those users to obtain their passwords.
Muddled Libra’s reconnaissance also extends to the target’s technology stack: the group performs extensive research to find out which applications and cloud providers the organization uses.
“The Okta cross-tenant impersonation attacks from late July to early August 2023, in which Muddled Libra bypassed IAM restrictions, show how the group leverages Okta to access a company’s SaaS applications and various CSP environments,” explained security researcher Margaret Zimmermann.
The information obtained in this phase serves as a springboard to drive lateral movement, abusing administrator credentials to access Single Sign-On (SSO) portals to gain quick access to SaaS applications and cloud infrastructure.
In the event that SSO is not integrated into a target’s CSP, Muddled Libra undertakes extensive discovery efforts to uncover CSP credentials, likely stored in unsecured locations, to achieve its goals.
Data stored in SaaS applications is also mined for details about the compromised environment, with the group capturing as many credentials as possible to broaden the scope of the breach through privilege escalation and lateral movement.
“Much of Muddled Libra’s campaigns involve gathering information and data,” Zimmermann said.
“Attackers then use it to generate new vectors for lateral movement within an environment. Organizations store a variety of data within their unique CSP environments, thus making these centralized locations a prime target for Muddled Libra.”
These activities focus on Amazon Web Services (AWS) and Microsoft Azure, specifically on services such as AWS IAM, Amazon Simple Storage Service (S3), AWS Secrets Manager, Azure Storage Account Access Keys, Azure Blob Storage, and Azure Files, from which the relevant data is extracted.
Data exfiltration to an external destination is achieved by abusing legitimate CSP services and features. This includes tools such as AWS DataSync and AWS Transfer, and a snapshot technique that moves data out of an Azure environment by staging the stolen data in a virtual machine.
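The two preceding paragraphs name the data stores the group reads from (Secrets Manager among them) and the native services it uses to move data out (AWS DataSync, AWS Transfer). From a defender's side, both leave management-plane events in CloudTrail. The following is an added example, not code from the article or from Unit 42: it runs two simple rules over a constructed CloudTrail-format log, flagging a single principal that reads many distinct secrets in a short window, and any creation of DataSync or Transfer resources. The ARNs, account number, timestamps, secret names and thresholds are all invented for the sample.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- Constructed sample data (not real telemetry) -------------------------
# Field names follow the CloudTrail record format; every value is invented.
ADMIN = "arn:aws:sts::111111111111:assumed-role/AdminRole/helpdesk-session"  # hypothetical
DEPLOY = "arn:aws:iam::111111111111:user/deploy-bot"                         # hypothetical


def _ev(minute, arn, source, name, params=None):
    """Build one minimal CloudTrail-style record at 10:<minute> UTC."""
    return {
        "eventTime": f"2023-08-01T10:{minute:02d}:00Z",
        "userIdentity": {"arn": arn},
        "eventSource": source,
        "eventName": name,
        "requestParameters": params or {},
    }


SAMPLE_LOG = json.dumps({"Records": [
    # A normal service account reading the one secret it needs.
    _ev(0, DEPLOY, "secretsmanager.amazonaws.com", "GetSecretValue", {"secretId": "prod/db"}),
    # A freshly obtained admin session sweeping seven different secrets in seven minutes ...
    *[_ev(m, ADMIN, "secretsmanager.amazonaws.com", "GetSecretValue", {"secretId": f"prod/app{m}"})
      for m in range(1, 8)],
    # ... enumerating storage, then standing up a DataSync task.
    _ev(9, ADMIN, "s3.amazonaws.com", "ListBuckets"),
    _ev(12, ADMIN, "datasync.amazonaws.com", "CreateLocationS3"),
    _ev(13, ADMIN, "datasync.amazonaws.com", "CreateTask"),
    _ev(15, ADMIN, "datasync.amazonaws.com", "StartTaskExecution"),
]})

# --- Detection rules --------------------------------------------------------
SECRET_READ_THRESHOLD = 5            # distinct secrets read by one principal (assumed tuning value)
SECRET_READ_WINDOW = timedelta(minutes=10)

# Management events that set up the exfil channels named in the report.
EXFIL_STAGING_EVENTS = {
    ("datasync.amazonaws.com", "CreateLocationS3"),
    ("datasync.amazonaws.com", "CreateTask"),
    ("datasync.amazonaws.com", "StartTaskExecution"),
    ("transfer.amazonaws.com", "CreateServer"),
}


def parse_cloudtrail(raw):
    """Reduce CloudTrail JSON to the handful of fields the rules consume."""
    events = []
    for r in json.loads(raw)["Records"]:
        events.append({
            "time": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "principal": r.get("userIdentity", {}).get("arn", "<unknown>"),
            "source": r["eventSource"],
            "name": r["eventName"],
            "params": r.get("requestParameters") or {},
        })
    return events


def detect_secret_harvest(events, threshold=SECRET_READ_THRESHOLD, window=SECRET_READ_WINDOW):
    """Flag any principal that reads >= threshold distinct secrets inside one sliding window."""
    reads = defaultdict(list)
    for e in events:
        if e["source"] == "secretsmanager.amazonaws.com" and e["name"] == "GetSecretValue":
            reads[e["principal"]].append((e["time"], e["params"].get("secretId")))
    findings = []
    for principal, items in reads.items():
        items.sort(key=lambda x: x[0])
        for i, (start, _) in enumerate(items):
            distinct = {s for t, s in items[i:] if s and t - start <= window}
            if len(distinct) >= threshold:
                findings.append({"rule": "secrets_manager_harvest", "principal": principal,
                                 "count": len(distinct), "start": start.isoformat()})
                break  # one finding per principal is enough
    return findings


def detect_exfil_staging(events):
    """Flag creation or start of DataSync/Transfer resources by any principal."""
    return [{"rule": "csp_exfil_service_setup", "principal": e["principal"],
             "event": f"{e['source']}:{e['name']}", "time": e["time"].isoformat()}
            for e in events if (e["source"], e["name"]) in EXFIL_STAGING_EVENTS]


def analyze(raw):
    events = parse_cloudtrail(raw)
    return detect_secret_harvest(events) + detect_exfil_staging(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The threshold and window are starting points to tune against your own baseline; in most estates DataSync and Transfer resource creation is rare enough that the second rule can simply be reviewed on every hit, and the first is most useful when correlated with a recent helpdesk password reset or a new MFA enrollment on the same principal.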
Muddled Libra’s tactical shift requires organizations to secure their identity portals with robust secondary authentication protections such as hardware tokens or biometrics.
“By expanding its tactics to include SaaS applications and cloud environments, the evolution of Muddled Libra’s methodology shows the multidimensionality of cyber attacks in the modern threat landscape,” Zimmermann concluded. “Using cloud environments to collect large amounts of information and extract it quickly poses new challenges for defenders.”