Cybercrime Group ‘Muddled Libra’ Targets BPO Sector with Advanced Social Engineering

June 23, 2023 | Ravi Lakshmanan | Social Engineering / Phishing


The threat actor known as Muddled Libra is targeting the business process outsourcing (BPO) industry with persistent attacks that rely on sophisticated social engineering to gain initial access.

"The attack style that defines Muddled Libra appeared on the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit, which offered a pre-built hosting framework and bundled templates," Palo Alto Networks' Unit 42 said in a technical report.

Libra is the designation the cybersecurity firm gives to cybercrime groups. The "muddled" moniker for this threat actor stems from the widespread ambiguity surrounding its use of the 0ktapus framework.

0ktapus, also known as Scatter Swine, refers to an intrusion set first disclosed in August 2022 in connection with SMS phishing (smishing) attacks against more than 100 organizations, including Twilio and Cloudflare.


In late 2022, CrowdStrike detailed a series of cyberattacks against telecom and BPO companies that, since at least June 2022, have combined credential phishing with SIM-swapping attacks. That cluster is tracked under the names Roasted 0ktapus, Scattered Spider, and UNC3944.

"Unit 42 decided to name it Muddled Libra because of the confusion surrounding the 0ktapus phishing kit," senior threat researcher Kristopher Russo told The Hacker News.

"Since this kit is now widely available, many other attackers have added it to their arsenal. Using the kit alone does not classify an attacker as Libra."

The e-crime group's attacks begin with smishing and the 0ktapus phishing kit to establish initial access, and typically end in data theft and long-term persistence.

Another distinctive trait is the use of compromised infrastructure and stolen data in downstream attacks against the victim's customers, sometimes returning to the same victim repeatedly to refresh the stolen dataset.

Unit 42, which investigated more than six Muddled Libra incidents between June 2022 and early 2023, described the group as tenacious, "methodical in its pursuit of objectives and very flexible in its attack strategy," and quick to change tactics whenever it encountered an obstacle.

Besides favoring a variety of legitimate remote administration tools to maintain persistent access, Muddled Libra is known to tamper with endpoint security products to evade defenses and to use multi-factor authentication (MFA) notification-fatigue tactics, bombarding a user with push prompts until one is approved, in order to steal credentials.

The actor has also been observed gathering employee lists, job roles, and mobile phone numbers in order to carry out smishing and MFA prompt-bombing attacks. If that approach fails, Muddled Libra impersonates the victim and calls the organization's helpdesk to have a new, attacker-controlled MFA device enrolled.
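As an added example (not from the Unit 42 report or this article), the following Python flags the two behaviors described in the preceding paragraphs over constructed identity-provider log lines: a burst of rejected MFA push prompts for one user (the notification-fatigue pattern), and a new MFA factor enrolled for that same user shortly afterwards, which is the trace a successful helpdesk impersonation would leave. The event names, thresholds, and sample lines are assumptions made for illustration, not any vendor's real log schema.

```python
"""Flag MFA push-fatigue bursts and new-factor enrollments that follow them.

Added example (not from Unit 42 or The Hacker News): the event format, the
thresholds and the sample lines are constructed for illustration and do not
reflect any real identity provider's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO-8601 UTC timestamp> <user> <event type>".
# alice: six rejected pushes within a few minutes, then a new factor enrolled
# (push-bombing followed by a helpdesk call to register a new device).
# bob and carol: ordinary activity that should not be flagged.
SAMPLE_EVENTS = [
    "2023-06-20T09:00:05Z alice mfa.push.denied",
    "2023-06-20T09:00:21Z alice mfa.push.denied",
    "2023-06-20T09:00:40Z alice mfa.push.timeout",
    "2023-06-20T09:01:02Z alice mfa.push.denied",
    "2023-06-20T09:01:30Z alice mfa.push.denied",
    "2023-06-20T09:02:15Z alice mfa.push.timeout",
    "2023-06-20T09:47:10Z alice mfa.factor.enrolled",
    "2023-06-20T08:15:00Z bob mfa.push.approved",
    "2023-06-20T12:30:00Z bob mfa.push.denied",
    "2023-06-20T10:00:00Z carol mfa.factor.enrolled",
    "2023-06-20T11:00:00Z carol mfa.push.approved",
]

# A push the user did not approve: explicitly denied or left to time out.
PUSH_REJECTIONS = {"mfa.push.denied", "mfa.push.timeout"}
ENROLLMENT = "mfa.factor.enrolled"


def parse_events(lines):
    """Parse log lines into (timestamp, user, event_type) tuples sorted by time."""
    events = []
    for line in lines:
        ts, user, kind = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, kind))
    return sorted(events)


def find_push_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return (user, first_ts, last_ts, count) for every run of at least
    `threshold` rejected pushes whose first and last fall within `window`.

    Sliding window per user: from each rejection, extend the run as far as
    the window allows; a run meeting the threshold is reported once and the
    scan resumes after it, so overlapping sub-runs are not re-reported.
    """
    rejections = defaultdict(list)
    for ts, user, kind in events:
        if kind in PUSH_REJECTIONS:
            rejections[user].append(ts)

    bursts = []
    for user, times in rejections.items():
        i = 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts.append((user, times[i], times[j], j - i + 1))
                i = j + 1
            else:
                i += 1
    return bursts


def find_enrollments_after_bursts(events, bursts, within=timedelta(hours=2)):
    """Return (user, enrollment_ts) for each new MFA factor enrolled within
    `within` of the end of a push burst for the same user. An enrollment with
    no preceding burst (carol) is treated as normal and is not flagged."""
    flagged = []
    for ts, user, kind in events:
        if kind != ENROLLMENT:
            continue
        for b_user, _start, b_end, _count in bursts:
            if b_user == user and b_end <= ts <= b_end + within:
                flagged.append((user, ts))
                break
    return flagged


def analyze(lines):
    """Run both detections over raw log lines; returns (bursts, flagged)."""
    events = parse_events(lines)
    bursts = find_push_bursts(events)
    return bursts, find_enrollments_after_bursts(events, bursts)


if __name__ == "__main__":
    bursts, flagged = analyze(SAMPLE_EVENTS)
    for user, start, end, count in bursts:
        print(f"push-fatigue burst: {user}, {count} rejected pushes "
              f"{start:%H:%M:%S}-{end:%H:%M:%S}")
    for user, ts in flagged:
        print(f"new MFA factor enrolled after burst: {user} at {ts:%H:%M:%S}")
```

The threshold and window should be tuned against the identity provider's normal baseline; the enrollment check is the higher-signal alert, since a legitimate user who has just rejected a flood of prompts rarely needs a new device registered minutes later, and a helpdesk-initiated enrollment in that window deserves a call back to the employee on a known-good number.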

"The success of Muddled Libra's social engineering is remarkable," the researchers said. "In many of our cases, this group showed an unusually high degree of comfort engaging both the helpdesk and other employees over the phone, and persuaded them to take risky actions."

The attacks also employ credential-stealing tools such as Mimikatz and Raccoon Stealer to elevate access, along with other scanners to facilitate network discovery, before ultimately exfiltrating data from Confluence, Jira, Git, Elastic, Microsoft 365, and internal messaging platforms.

Unit 42 further theorizes that the authors of the 0ktapus phishing kit lack Muddled Libra's advanced capabilities, and that despite the overlap in tradecraft, there is no clear link between this actor and UNC3944.

“Muddled Libra stands at the intersection of nefarious social engineering and agile technology adaptation,” the researchers said. “They are experts in various security disciplines, thrive in relatively secure environments, and can execute quickly to complete devastating attack chains.”

“This enterprise information technology-savvy threat group poses significant risks even to organizations with well-developed, traditional cyber defenses.”
