
Cybercrime Group Uses Advanced Social Engineering to Target BPO Sector
A threat actor known as Muddled Libra is targeting the business process outsourcing (BPO) industry with persistent attacks that rely on advanced social engineering to gain initial access. Palo Alto Networks described the group as follows:
The attack style defining Muddled Libra appeared on the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit, which offered a prebuilt hosting framework and bundled templates.
The group of cybercriminals was given the name “Libra” by the cybersecurity firm Palo Alto Networks. The qualifier “Muddled” was added because of the ambiguity around the group’s use of the “0ktapus” phishing kit.
An intrusion set called “0ktapus,” sometimes known as “Scatter Swine,” was originally identified in August 2022 in connection with smishing attacks against more than 100 companies, including Twilio and Cloudflare.
In late 2022, CrowdStrike disclosed a campaign of cyberattacks on telecom and BPO companies that had been ongoing since at least June 2022. These attacks combine SIM-swapping attacks with credential phishing. Tracking names for this cluster include “Roasted 0ktapus,” “Scattered Spider,” and “UNC3944.”
Senior Threat Researcher Kristopher Russo said:
Unit 42 decided to name Muddled Libra because of the confusing muddled landscape associated with the 0ktapus phishing kit. Since the kit is now widely available, many other threat actors are adding it to their arsenal. Using the 0ktapus phishing kit alone doesn’t necessarily classify a threat actor as what Unit 42 calls Muddled Libra.
The cybercrime group Muddled Libra uses a variety of methods to attack its victims, including smishing, phishing, and SIM swapping. They then use this access to steal data and maintain long-term persistence on the victim’s network.
Muddled Libra is known for being persistent and adaptable. They will often target the same victims multiple times, and they are quick to change their tactics if they encounter roadblocks. They also use a variety of legitimate remote management tools to maintain their access, and they are known to tamper with endpoint security solutions to evade detection.
One of the most distinctive features of Muddled Libra’s attacks is the reuse of compromised infrastructure and stolen data in follow-on attacks against the victims’ own customers. This lets the group reach a far larger set of targets and extract more value from each intrusion.
Unit 42, Palo Alto Networks’ threat research unit, has investigated more than six Muddled Libra incidents. The gang has been described as being “methodical in pursuing their goals and highly flexible with their attack strategies.”
Organizations in the sectors Muddled Libra targets should be aware of the group’s strategies and be prepared to defend against them. To safeguard their data, they should also have strong security controls in place, such as multi-factor authentication.
In addition to smishing and prompt bombing attacks, the threat actor has also been observed collecting employee lists, job roles, and cellular phone numbers. This information is used to create more targeted and convincing attacks. If these methods fail, the threat actor may contact the organization’s help desk posing as the victim to enroll a new MFA device under their control.
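The help-desk enrollment path described above leaves a trace a defender can look for in identity-provider audit logs: a new MFA device registered shortly after a help-desk-initiated MFA reset, from a network location the user has never signed in from. The following is an added example, not code from the article or from Unit 42. It runs over constructed audit events; the three event types and the field names are assumptions, and a real identity provider's log schema would have to be mapped onto them.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article or any real tenant).
# Event shape is an assumption: ts (ISO 8601), type, user, src_ip.
# "helpdesk_mfa_reset" is logged by the operator's session, so its src_ip
# is the help desk's, not the caller's.
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T09:00:00", "type": "login", "user": "alice", "src_ip": "10.1.1.5"},
    {"ts": "2023-06-01T09:30:00", "type": "login", "user": "alice", "src_ip": "10.1.1.5"},
    {"ts": "2023-06-01T14:02:00", "type": "helpdesk_mfa_reset", "user": "alice", "src_ip": "10.0.0.9"},
    {"ts": "2023-06-01T14:10:00", "type": "mfa_device_enrolled", "user": "alice", "src_ip": "203.0.113.77"},
    {"ts": "2023-06-01T10:00:00", "type": "login", "user": "bob", "src_ip": "10.1.1.6"},
    {"ts": "2023-06-01T11:00:00", "type": "helpdesk_mfa_reset", "user": "bob", "src_ip": "10.0.0.9"},
    {"ts": "2023-06-01T11:20:00", "type": "mfa_device_enrolled", "user": "bob", "src_ip": "10.1.1.6"},
    {"ts": "2023-06-02T08:00:00", "type": "mfa_device_enrolled", "user": "carol", "src_ip": "198.51.100.4"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def flag_suspicious_mfa_enrollments(events, window_minutes=60):
    """Return one alert per MFA device enrollment that looks as if it may have
    been obtained through the help desk rather than by the account owner.

    Two signals are combined:
      1. the enrollment happened within `window_minutes` of a help-desk MFA reset;
      2. the enrollment came from an IP never seen on a prior login for that user.
    Both signals together -> "high"; either one alone -> "medium".
    """
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: _parse(e["ts"]))
    known_ips = {}   # user -> set of source IPs seen on logins so far
    last_reset = {}  # user -> timestamp of the most recent help-desk MFA reset
    alerts = []

    for ev in ordered:
        user, ts, kind = ev["user"], _parse(ev["ts"]), ev["type"]
        if kind == "login":
            known_ips.setdefault(user, set()).add(ev["src_ip"])
        elif kind == "helpdesk_mfa_reset":
            last_reset[user] = ts
        elif kind == "mfa_device_enrolled":
            reasons = []
            reset_ts = last_reset.get(user)
            if reset_ts is not None and ts - reset_ts <= window:
                minutes = int((ts - reset_ts).total_seconds() // 60)
                reasons.append(f"enrolled {minutes} min after a help-desk MFA reset")
            # A user with no login history has an empty baseline, so every IP is
            # "new"; a deployment would want a baseline period before alerting.
            if ev["src_ip"] not in known_ips.get(user, set()):
                reasons.append(f"enrollment from {ev['src_ip']}, never seen on a prior login")
            if reasons:
                alerts.append({
                    "user": user,
                    "ts": ev["ts"],
                    "severity": "high" if len(reasons) == 2 else "medium",
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_mfa_enrollments(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["user"], alert["ts"], "; ".join(alert["reasons"]))
```

On the constructed data, alice's enrollment is rated high (eight minutes after a help-desk reset, from an address she has never logged in from), bob's is medium (soon after a reset but from his usual address), and carol's is medium only because she has no login baseline at all. Tightening the window to a few minutes drops bob entirely and downgrades alice to medium, which is the trade-off to tune against how quickly a genuine user re-enrolls after calling the help desk.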
The researchers put it as follows:
Muddled Libra’s social engineering success is notable. Across many of our cases, the group demonstrated an unusually high degree of comfort engaging both the help desk and other employees over the phone, convincing them to engage in unsafe actions.
Other tools used in the attacks include network scanners to aid discovery and, ultimately, the exfiltration of data from Confluence, Jira, Git, Elastic, Microsoft 365, and internal messaging platforms, as well as credential-stealing programs such as Mimikatz and Raccoon Stealer used to elevate access.
While there are tradecraft similarities between the actor and UNC3944, Unit 42 theorized that the creators of the 0ktapus phishing kit do not have the same sophisticated capabilities as Muddled Libra. The Unit 42 research team said:
At the intersection of devious social engineering and nimble technology adaptation stands Muddled Libra. They are proficient in a range of security disciplines, able to thrive in relatively secure environments and execute rapidly to complete devastating attack chains. With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses.