A Targeted & Tenacious Cyberthreat: Muddled Libra
A new threat group known as “Muddled Libra” has emerged, targeting large outsourcing firms through persistent and multi-layered attacks. The group, which has been active since mid-2022, demonstrates an expert understanding of enterprise information technology and maintains non-destructive persistence on targeted organizations’ systems until it achieves its goals of data exfiltration and conducting further attacks. One of the distinguishing characteristics of Muddled Libra is its tendency to target downstream customers using stolen data, which also lets it regain access to prior victims even after initial incident response.
A Threat to Multiple Industries
Muddled Libra primarily targets large outsourcing firms serving high-value cryptocurrency institutions and individuals. However, it also poses a substantial threat to organizations in the software automation, business process outsourcing, telecommunications, and technology industries. While the group does not bring anything new in terms of malware or tactics, its methodical and flexible attack techniques, proficiency in a range of security disciplines, and tenacious nature make it particularly dangerous.
The Modus Operandi of Muddled Libra
Muddled Libra’s attacks begin with reconnaissance to create target profiles, followed by the deployment of lookalike phishing domains and the use of the Oktapus phishing kit. This leads to smishing attacks, where lure messages are sent to targeted employees’ mobile phones, prompting them to update account information or re-authenticate to a corporate application. In this process, Muddled Libra gains access to the network by capturing credentials and bypassing multi-factor authentication through various social engineering techniques, including MFA bombing.
Once inside the network, Muddled Libra elevates its access using credential-stealing tools and deploys remote monitoring and management (RMM) tools to establish a backdoor for maintaining persistence. The group also employs evasive maneuvers, such as disabling antivirus and firewalls and uninstalling monitoring products. Muddled Libra’s primary goal is to access and exfiltrate data, often using reverse proxy shells, secure shell (SSH) tunnels, or commonly used file-transfer sites. In some cases, the group even targets downstream customers through compromised infrastructure.
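The MFA bombing described above leaves a recognizable trace in identity-provider logs: a burst of push prompts to one user in a short window, sometimes followed by an approval. The following detector is an added example for this article, not Unit 42's code or any vendor's detection rule. It assumes a hypothetical log format (one JSON object per line with `ts`, `user` and `event` fields, where `event` is `push_sent`, `push_approved` or `push_denied`); the sample lines are constructed, and the threshold and window are tunable assumptions rather than published values.

```python
"""MFA push-fatigue ("MFA bombing") detection over authentication logs.

Added example for this article; it is not Unit 42's code or any identity
provider's built-in rule. The log format is an assumption: one JSON object
per line with fields ts (ISO 8601, UTC), user, event (push_sent /
push_approved / push_denied) and src_ip. Only ts, user and event are used;
real providers name these fields differently, so map them before use.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_THRESHOLD = 5              # push prompts inside one window that count as a burst
WINDOW = timedelta(minutes=10)  # sliding window length (tuning assumption)

# Constructed sample log: alice is bombed and finally taps "approve",
# bob performs one ordinary login, carol gets five prompts spread over
# two hours (well below the rate that should alert with a 10-minute window).
SAMPLE_LOG = """\
{"ts": "2023-06-01T08:00:00Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-06-01T08:00:45Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-06-01T08:01:30Z", "user": "alice", "event": "push_denied", "src_ip": "198.51.100.7"}
{"ts": "2023-06-01T08:01:40Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-06-01T08:02:10Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-06-01T08:03:00Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-06-01T08:04:30Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-06-01T08:05:00Z", "user": "alice", "event": "push_approved", "src_ip": "198.51.100.7"}
{"ts": "2023-06-01T09:00:00Z", "user": "bob", "event": "push_sent", "src_ip": "203.0.113.5"}
{"ts": "2023-06-01T09:00:20Z", "user": "bob", "event": "push_approved", "src_ip": "203.0.113.5"}
{"ts": "2023-06-01T10:00:00Z", "user": "carol", "event": "push_sent", "src_ip": "192.0.2.9"}
{"ts": "2023-06-01T10:30:00Z", "user": "carol", "event": "push_sent", "src_ip": "192.0.2.9"}
{"ts": "2023-06-01T11:00:00Z", "user": "carol", "event": "push_sent", "src_ip": "192.0.2.9"}
{"ts": "2023-06-01T11:30:00Z", "user": "carol", "event": "push_sent", "src_ip": "192.0.2.9"}
{"ts": "2023-06-01T12:00:00Z", "user": "carol", "event": "push_sent", "src_ip": "192.0.2.9"}
"""


def parse_line(line):
    """Parse one JSON log line; the trailing 'Z' is rewritten so that
    datetime.fromisoformat accepts it on Python versions before 3.11."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_push_fatigue(lines, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert dict per burst of push prompts.

    An alert opens when `threshold` push_sent events for a user fall inside
    `window`. It is escalated to severity "high" if that user approves a
    prompt while the burst is still inside the window, which is the outcome
    the attacker is after. A burst closes once all its prompts have aged out,
    so a later burst for the same user raises a fresh alert.
    """
    recent = defaultdict(deque)   # user -> timestamps of push_sent still inside the window
    open_bursts = {}              # user -> alert dict for the burst in progress
    alerts = []
    records = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda r: r["ts"])
    for rec in records:
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        q = recent[user]
        while q and ts - q[0] > window:    # drop prompts that have aged out of the window
            q.popleft()
        if not q and user in open_bursts:  # every prompt of the burst has expired
            del open_bursts[user]
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold:
                if user not in open_bursts:
                    alert = {"user": user, "first_push": q[0].isoformat(),
                             "pushes": len(q), "severity": "medium"}
                    open_bursts[user] = alert
                    alerts.append(alert)
                else:
                    open_bursts[user]["pushes"] = max(open_bursts[user]["pushes"], len(q))
        elif event == "push_approved" and user in open_bursts and len(q) >= threshold:
            open_bursts[user]["severity"] = "high"   # the target gave in to the prompts
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, only alice produces an alert, and it is escalated to "high" because her approval lands while six prompts are still inside the window; bob's single prompt-and-approve and carol's slow trickle stay silent. Widening the window (for example to a few hours) makes carol's five prompts alert at "medium", which is the trade-off to tune against your own baseline of legitimate prompt rates. A "high" alert is the one worth paging on: it indicates a likely compromised session rather than just a noisy attempt.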
Defending Against Muddled Libra
To defend against such a sophisticated threat actor, organizations must take a comprehensive approach that combines cutting-edge technology, robust security hygiene, and constant monitoring of external threats and internal events.
Unit 42 researchers provide several recommendations to mitigate the risks posed by Muddled Libra:
- Implement multi-factor authentication (MFA) and single sign-on (SSO) wherever possible to minimize the risk of bypassing MFA.
- Conduct comprehensive user-awareness training to help employees identify suspicious non-email-based outreach and mitigate social engineering attacks.
- Maintain credential hygiene and grant access to employees only when and for as long as necessary.
- Restrict connections from anonymization services to the network, ideally controlling them at the firewall by App-ID.
- Employ robust network security and endpoint security, including an extended detection and response (XDR) solution that can identify malicious code through advanced machine learning and behavioral analytics.
- Prepare for potential breaches by assuming that the attacker is well-versed in modern incident response (IR) tactics and establishing out-of-band response mechanisms.
Editorial: The Ongoing Battle Against Cyber Threats
Muddled Libra represents yet another example of the ever-evolving and persistent cyber threats organizations face in today’s digital landscape. The group’s ability to stay undetected, efficiently navigate security measures, and capitalize on stolen data for further attacks highlights the need for continuous vigilance and proactive security strategies.
Organizations must understand that defending against sophisticated threat actors requires a multi-faceted approach that addresses both technical vulnerabilities and human factors. While implementing cutting-edge technology is crucial, employee awareness and training play an equally important role in mitigating the risks of social engineering and phishing attacks.
Furthermore, as Muddled Libra demonstrates, incident response plans must be up-to-date and adaptable, accounting for the possibility that threat actors are well-versed in modern IR tactics. Organizations should also consider the implementation of out-of-band response mechanisms to enhance their ability to contain and mitigate breaches.
In this ongoing battle against cyber threats, organizations must prioritize cybersecurity measures and invest in the necessary resources to protect their networks, data, and customers. Only through a comprehensive and proactive approach can they stay one step ahead of adversaries like Muddled Libra.