Threat actors, particularly the Muddled Libra hacking group, leverage pentesting tools to identify and exploit vulnerabilities within target systems or networks. These tools offer a simulated environment for testing potential attack vectors, allowing attackers to refine their strategies and maximize the impact of their intrusions. Cybersecurity researchers from Unit 42 at Palo Alto Networks have uncovered that Muddled Libra hackers actively employ pentesting tools to gain administrative access, facilitating their malicious activities.
Emerging in late 2022, the Muddled Libra group introduced the 0ktapus phishing kit, which provided attackers with prebuilt hosting, simplified command-and-control connectivity, and bundled attack templates. This kit enabled even low-skilled attackers to emulate mobile authentication pages affordably, resulting in the theft of credentials and multi-factor authentication codes from over 100 organizations. Despite being previously identified under different names like 0ktapus, Scattered Spider, and Scatter Swine, Muddled Libra clarified their distinct identity, employing common toolkits and collaborative social forums to coordinate their operations with an Agile-like team structure.
Unit 42’s analysis links several sophisticated supply chain attacks targeting cryptocurrency networks to the Muddled Libra group, indicating their adaptability and expanding scope of operations. Employing tactics rooted in deep reconnaissance, Muddled Libra demonstrates a comprehensive understanding of their targets, often obtained from prior data breaches and information brokers. The group utilizes malware such as Raccoon Stealer and RedLine Stealer to harvest sensitive data from personal devices, leveraging vulnerabilities in bring-your-own-device (BYOD) policies and hybrid work setups to perpetrate data theft.
Muddled Libra’s operational methodology revolves around the rapid establishment of access through short-lived domains and the exploitation of remote monitoring and management (RMM) tools. While their initial focus lies in data and credential theft, recent trends suggest a shift towards an ‘encrypt and extort’ model, particularly targeting larger organizations within the same industry. Consistently employing legitimate tools like SharpHound and ADRecon, coupled with the utilization of PsExec and Impacket for execution, Muddled Libra displays a sophisticated understanding of attack vectors, emphasizing the importance of robust cybersecurity measures in mitigating such threats.
