“Muddled Libra” Hackers Shift Focus to Cloud and SaaS Attacks

Muddled Libra
Resource group with various attacker targets

In a chilling development that highlights the ever-evolving nature of cyber threats, the infamous “Muddled Libra” hacking group is setting its sights on a new frontier: the cloud and Software-as-a-Service (SaaS). A comprehensive report from Unit 42 reveals the group’s alarming shift in tactics, detailing how they’re infiltrating cloud environments and compromising widely-used SaaS applications to steal data and potentially even launch attacks against downstream targets.

Resource group with various attacker targets | Image: Unit 42

Why the Cloud is So Appealing

For hackers like Muddled Libra, cloud service providers (CSPs) – think Amazon Web Services, Microsoft Azure, and others – represent an irresistible target. These platforms have become the backbone of countless businesses, storing troves of sensitive information and powering mission-critical applications. By breaching these environments, attackers gain access to a treasure trove of valuable data.

Muddled Libra’s cloud attack methodology is both meticulous and brazen:

  • Weaponizing Social Engineering: The group cleverly impersonates legitimate users or uses other tricks to manipulate help desk personnel into revealing access credentials.
  • Abusing Trust: Using compromised credentials, they target Single Sign-On (SSO) portals, which function as gateways to multiple cloud resources and connected applications
  • Exploiting Weak Links: They relentlessly scan for poorly secured cloud accounts or carelessly exposed credentials, relying on organizations’ inadequate security practices.

SaaS: The Keys to the Kingdom

Alongside their cloud attacks, Muddled Libra has developed a keen interest in SaaS platforms like Microsoft 365, Salesforce, and others. These services offer email, productivity tools, file storage, and more, making them a rich source of information and a potential springboard for further attacks.

Their SaaS tactics are particularly insidious:

  • Targeting Collaboration: They exploit platforms like SharePoint to uncover network diagrams, internal tools, or even passwords inadvertently stored within files.
  • Raiding Email Inboxes: Sensitive communications and other valuable data are siphoned directly from users’ email accounts.
  • Manipulating for Advantage: Hackers reconfigure SaaS settings to grant themselves wider access and reduce barriers to their operations.

Exfiltration with a Twist

Muddled Libra’s goal isn’t merely data theft; it’s about extortion and potential disruption. They’ve become adept at using the cloud’s own features against their victims. Services like AWS DataSync and Azure snapshots, designed for legitimate purposes, become tools for rapidly exfiltrating massive amounts of data before anyone realizes what’s happening.

The Stakes Are Higher Than Ever

The report by Unit 42 underscores the escalating risks organizations face as they migrate to cloud and SaaS platforms. Muddled Libra’s ability to blend traditional hacking techniques with an understanding of cloud infrastructure makes them especially dangerous. The potential consequences range from devastating data breaches to extortion attempts and even attacks launched against a victim’s clients using their own compromised resources.

What Businesses Must Do

  • Prioritize User Awareness: Employees are the first line of defense. Train them to recognize social engineering attempts, especially those aimed at help desks and IT personnel.
  • Robust Identity Management: Enforce strong multi-factor authentication (MFA) on all critical accounts and SSO portals. Regularly review and limit user permissions.
  • Enforce Security Hygiene: Establish and enforce strict password policies across all cloud services. Disable or restrict the use of high-risk cloud features when not essential.
  • Continuous Monitoring: Actively monitor cloud environments and SaaS applications for anomalies, unusual resource usage, and suspicious account activity.

Get the full “Muddled Libra’s Evolution to the Cloud” report from Unit 42 for in-depth analysis and further mitigation recommendations.