Muddled Libra

Threat Actor updated 2 months ago (2024-11-29T13:43:11.484Z)
Muddled Libra, a threat actor subgroup known for its sophisticated cyber-attack techniques, has recently been noted for its advanced exfiltration and discovery methods using AWS and Azure cloud services. The group has not claimed responsibility for any specific attacks, but their tactics align closely with those used by the cybercrime group codenamed Scattered Spider, also known as UNC3944, 0ktapus, Octo Tempest, Scatter Swine, and Muddled Libra. This implies that they may have been involved in recent high-profile cyber-attacks such as the MoneyGram attack. Their constantly evolving attack strategies make them a significant threat to cybersecurity, yet understanding their end goals can help defenders build better protections.

In terms of specific techniques, Muddled Libra exploits legitimate cloud service provider (CSP) features to efficiently exfiltrate data. In AWS environments, they target two legitimate services, AWS DataSync and AWS Transfer, to move data from an on-premises environment to the cloud and then to an external entity. For Azure environments, Muddled Libra uses traditional VM functionality known as snapshots to take images of hosts containing sensitive information. They then create new VMs within the compromised environment, save operational data from the snapshots to these new hosts for staging, and subsequently exfiltrate the data.

The Muddled Libra threat actor group is known for its complex attack chain, particularly in the cloud. By leveraging legitimate CSP services and creating new VMs within compromised environments, they can efficiently stage and exfiltrate data. Despite their ever-changing tactics, understanding their ultimate objectives can guide the implementation and improvement of technology protections to safeguard environments against such threats. However, their alignment with the tactics of other known cybercrime groups suggests that they are part of a larger network of malicious actors, making them a persistent and significant threat to cybersecurity.
Description last updated: 2024-10-08T18:16:34.988Z
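A defender-side sketch of how the control-plane activity described above could be surfaced from audit logs, added here as an example and not part of the original profile or any vendor's tooling. It assumes CloudTrail-style records for the DataSync and Transfer calls and a simplified Azure Activity Log layout (caller, operationName, eventTimestamp); the ARNs, callers, allowlist and two-hour window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Control-plane calls for the services named above; tune the sets per environment.
AWS_WATCH = {
    "datasync.amazonaws.com": {"CreateAgent", "CreateTask", "StartTaskExecution"},
    "transfer.amazonaws.com": {"CreateServer", "CreateUser"},
}
AZ_SNAPSHOT, AZ_VM = "microsoft.compute/snapshots/write", "microsoft.compute/virtualmachines/write"

def ts(value):  # ISO-8601 UTC string -> timezone-aware datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def aws_findings(records, approved_arns):
    """Watched DataSync/Transfer calls made by principals not on the allowlist."""
    hits = []
    for r in records:
        arn = r.get("userIdentity", {}).get("arn", "unknown")
        if r.get("eventName") in AWS_WATCH.get(r.get("eventSource"), ()) and arn not in approved_arns:
            hits.append((r["eventTime"], arn, r["eventName"]))
    return sorted(hits)

def azure_findings(records, window=timedelta(hours=2)):
    """Callers that write a snapshot and then create a VM within `window`."""
    snaps, hits = {}, []
    for r in sorted(records, key=lambda r: ts(r["eventTimestamp"])):
        op, who, when = r["operationName"].lower(), r["caller"], ts(r["eventTimestamp"])
        if op == AZ_SNAPSHOT:
            snaps[who] = when  # remember the caller's most recent snapshot
        elif op == AZ_VM and who in snaps and when - snaps[who] <= window:
            hits.append((who, r["eventTimestamp"]))
    return hits

# Constructed sample records in a simplified layout (assumed), not real logs.
def ct(t, src, name, arn): return {"eventTime": t, "eventSource": src, "eventName": name, "userIdentity": {"arn": arn}}
def az(t, op, caller): return {"eventTimestamp": t, "operationName": op, "caller": caller}
BACKUP = "arn:aws:iam::111122223333:role/backup-automation"  # hypothetical approved role
TEMP = "arn:aws:iam::111122223333:user/helpdesk-temp"        # hypothetical unapproved user
CLOUDTRAIL = [
    ct("2024-01-01T10:00:00Z", "datasync.amazonaws.com", "CreateTask", BACKUP),
    ct("2024-01-01T11:05:00Z", "transfer.amazonaws.com", "CreateServer", TEMP),
    ct("2024-01-01T11:20:00Z", "datasync.amazonaws.com", "StartTaskExecution", TEMP),
]
ACTIVITY = [
    az("2024-01-01T09:00:00Z", "Microsoft.Compute/snapshots/write", "ops@example.com"),
    az("2024-01-01T15:00:00Z", "Microsoft.Compute/virtualMachines/write", "ops@example.com"),
    az("2024-01-01T12:00:00Z", "Microsoft.Compute/snapshots/write", "contractor@example.com"),
    az("2024-01-01T12:40:00Z", "Microsoft.Compute/virtualMachines/write", "contractor@example.com"),
]
if __name__ == "__main__":
    print(aws_findings(CLOUDTRAIL, {BACKUP}), azure_findings(ACTIVITY))
```

Both services and snapshots have routine administrative uses, so the allowlist and time window carry most of the signal and need tuning against the environment's normal change activity.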
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias description (votes)
Scattered Spider is a possible alias for Muddled Libra. Scattered Spider, also known as Octo Tempest, 0ktapus, and UNC3944, is a notorious threat actor group involved in major data extortion campaigns. This cybercriminal group has been associated with high-profile attacks on organizations like Caesars Entertainment and MGM, often in collaboration with th (votes: 4)
UNC3944 is a possible alias for Muddled Libra. UNC3944, also known as Scattered Spider or 0ktapus, is a notable threat actor in the cybersecurity landscape. This group primarily targets telecommunication firms and tech companies, but has expanded its operations to hospitality, retail, media, and financial services sectors. The group's modus oper (votes: 2)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
RMM
Cybercrime
Ransomware
Associated Threat Actors
Alias description (association type; votes)
The Alphv Threat Actor is associated with Muddled Libra. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p (association type: Unspecified; votes: 2)