Muddled Libra

Threat Actor updated 9 months ago (2024-11-29T13:43:11.484Z)

Download STIX

Preview STIX

Muddled Libra, a threat actor subgroup known for its sophisticated cyber-attack techniques, has recently been noted for its advanced exfiltration and discovery methods using AWS and Azure cloud services. The group has not claimed responsibility for any specific attacks, but their tactics align closely with those used by the cybercrime group codenamed Scattered Spider, also known as UNC3944, 0ktapus, Octo Tempest, Scatter Swine, and Muddled Libra. This implies that they may have been involved in recent high-profile cyber-attacks such as the MoneyGram attack. Their constantly evolving attack strategies make them a significant threat to cybersecurity, yet understanding their end goals can help defenders build better protections. In terms of specific techniques, Muddled Libra exploits legitimate cloud service provider (CSP) features to efficiently exfiltrate data. In AWS environments, they target two legitimate services, AWS DataSync and AWS Transfer, to move data from an on-premises environment to the cloud and then to an external entity. For Azure environments, Muddled Libra uses traditional VM functionality known as snapshots to take images of hosts containing sensitive information. They then create new VMs within the compromised environment, save operational data from the snapshots to these new hosts for staging, and subsequently exfiltrate the data. The Muddled Libra threat actor group is known for its complex attack chain, particularly in the cloud. By leveraging legitimate CSP services and creating new VMs within compromised environments, they can efficiently stage and exfiltrate data. Despite their ever-changing tactics, understanding their ultimate objectives can guide the implementation and improvement of technology protections to safeguard environments against such threats. However, their alignment with the tactics of other known cybercrime groups suggests that they are part of a larger network of malicious actors, making them a persistent and significant threat to cybersecurity.

Description last updated: 2024-10-08T18:16:34.988Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Scattered Spider is a possible alias for Muddled Libra. Scattered Spider, also known as Octo Tempest, 0ktapus, and UNC3944, is a notorious threat actor group involved in major data extortion campaigns. This cybercriminal group has been associated with high-profile attacks on organizations like Caesars Entertainment and MGM, often in collaboration with th	6
UNC3944 is a possible alias for Muddled Libra. UNC3944, also known as Scattered Spider or 0ktapus, is a notable threat actor in the cybersecurity landscape. This group primarily targets telecommunication firms and tech companies, but has expanded its operations to hospitality, retail, media, and financial services sectors. The group's modus oper	3
Octo Tempest is a possible alias for Muddled Libra. Octo Tempest, also known as Scattered Spider or 0ktapus, is a notable threat actor group in the cybercrime landscape. The group, comprised of five individuals in their early 20s, has been linked to major data extortion campaigns against high-profile targets such as Caesars Entertainment and MGM, oft	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Cybercrime

Phishing

Ransomware

Rmm

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Alphv Threat Actor is associated with Muddled Libra. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p	Unspecified	2

Source Document References

Information about the Muddled Libra Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	19 days ago	Muddled Libra’s Strike Teams: Amalgamated Evil
Unit42	25 days ago	Muddled Libra: Why Are We So Obsessed With You?
Unit42	a month ago	2025 Unit 42 Global Incident Response Report: Social Engineering Edition
Securityaffairs	a month ago	Scattered Spider targets VMware ESXi in using social engineering
Securityaffairs	2 months ago	Qantas confirms customer data breach amid Scattered Spider attacks
Securityaffairs	2 months ago	The FBI warns that Scattered Spider is now targeting the airline sector
InfoSecurity-magazine	4 months ago	Harrods Latest UK Retailer to Fall Victim to Cyber-Attack
Unit42	4 months ago	Extortion and Ransomware Trends January-March 2025
BankInfoSecurity	a year ago	MoneyGram Money Transfer Firm Reports Customer Data Breach
Unit42	a year ago	Muddled Libra’s Evolution to the Cloud
CERT-EU	2 years ago	The biggest cybersecurity and cyberattack stories of 2023
BankInfoSecurity	2 years ago	Caesars Entertainment Reportedly Pays Ransom to Attackers
CERT-EU	2 years ago	FBI Warns: Scattered Spider Forms Alliance with Black Cat Ransomware
CERT-EU	2 years ago	FBI shares tactics of notorious Scattered Spider hacker collective
CERT-EU	2 years ago	U.S. officials urge more information sharing on prolific cybercrime group
CISA	2 years ago	Scattered Spider \| CISA
CERT-EU	2 years ago	Scattered Ransomware Attribution Blurs Focus on IR Fundamentals
BankInfoSecurity	2 years ago	MGM Resorts Says Hotels 'Operating Normally' After Attack
CERT-EU	2 years ago	Tactics of MGM-Caesars attackers were known for several months
CERT-EU	2 years ago	Cybercrime Group 'Muddled Libra' Targets BPO Sector with Advanced Social Engineering