Muddled Libra

Threat Actor updated 4 months ago (2024-05-04T20:36:29.457Z)
Muddled Libra is a threat actor notable for its use of legitimate cloud services, particularly Amazon Web Services (AWS) and Microsoft Azure, to carry out its intrusions. The group leverages native cloud service provider (CSP) features to exfiltrate data efficiently.

In AWS, Muddled Libra targets two services: AWS DataSync and AWS Transfer. Both are built to move data from an on-premises environment into the cloud, and from there to an external destination. Because they are sanctioned services producing ordinary-looking traffic, they let the group move large volumes of data quickly while blending into normal network activity, which makes the exfiltration harder to detect.

In Microsoft Azure, the group has used ordinary Virtual Machine (VM) snapshots to capture images of hosts holding information relevant to its objectives. To avoid detection, Muddled Libra creates new VMs inside the compromised environment, writes the data recovered from the snapshots onto those new hosts as a staging area, and exfiltrates it from there. This conceals the activity on the original hosts and also gives the group a foothold from which to persist in the target environment.

Muddled Libra's tactics keep evolving, but its end goals are stable, and understanding them helps in building more robust defenses. By studying the attack chain, defenders can put technical controls where the group actually operates: for example, alerting on abnormal or first-time use of AWS DataSync, AWS Transfer, and Azure VM snapshot functionality, especially by accounts that do not normally perform those operations. Muddled Libra's techniques remain a significant challenge, but vigilance and continuous adaptation can materially reduce the risk the group poses.
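The monitoring suggested above can be made concrete. The following is an added example, not code from Unit 42 or Cybergeist: it scans CloudTrail records for the DataSync and Transfer Family API calls that would build an exfiltration path, flags a DataSync task whose destination location lives in a different AWS account (a heuristic, labelled as such), and pairs Azure Activity Log snapshot writes with a VM write by the same caller inside a time window, which is the snapshot-to-new-host staging pattern the profile describes. All log records are constructed samples; the account IDs, user names, bucket and resource names are invented.

```python
"""Added detection example for the cloud-exfiltration pattern described above.
Not Unit 42's or Cybergeist's code. The log records below are constructed
samples shaped like AWS CloudTrail and Azure Activity Log entries."""
from datetime import datetime, timedelta

# CloudTrail (eventSource, eventName) pairs for the two AWS services the
# profile names as the exfiltration path. Each is rare in most estates.
WATCHED_AWS = {
    ("datasync.amazonaws.com", "CreateAgent"),
    ("datasync.amazonaws.com", "CreateLocationS3"),
    ("datasync.amazonaws.com", "CreateTask"),
    ("datasync.amazonaws.com", "StartTaskExecution"),
    ("transfer.amazonaws.com", "CreateServer"),
    ("transfer.amazonaws.com", "CreateUser"),
    ("transfer.amazonaws.com", "CreateConnector"),
}
# Azure Activity Log operations for the snapshot-then-new-VM staging pattern.
SNAPSHOT_OP = "Microsoft.Compute/snapshots/write"
VM_OP = "Microsoft.Compute/virtualMachines/write"


def arn_account(arn):
    """Account field of an ARN: arn:partition:service:region:account:resource."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def flag_aws_events(records):
    """One finding per watched DataSync/Transfer call. A CreateTask whose
    destination location is in another account is marked cross_account."""
    findings = []
    for r in records:
        key = (r.get("eventSource"), r.get("eventName"))
        if key not in WATCHED_AWS:
            continue
        params = r.get("requestParameters") or {}
        finding = {
            "time": r["eventTime"],
            "api": key[0].split(".")[0] + ":" + key[1],
            "actor": r.get("userIdentity", {}).get("arn", "?"),
            "cross_account": False,
        }
        dest = params.get("destinationLocationArn", "")
        if dest and arn_account(dest) != r.get("recipientAccountId"):
            finding["cross_account"] = True  # heuristic: data leaving the account
        if "s3BucketArn" in params:  # bucket ownership is for the analyst to verify
            finding["bucket"] = params["s3BucketArn"]
        findings.append(finding)
    return findings


def flag_azure_staging(entries, window_minutes=120):
    """Pair each snapshot write with any VM write by the same caller inside
    window_minutes (timestamps are naive ISO 8601 in the samples)."""
    by_caller = {}
    for e in entries:
        by_caller.setdefault(e["caller"], []).append(e)
    findings = []
    for caller, evs in by_caller.items():
        snaps = [e for e in evs if e["operationName"] == SNAPSHOT_OP]
        vms = [e for e in evs if e["operationName"] == VM_OP]
        for s in snaps:
            t0 = datetime.fromisoformat(s["eventTimestamp"])
            for v in vms:
                gap = datetime.fromisoformat(v["eventTimestamp"]) - t0
                if timedelta(0) <= gap <= timedelta(minutes=window_minutes):
                    findings.append({"caller": caller, "snapshot": s["resourceId"],
                                     "vm": v["resourceId"],
                                     "minutes": int(gap.total_seconds() // 60)})
    return findings


# Constructed sample records (not real logs): a helpdesk-admin user builds a
# DataSync path to a bucket in another account, then stands up a Transfer server.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-03-01T10:02:00Z", "eventSource": "datasync.amazonaws.com",
     "eventName": "CreateLocationS3", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/helpdesk-admin"},
     "requestParameters": {"s3BucketArn": "arn:aws:s3:::ext-drop-bucket"}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "datasync.amazonaws.com",
     "eventName": "CreateTask", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/helpdesk-admin"},
     "requestParameters": {
         "sourceLocationArn": "arn:aws:datasync:us-east-1:111111111111:location/loc-a",
         "destinationLocationArn": "arn:aws:datasync:us-east-1:999999999999:location/loc-b"}},
    {"eventTime": "2024-03-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ReadOnly"}},
    {"eventTime": "2024-03-01T11:30:00Z", "eventSource": "transfer.amazonaws.com",
     "eventName": "CreateServer", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/helpdesk-admin"},
     "requestParameters": {"protocols": ["SFTP"]}},
]
RG = "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/"
SAMPLE_AZURE = [
    {"eventTimestamp": "2024-03-02T01:00:00", "caller": "svc-backup@corp.example",
     "operationName": SNAPSHOT_OP, "resourceId": RG + "snapshots/fileserver-osdisk-snap"},
    {"eventTimestamp": "2024-03-02T01:40:00", "caller": "svc-backup@corp.example",
     "operationName": VM_OP, "resourceId": RG + "virtualMachines/tmp-stage-01"},
    {"eventTimestamp": "2024-03-02T09:00:00", "caller": "ops@corp.example",
     "operationName": SNAPSHOT_OP, "resourceId": RG + "snapshots/nightly"},
]

if __name__ == "__main__":
    for f in flag_aws_events(SAMPLE_CLOUDTRAIL) + flag_azure_staging(SAMPLE_AZURE):
        print(f)
```

On the samples this yields three AWS findings (the Transfer server creation and both DataSync calls, the task flagged as cross-account) and one Azure finding for the backup account that snapshotted a file server and then created a VM forty minutes later; the routine nightly snapshot with no following VM write is not flagged. In production the watched API list and the time window are tuning knobs, and the cross-account test is only a first filter: a bucket or location inside the victim's own account can just as easily be the drop point, so the finding is meant to route to an analyst, not to auto-block.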
Description last updated: 2024-04-09T21:15:47.333Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
Scattered Spider (4 votes): Scattered Spider is a threat actor group known for its malicious cyber activities. The group's operations involve searching SharePoint repositories for sensitive information, maintaining persistence on targeted networks, and exfiltrating data for extortion purposes. They primarily gain access to vic …
UNC3944 (2 votes): UNC3944, also known as Scattered Spider and 0ktapus, is a financially motivated threat actor group that has been increasingly active in recent years. The group initially targeted telecommunication firms and tech companies but has now expanded its operations to include the hospitality, retail, media, …
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Ransomware
RMM
Associated Threat Actors
ID (relationship type, votes): Profile Description
Alphv (Unspecified, 2 votes): Alphv is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital op …
Source Document References
Information about the Muddled Libra threat actor was read from the documents in the corpus below. This display is limited to 20 results.
Source, created: Title
Unit42, 5 months ago: Muddled Libra's Evolution to the Cloud
CERT-EU, 8 months ago: The biggest cybersecurity and cyberattack stories of 2023
BankInfoSecurity, a year ago: Caesars Entertainment Reportedly Pays Ransom to Attackers
CERT-EU, 9 months ago: FBI Warns: Scattered Spider Forms Alliance with Black Cat Ransomware
CERT-EU, 10 months ago: FBI shares tactics of notorious Scattered Spider hacker collective
CERT-EU, 10 months ago: U.S. officials urge more information sharing on prolific cybercrime group
CISA, 10 months ago: Scattered Spider | CISA
CERT-EU, 10 months ago: Scattered Ransomware Attribution Blurs Focus on IR Fundamentals
BankInfoSecurity, a year ago: MGM Resorts Says Hotels 'Operating Normally' After Attack
CERT-EU, a year ago: Tactics of MGM-Caesars attackers were known for several months
CERT-EU, a year ago: Cybercrime Group 'Muddled Libra' Targets BPO Sector with Advanced Social Engineering
CERT-EU, a year ago: BlackCat/ALPHV reportedly encrypted more than 100 MGM ESXi hypervisors
CERT-EU, a year ago: Cybercrime Group 'Muddled Libra' Targets BPO Sector with Advanced Social Engineering – GIXtools
CERT-EU, a year ago: Iran subjected to hack-and-leak operations
CERT-EU, a year ago: Cyber Security Week in Review: September 8, 2023
CERT-EU, a year ago: Multiple Okta customers compromised in a phishing campaign
Unit42, a year ago: Threat Group Assessment: Muddled Libra
CERT-EU, a year ago: New macOS backdoor JokerSpy impacts Japanese crypto exchange
CERT-EU, a year ago: More Okta customers trapped in Scattered Spider's web
CERT-EU, a year ago: The latest detected cyberattacks | 27 June 2023