Muddled Libra has expanded from targeting SaaS apps to actively intruding into CSP environments, using data from these platforms for extortion and to accelerate attack progression. The group leverages CSP services’ legitimate capabilities to create resources for data exfiltration, even though many CSP terms of service explicitly prohibit these activities. #MuddledLibra #OktaCrossTenantImpersonation
Key points
- Muddled Libra now targets SaaS applications and CSP environments to facilitate data exfiltration and potential extortion.
- The group uses CSP-native capabilities to create new resources that aid data exfiltration, leveraging legitimate cloud features against defenders.
- Initial access often begins with social engineering the help desk to identify administrative users and target IAM-enabled environments.
- Privilege escalation is accomplished by bypassing IAM restrictions and modifying permission sets for compromised users, expanding their access scope.
- SaaS discovery involves locating data, credentials, and configuration information in SaaS apps (e.g., SharePoint) to further the campaign.
- Cloud reconnaissance gathers AWS and Azure data (IAM, S3, Secrets Manager; storage keys; resource groups) to plan movement and exfiltration.
MITRE Techniques
- [T1033] Account Discovery – Reconnaissance to identify administrative users to target for their initial access. Quote: (‘start by performing reconnaissance to identify administrative users to target for their initial access when social engineering the help desk.’)
- [T1078] Valid Accounts – Bypassing IAM restrictions and modifying permission sets after compromising administrator accounts to increase access scope. Quote: (‘technology administrator accounts that the group compromised as part of their new tactic of help desk social engineering. Then they modified permissions to increase their scope of access.’)
- [T1199] Trusted Relationship – Exploitation of trusted relationships via Okta cross-tenant impersonation to access SaaS and CSP environments. Quote: (‘Okta cross-tenant impersonation attacks … bypassed IAM restrictions.’)
- [T1021] Remote Services – Lateral movement to access SaaS applications and CSP environments via SSO and related portals. Quote: (‘Figure 2 maps the lateral movement techniques used by Muddled Libra.’)
- [T1567.002] Exfiltration to Cloud Storage – Exfiltration using AWS DataSync and AWS Transfer to move data from on-premises to the cloud and then out of the environment. Quote: (‘AWS DataSync enables the transfer of data from on-premises to various AWS storage services. The AWS Transfer service enables data transfer to and from various AWS storage services.’)
Indicators of Compromise
- [AWS API Events] – CreateUser (transfer.amazonaws.com), ListBuckets, and GetSecretValue (Secrets Manager) events observed in CloudTrail during activity phases – example: CreateUser event associated with transfer.amazonaws.com as the event source.
- [AWS Service Endpoints] – transfer.amazonaws.com – used as the event source for AWS Transfer server creation and related activity.
- [AWS Secrets Manager] – GetSecretValue – API call used to retrieve stored secrets and credentials.
- [AWS S3] – ListBuckets and GetBucket* operations – enumeration of buckets and bucket contents to locate sensitive data.
- [Azure] – storage account access keys and resource groups – keys enabling access to Azure storage and grouping of resources for targeting.
- [SaaS Platform] – Microsoft SharePoint – targeted data stores and metadata within SharePoint to understand network configuration and tools in use.
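As an added illustration that is not part of the Unit 42 report, the following detector scans CloudTrail records for the API events listed above and groups hits per principal, so one identity chaining bucket enumeration, secret retrieval and AWS Transfer setup stands out as a single sequence. The sample log lines, ARNs and account ID are constructed; CreateServer is AWS Transfer Family's server-creation API and is assumed here rather than quoted on the page.

```python
import json

# Constructed CloudTrail records (not from the report) mirroring the
# indicators above. Field names follow the CloudTrail record schema.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"transfer.amazonaws.com","eventName":"CreateUser","userIdentity":{"arn":"arn:aws:iam::111122223333:user/helpdesk-admin"}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::111122223333:user/helpdesk-admin"}}
{"eventTime":"2024-05-01T10:03:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"arn":"arn:aws:iam::111122223333:user/helpdesk-admin"}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"transfer.amazonaws.com","eventName":"CreateServer","userIdentity":{"arn":"arn:aws:iam::111122223333:user/helpdesk-admin"}}
{"eventTime":"2024-05-01T11:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ci-runner"}}
"""

# (eventSource, eventName) pairs taken from the indicator list; GetBucket*
# is matched by prefix in classify_event. CreateServer is an assumption.
WATCHLIST = {
    ("transfer.amazonaws.com", "CreateUser"): "transfer_user_created",
    ("transfer.amazonaws.com", "CreateServer"): "transfer_server_created",
    ("s3.amazonaws.com", "ListBuckets"): "s3_bucket_enumeration",
    ("secretsmanager.amazonaws.com", "GetSecretValue"): "secret_retrieval",
}


def classify_event(rec):
    """Return a detection label for one CloudTrail record, or None."""
    source, name = rec.get("eventSource"), rec.get("eventName", "")
    if (source, name) in WATCHLIST:
        return WATCHLIST[(source, name)]
    if source == "s3.amazonaws.com" and name.startswith("GetBucket"):
        return "s3_bucket_config_read"
    return None


def scan(log_text):
    """Map each principal ARN to its (eventTime, label) hits, in log order."""
    hits = {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        label = classify_event(rec)
        if label:
            arn = rec["userIdentity"]["arn"]
            hits.setdefault(arn, []).append((rec["eventTime"], label))
    return hits


def chained_principals(hits, min_stages=3):
    """Principals that triggered at least min_stages distinct labels."""
    return [arn for arn, events in hits.items()
            if len({label for _, label in events}) >= min_stages]
```

A single watchlist hit is routine administration; the per-principal chaining is what separates an AWS Transfer setup following discovery and secret access from normal use.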
Read more: https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/