Libra hackers use pentesting tools to gain admin access easily

March 12, 2024

TLDR:

Threat actors known as Muddled Libra are using pentesting tools to gain admin access to target systems. The group, which emerged in 2022, has been linked to supply chain attacks targeting cryptocurrency. They use phishing kits like 0ktapus to gather credentials and MFA codes, and they target helpdesk agents to obtain password resets. Muddled Libra’s tactics include exploitation of BYOD policies, smishing attacks, and abuse of RMM tools like Zoho Assist and TeamViewer. They aim for data and credential theft, sometimes deploying ransomware. The report also covers the group’s defense evasion tactics and recommends mitigations to protect against their attacks.

In a recent report, cybersecurity researchers at Unit 42 of Palo Alto Networks revealed that Muddled Libra hackers have been actively using pentesting tools to identify vulnerabilities and weak points in target systems. This allows them to gain unauthorized access and exploit security gaps effectively. The group initially emerged in late 2022 with the 0ktapus phishing kit, which enabled low-skilled attackers to gather credentials and MFA codes for over 100 organizations. Since then, Muddled Libra has evolved their tactics, targeting larger organizations in the same industry with an ‘encrypt and extort’ model.

The group’s tactics include the use of lookalike domains in smishing attacks, exploitation of BYOD policies, and abuse of RMM tools like Zoho Assist and TeamViewer. They have a deep understanding of their targets, often leveraging data from prior breaches and data brokers. To defend against Muddled Libra’s attacks, implementing multi-factor authentication, security alerting, and account lockout measures is recommended. Monitoring and restricting access to critical defenses, as well as utilizing XDR solutions, can help mitigate the risk posed by this group.
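One concrete form of the alerting recommended above is to flag RMM tool executions that fall outside a sanctioned tool and a sanctioned support group. The following is an added example written for this summary, not code from Unit 42 or the article; the log line format, the executable-name patterns, the approved-user list and the sample log lines are all constructed assumptions.

```python
import re
from typing import NamedTuple

# Constructed executable-name patterns for the two RMM tools named in the
# report. These are assumptions for this example, not a vetted signature set.
RMM_PATTERNS = {
    "TeamViewer": re.compile(r"teamviewer", re.IGNORECASE),
    "Zoho Assist": re.compile(r"zoho.?assist", re.IGNORECASE),
}

# Constructed policy: the single RMM tool the organisation sanctions, and the
# IT support accounts permitted to run it.
APPROVED_TOOL = "TeamViewer"
APPROVED_USERS = {"corp\\it-support1", "corp\\it-support2"}

class Alert(NamedTuple):
    timestamp: str
    host: str
    user: str
    tool: str
    reason: str

# Assumed process-creation log format: "<ISO time> host=<h> user=<u> image=<path>"
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) image=(.+)$")

def classify_tool(image_path):
    """Return the RMM product name if the image path matches one, else None."""
    for name, pattern in RMM_PATTERNS.items():
        if pattern.search(image_path):
            return name
    return None

def detect_rmm_abuse(lines):
    """Alert on any unsanctioned RMM tool, or the sanctioned one run by a non-IT account."""
    alerts = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than failing the whole batch
        ts, host, user, image = match.groups()
        tool = classify_tool(image)
        if tool is None:
            continue
        if tool != APPROVED_TOOL:
            alerts.append(Alert(ts, host, user, tool, "unsanctioned RMM tool"))
        elif user.lower() not in APPROVED_USERS:
            alerts.append(Alert(ts, host, user, tool, "RMM run by non-IT account"))
    return alerts

# Constructed sample log: one sanctioned use, one unsanctioned tool, one benign
# process, and the sanctioned tool run from a user profile by a non-IT account.
SAMPLE_LOG = """\
2024-03-12T09:01:02Z host=WS-0142 user=CORP\\it-support1 image=C:\\Program Files\\TeamViewer\\TeamViewer.exe
2024-03-12T09:04:10Z host=WS-0231 user=CORP\\jdoe image=C:\\Users\\jdoe\\Downloads\\ZohoAssist\\ZohoAssist.exe
2024-03-12T09:05:33Z host=WS-0231 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe
2024-03-12T09:07:45Z host=WS-0077 user=CORP\\ksmith image=C:\\Users\\ksmith\\AppData\\Local\\TeamViewer\\TeamViewer.exe
"""

if __name__ == "__main__":
    for alert in detect_rmm_abuse(SAMPLE_LOG.splitlines()):
        print(alert)
```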
