Apr 15, 2024NewsroomCloud Security /SaaS Security

The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data.

“Organizations often store a variety of data in SaaS applications and use services from CSPs,” Palo Alto Networks Unit 42 said in a report published last week.

“The threat actors have begun attempting to leverage some of this data to assist with their attack progression, and to use for extortion when trying to monetize their work.”

Muddled Libra, also called Starfraud, UNC3944, Scatter Swine, and Scattered Spider, is a notorious cybercriminal group that has leveraged sophisticated social engineering techniques to gain initial access to target networks.

“Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs,” the U.S. government said in an advisory late last year.

The attackers also have a history of monetizing access to victim networks in numerous ways, including extortion enabled by ransomware and data theft.

Unit 42 previously told The Hacker News that the moniker “Muddled Libra” comes from the “confusing muddled landscape” associated with the 0ktapus phishing kit, which has been put to use by other threat actors to stage credential harvesting attacks.

A key aspect of the threat actor’s tactical evolution is the use of reconnaissance techniques to identify administrative users to target when posing as helpdesk staff using phone calls to obtain their passwords.

The recon phase also extends to Muddled Libra, which performs extensive research to find information about the applications and the cloud service providers used by the target organizations.

“The Okta cross-tenant impersonation attacks that occurred from late July to early August 2023, where Muddled Libra bypassed IAM restrictions, display how the group exploits Okta to access SaaS applications and an organization’s various CSP environments,” security researcher Margaret Zimmermann explained.

The information obtained at this stage serves as a stepping stone for conducting lateral movement, abusing the admin credentials to access single sign-on (SSO) portals to gain quick access to SaaS applications and cloud infrastructure.

In the event SSO is not integrated into a target’s CSP, Muddled Libra undertakes broad discovery activities to uncover the CSP credentials, likely stored in unsecured locations, to meet their objectives.

The data stored with SaaS applications are also used to glean specifics about the infected environment, capturing as many credentials as possible to widen the scope of the breach via privilege escalation and lateral movement.

“A large portion of Muddled Libra’s campaigns involve gathering intelligence and data,” Zimmermann said.

“Attackers then use this to generate new vectors for lateral movement within an environment. Organizations store a variety of data within their unique CSP environments, thus making these centralized locations a prime target for Muddled Libra.”

These actions specifically single out Amazon Web Services (AWS) and Microsoft Azure, targeting services like AWS IAM, Amazon Simple Storage Service (S3), AWS Secrets Manager, Azure storage account access keys, Azure Blob Storage, and Azure Files to extract relevant data.

Data exfiltration to an external entity is achieved by abusing legitimate CSP services and features. This encompasses tools like AWS DataSync, AWS Transfer, and a technique called snapshot, the latter of which makes it possible to move data out of an Azure environment by staging the stolen data in a virtual machine.

Muddled Libra’s tactical shift requires organizations to secure their identity portals with robust secondary authentication protections like hardware tokens or biometrics.

“By expanding their tactics to include SaaS applications and cloud environments, the evolution of Muddled Libra’s methodology shows the multidimensionality of cyberattacks in the modern threat landscape,” Zimmermann concluded. “The use of cloud environments to gather large amounts of information and quickly exfiltrate it poses new challenges to defenders.”

Mar 24, 2024NewsroomArtificial Intelligence / Cyber Espionage

The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data.

Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe.

According to Rapid7, attack chains have leveraged weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files, with the group also employing CHM files to deploy malware on compromised hosts.

The cybersecurity firm has attributed the activity to Kimsuky with moderate confidence, citing similar tradecraft observed in the past.

“While originally designed for help documentation, CHM files have also been exploited for malicious purposes, such as distributing malware, because they can execute JavaScript when opened,” the company said.

The CHM file is propagated within an ISO, VHD, ZIP, or RAR file, opening which executes a Visual Basic Script (VBScript) to set up persistence and reach out to a remote server to fetch a next-stage payload responsible for gathering and exfiltrating sensitive data.

Rapid7 described the attacks as ongoing and evolving, targeting organizations based in South Korea. It also identified an alternate infection sequence that employs a CHM file as a starting point to drop batch files tasked with harvesting the information and a PowerShell script to connect to the C2 server and transfer the data.

“The modus operandi and reusing of code and tools are showing that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims,” it said.

The development comes as Broadcom-owned Symantec revealed that the Kimsuky actors are distributing malware impersonating an application from a legitimate Korean public entity.

“Once compromised, the dropper installs an Endoor backdoor malware,” Symantec said. “This threat enables attackers to collect sensitive information from the victim or install additional malware.”

It’s worth noting that the Golang-based Endoor, alongside Troll Stealer (aka TrollAgent), has been recently deployed in connection with cyber attacks that target users downloading security programs from a Korean construction-related association’s website.

The findings also arrive amid a probe initiated by the United Nations into 58 suspected cyber attacks carried out by North Korean nation-state actors between 2017 and 2023 that netted $3 billion in illegal revenues to help it further develop its nuclear weapons program.

“The high volume of cyber attacks by hacking groups subordinate to the Reconnaissance General Bureau reportedly continued,” the report said. “Trends include targeting defense companies and supply chains and, increasingly, sharing infrastructure and tools.”

The Reconnaissance General Bureau (RGB) is North Korea’s primary foreign intelligence service, comprising the threat clusters widely tracked as the Lazarus Group – and its subordinate elements, Andariel and BlueNoroff – and Kimsuky.

“Kimsuky has shown interest in using generative artificial intelligence, including large language models, potentially for coding or writing phishing emails,” the report further added. “Kimsuky has been observed using ChatGPT.”