Wednesday, December 11, 2024
HomeCyber AttackMuddled Libra Hackers Using Pentesting Tools To Gain Admin Access

Muddled Libra Hackers Using Pentesting Tools To Gain Admin Access

Published on

SIEM as a Service

Threat actors use pentesting tools to identify vulnerabilities and weaknesses in target systems or networks.

These tools provide a simulated environment for testing potential attack vectors that allow threat actors to exploit security gaps and gain unauthorized access. 

By using pentesting tools, threat actors can assess the effectiveness of their methods and refine their strategies to maximize the impact of their attacks.

- Advertisement - SIEM as a Service

Cybersecurity researchers at Unit 42 of Palo Alto Networks discovered that Muddled Libra hackers are actively using the pentesting tools to gain admin access.

Muddled Libra Hackers

The Muddled Libra hacking group emerged in late 2022 with the 0ktapus phishing kit, offering prebuilt hosting, easy C2 connectivity, and bundled attack templates.

Document
Integrate ANY.RUN in your company for Effective Malware Analysis

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

  • Interact with malware safely
  • Set up virtual machine in Linux and all Windows OS versions
  • Work in a team
  • Get detailed reports with maximum data
  • If you want to test all these features now with completely free access to the sandbox:


This kit enabled low-skilled attackers to emulate mobile authentication pages cheaply, gathering credentials and MFA codes for over 100 organizations. 

While previously documented as 0ktapus, Scattered Spider, and Scatter Swine, Muddled Libra clarified they are a distinct group using a common toolkit, social forum-based collaboration, and Agile-like team structure. 

Unit 42 attributed several complex supply chain attacks targeting cryptocurrency to Muddled Libra, who are adapting tactics and broadening their scope.

Evolved tactics of Muddled Libra (Source – Palo Alto Networks)

Unit 42 links incidents to Muddled Libra due to common tactics.

Muddled Libra shows a deep knowledge of targets, often from prior breaches and data brokers like Genesis and Russian Markets. 

Malware like Raccoon Stealer and RedLine Stealer harvests info from personal devices by exploiting BYOD policies and hybrid work setups, creating a prime target for data theft.

Muddled Libra attack chain (Source – Palo Alto Networks)

Muddled Libra uses lookalike domains in smishing attacks by exploiting the SMS link truncation.

They favor short-lived domains via Porkbun and Namecheap, and they are now adding Metaregistrar. 

The 0ktapus kit, which was adopted widely, requires little skill, targeting via smishing or direct social engineering. Helpdesk agents are key targets for password and MFA resets. 

Focus on maintaining access involves abusing RMM tools like Zoho Assist, AnyDesk, and TeamViewer.

Cloud platforms aid in establishing a foothold, but recent shifts indicate a move to an ‘encrypt and extort’ model, targeting larger organizations in the same industry.

Muddled Libra sticks to consistent discovery methods, using legit tools like SharpHound, ADRecon, and Angry IP Scanner. 

They aim for data and credential theft, sometimes adding BlackCat ransomware. They execute with PsExec or Impacket, leveraging the victim’s tools and RDP connections for stealth.

Defense Evasion Tactics

Here below, we have mentioned all the defense evasion tactics:-

  • Disabling antivirus and host-based firewalls
  • Attempting to delete firewall profiles
  • Creating defender exclusions
  • Deactivating or uninstalling EDR and other monitoring products
  • Standing up unmanaged cloud virtual machines
  • Elevating access in virtual desktop environments

Mitigations

Here below, we have mentioned all the mitigations:-

  • Implement MFA and SSO.
  • Enable security alerting and account lockout for repeated MFA failures.
  • Conduct user awareness training.
  • Maintain updated credential hygiene.
  • Monitor and restrict access to critical defenses using ITDR tools.
  • Restrict anonymization services at the firewall.
  • Utilize Next-Generation Firewall.
  • Implement XDR solutions.
  • Employ XSOAR or XSIAM for security automation.

IoCs

  • 104.247.82[.]11
  • 105.101.56[.]49
  • 105.158.12[.]236
  • 134.209.48[.]68
  • 137.220.61[.]53
  • 138.68.27[.]0
  • 146.190.44[.]66
  • 149.28.125[.]96
  • 157.245.4[.]113
  • 159.223.208[.]47
  • 159.223.238[.]0
  • 162.19.135[.]215
  • 164.92.234[.]104
  • 165.22.201[.]77
  • 167.99.221[.]10
  • 172.96.11[.]245
  • 185.56.80[.]28
  • 188.166.92[.]55
  • 193.149.129[.]177
  • 207.148.0[.]54
  • 213.226.123[.]104
  • 35.175.153[.]217
  • 45.156.85[.]140
  • 45.32.221[.]250
  • 64.227.30[.]114
  • 79.137.196[.]160
  • 92.99.114[.]231

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center...

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...

Microsoft Patch Tuesday December 2024, 71 Vulnerabilities Fixed Including 1 Zero-day

In its final Patch Tuesday of 2024, Microsoft has released a significant security update...

Hackers Target Android Users via WhatsApp to Steal Sensitive Data

Researchers analyzed a malicious Android sample created using Spynote RAT, targeting high-value assets in...