The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data.
"Organizations often store a variety of data in SaaS applications and use services from CSPs," Palo Alto Networks Unit 42 said in a report published last week.
"The threat actors have begun attempting to leverage some of this data to assist with their attack progression, and to use for extortion when trying to monetize their work."
Muddled Libra, which shares overlaps with clusters tracked as Scatter Swine, Scattered Spider, Starfraud, and UNC3944, is a notorious cybercriminal group that has leveraged sophisticated social engineering techniques to gain initial access to target networks.
"Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs," the U.S. government said in an advisory late last year.
The attackers also have a history of monetizing access to victim networks in numerous ways, including extortion enabled by ransomware and data theft.
The intrusion cluster also overlaps with a broader cybercriminal gang called The Com that engages in subscriber identity module (SIM) swapping, cryptocurrency theft, real-life violence, and swatting attacks.
Unit 42 previously told The Hacker News that the moniker "Muddled Libra" comes from the "confusing muddled landscape" associated with the 0ktapus phishing kit, which has been put to use by other threat actors to stage credential harvesting attacks.
A key aspect of the threat actor's tactical evolution is the use of reconnaissance to identify administrative users, who are then targeted by attackers posing as helpdesk staff over phone calls in order to obtain their passwords.
The recon phase also extends to Muddled Libra carrying out extensive research to find information about the applications and the cloud service providers used by the target organizations.
"The Okta cross-tenant impersonation attacks that occurred from late July to early August 2023, where Muddled Libra bypassed IAM restrictions, display how the group exploits Okta to access SaaS applications and an organization's various CSP environments," security researcher Margaret Zimmermann explained.
The information obtained at this stage serves as a stepping stone for conducting lateral movement, abusing the admin credentials to access single sign-on (SSO) portals to gain quick access to SaaS applications and cloud infrastructure.
In the event SSO is not integrated into a target's CSP, Muddled Libra undertakes broad discovery activities to uncover the CSP credentials, likely stored in unsecured locations, to meet their objectives.
Data stored in SaaS applications is also mined for specifics about the compromised environment, with the attackers capturing as many credentials as possible to widen the scope of the breach via privilege escalation and lateral movement.
"A large portion of Muddled Libra's campaigns involve gathering intelligence and data," Zimmermann said.
"Attackers then use this to generate new vectors for lateral movement within an environment. Organizations store a variety of data within their unique CSP environments, thus making these centralized locations a prime target for Muddled Libra."
The discovery actions specifically single out Amazon Web Services (AWS) and Microsoft Azure, targeting services like AWS IAM, Amazon Simple Storage Service (S3), AWS Secrets Manager, Azure storage account access keys, Azure Blob Storage, and Azure Files to extract relevant data.
Data exfiltration is achieved by abusing legitimate CSP services and features. This encompasses tools like AWS DataSync and AWS Transfer, as well as a technique called snapshot, which makes it possible to move data out of an Azure environment by staging the stolen data in a virtual machine.
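The discovery and exfiltration activity described in the two paragraphs above leaves a recognizable trail in CloudTrail: broad enumeration of IAM, S3 and Secrets Manager by one principal, followed shortly by the creation of DataSync or Transfer Family resources. The following detection sketch is an added example written for this article; it is not Unit 42's logic or a published rule. It covers the AWS side only, assumes a hypothetical 30-minute window and a two-service breadth threshold, and runs over constructed CloudTrail-style records (the event names and `eventSource` values are the ones CloudTrail actually records for these services; the ARNs and timestamps are made up).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records for illustration (not real telemetry).
SAMPLE_LOG = """
{"eventTime":"2024-06-10T10:00:12Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"arn":"arn:aws:iam::123456789012:user/helpdesk-admin"}}
{"eventTime":"2024-06-10T10:03:40Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::123456789012:user/helpdesk-admin"}}
{"eventTime":"2024-06-10T10:05:01Z","eventSource":"secretsmanager.amazonaws.com","eventName":"ListSecrets","userIdentity":{"arn":"arn:aws:iam::123456789012:user/helpdesk-admin"}}
{"eventTime":"2024-06-10T10:06:15Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"arn":"arn:aws:iam::123456789012:user/helpdesk-admin"}}
{"eventTime":"2024-06-10T10:20:33Z","eventSource":"datasync.amazonaws.com","eventName":"CreateTask","userIdentity":{"arn":"arn:aws:iam::123456789012:user/helpdesk-admin"}}
{"eventTime":"2024-06-10T02:00:00Z","eventSource":"datasync.amazonaws.com","eventName":"StartTaskExecution","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/nightly-backup/session"}}
{"eventTime":"2024-06-10T11:30:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev-alice"}}
"""

# Read-side enumeration of the services named in the article.
DISCOVERY_EVENTS = {
    "iam.amazonaws.com": {"ListUsers", "ListRoles", "ListAccessKeys"},
    "s3.amazonaws.com": {"ListBuckets", "ListObjects"},
    "secretsmanager.amazonaws.com": {"ListSecrets", "GetSecretValue"},
}
# Resource creation in the data-movement services named in the article.
TRANSFER_EVENTS = {
    "datasync.amazonaws.com": {"CreateTask", "CreateLocationS3", "StartTaskExecution"},
    "transfer.amazonaws.com": {"CreateServer", "CreateUser"},
}

WINDOW = timedelta(minutes=30)  # hypothetical tuning value
MIN_SOURCES = 2                 # hypothetical breadth threshold


def load_records(text):
    """Parse newline-delimited JSON records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def principal_of(rec):
    return rec.get("userIdentity", {}).get("arn", "unknown")


def window_summary(events, start_index, window):
    """Summarize one window that starts at events[start_index].

    Returns (discovery sources seen, transfer events that happened *after*
    at least one discovery event in the same window, window start time).
    """
    start = parse_time(events[start_index]["eventTime"])
    sources, transfers = set(), []
    for ev in events[start_index:]:
        if parse_time(ev["eventTime"]) - start > window:
            break
        src, name = ev["eventSource"], ev["eventName"]
        if name in DISCOVERY_EVENTS.get(src, ()):
            sources.add(src)
        elif name in TRANSFER_EVENTS.get(src, ()) and sources:
            transfers.append(name)
    return sources, transfers, start


def analyze(records, window=WINDOW, min_sources=MIN_SOURCES):
    """Return one finding per principal whose best window shows either
    discovery across >= min_sources services or discovery followed by
    a data-transfer action. A lone backup job creating DataSync tasks
    without preceding enumeration is deliberately not flagged."""
    by_principal = defaultdict(list)
    for rec in records:
        by_principal[principal_of(rec)].append(rec)

    findings = []
    for who, evs in by_principal.items():
        evs.sort(key=lambda r: parse_time(r["eventTime"]))
        windows = [window_summary(evs, i, window) for i in range(len(evs))]
        sources, transfers, start = max(
            windows, key=lambda w: (len(w[0]), len(w[1]))
        )
        if len(sources) >= min_sources or transfers:
            findings.append({
                "principal": who,
                "window_start": start.isoformat(),
                "discovery_sources": sorted(sources),
                "transfer_events": transfers,
                "severity": "high" if transfers else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(load_records(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

In a real deployment the records would come from a CloudTrail Lake query or the SIEM rather than an inline string, and the principal key would normally be the session or access-key ID rather than the ARN so that a stolen key used from two places is not merged into one timeline. The ordering requirement (transfer after discovery) is what keeps routine DataSync and Transfer Family jobs out of the alert queue.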
Muddled Libra's tactical shift requires organizations to secure their identity portals with robust secondary authentication protections like hardware tokens or biometrics.
"By expanding their tactics to include SaaS applications and cloud environments, the evolution of Muddled Libra's methodology shows the multidimensionality of cyberattacks in the modern threat landscape," Zimmermann concluded. "The use of cloud environments to gather large amounts of information and quickly exfiltrate it poses new challenges to defenders."
The disclosure arrives weeks after Intel 471 said it detected a surge in phishing attacks conducted by the threat actor that are designed to impersonate the Okta login pages of the targeted companies with an aim to gain access to cloud resources or SSO-enabled systems.
(The story was updated after publication in June 2024 to clarify the connections between Muddled Libra and Scattered Spider.)