Muddled Libra Grouping Targets the Business Process Outsourcing (BPO) Industry for Initial Social Engineering Access

The Muddled Libra attacks were first discovered in late 2022 with the release of the 0ktapus phishing kit, which offered a pre-built hosting structure and templates for phishing.

Muddled Libra group attacks start by using phishing kit 0ktapus to establish initial access and usually end in data theft and long-term storage in the victim’s system. 0ktapus (Scatter Swine) refers to a phishing kit that was first discovered in August 2022 in connection with attacks on more than 130 organizations including Twilio And cloudflare .

Another unique feature is the use of compromised infrastructure and stolen data in subsequent attacks on the victim’s clients, and in some cases even re-targeting the same victims to supplement their data set.

Specialists Unit 42 investigated 6 Muddled Libra incidents between June 2022 and early 2023 and found that in addition to using legitimate remote management tools to maintain continuous access, Muddled Libra manipulated endpoint security solutions to evade security and also abused tactics M.F.A. Fatigue to steal credentials.

It has also been observed that the attacker collects lists of employees, job descriptions and mobile phone numbers in order to carry out the attack. If this approach fails, Muddled Libra members contact the organization’s help desk, posing as a victim, to register a new MFA device under their control.

The attacks also use tools to steal credentials, such as Mimikatz and Raccoon Stealer, to increase access, as well as other scanners to facilitate network discovery and ultimately extract data from Confluence, Jira, Git, Elastic, Microsoft 365, and internal messaging platforms.

With a deep knowledge of corporate information technology, this group of threats poses a significant risk even for organizations with well-developed but outdated cyber defenses.