

    Confused Libra Shifts Attention to SaaS and Cloud for Extortion and Data Theft Incursions

    The threat actor tracked as Confused Libra has expanded its targeting to software-as-a-service (SaaS) platforms and cloud service provider (CSP) environments, with the goal of stealing sensitive data.

    “Organizations often store a myriad of data within SaaS platforms and rely on services provided by CSPs,” Palo Alto Networks Unit 42 detailed in a recent report.

    “The perpetrators have now begun utilizing certain data to facilitate their attack progression and for extortion purposes in their efforts to monetize their operations.”

    Also tracked as Starfraud, UNC3944, Scatter Swine, and Scattered Spider, Confused Libra is a financially motivated cybercrime group known for the sophisticated social engineering it uses to get into target networks.

    “The Scattered Spider operatives have consistently evaded detection within target networks by employing living-off-the-land techniques and leveraging whitelisted applications to traverse victim networks, while also frequently altering their tactics, techniques, and procedures (TTPs),” the U.S. government said in an advisory published late last year.

    The group has a track record of monetizing access to compromised networks in more than one way, including ransomware-enabled extortion and extortion over stolen data.

    Unit 42 previously told The Hacker News that the name “Confused Libra” reflects the confusing picture around the 0ktapus phishing kit, which other threat actors also use for credential-harvesting attacks.

    A key part of the group’s evolution is its reconnaissance: it identifies administrative users to target, then phones them while posing as helpdesk staff to obtain their passwords.

    That reconnaissance also covers which applications and cloud service providers the target organization uses.

    “The incidents of Okta cross-tenant impersonation attacks occurring from late July to early August 2023, where Confused Libra bypassed IAM restrictions, highlight the group’s exploitation of Okta to access SaaS platforms and various CSP environments within organizations,” said security researcher Margaret Zimmermann.

    The information gathered at this stage is the basis for lateral movement: with an administrator’s credentials the group logs into the organization’s single sign-on (SSO) portal and from there reaches its SaaS platforms and cloud infrastructure directly.

    Where the target’s CSP environment is not behind SSO, Confused Libra instead searches the environment for CSP credentials, which are often stored in insecure locations, and uses those to reach its objectives.
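    The credentials the group hunts for at this stage are the same ones a defender can find first. What follows is an added example, not code from Unit 42 or from the original article: a small scanner for long-lived AWS access keys and Azure storage account keys sitting in files, run over a few constructed sample files (an AWS CLI credentials file, an application config holding an Azure connection string, and a clean README). The key formats are the publicly documented ones; every path, account name and key value below is a fake constructed for illustration.

```python
"""Added example (not Unit 42's code): scan files for long-lived cloud
credentials of the kind the group looks for once inside an environment.
All paths and key values are constructed fakes."""
import os
import re
import tempfile

# Public credential formats: AWS key IDs are AKIA (long-lived) or ASIA
# (temporary) plus 16 chars; AWS secrets are 40 base64-ish chars; Azure
# storage account keys are 88 base64 chars ending in "==".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
    "azure_storage_account_key": re.compile(
        r"(?i)(?:AccountKey=|storage[_-]?key\s*[=:]\s*[\"']?)([A-Za-z0-9+/]{86}==)"),
}


def redact(secret):
    """Keep enough of the value to locate it, never the whole secret."""
    return secret[:4] + "..." + secret[-2:]


def find_cloud_credentials(text, source="<string>"):
    """Return one finding per credential-looking token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex or 0)   # group 1 if present, else whole match
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "value": redact(value)})
    return findings


def scan_files(paths, max_bytes=1_000_000):
    """Scan each path (binary-safe, size-capped) and aggregate the findings."""
    findings = []
    for path in paths:
        if os.path.getsize(path) > max_bytes:
            continue
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="replace")
        findings.extend(find_cloud_credentials(text, source=path))
    return findings


def scan_directory(root):
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_files(sorted(paths))


# Constructed sample files. The AWS values are the well-known documentation
# examples; the Azure key is base64-shaped filler, not a real key.
FAKE_AZURE_KEY = "Zm9v" * 21 + "Zm=="        # 88 chars, right shape only
SAMPLE_FILES = {
    ".aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n"),
    "app/settings.py": (
        'STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=acme;'
        f'AccountKey={FAKE_AZURE_KEY};EndpointSuffix=core.windows.net"\n'),
    "README.md": "Rotate keys regularly. Never commit credentials.\n",
}


def demo():
    """Write the samples to a temp dir, scan it, return findings with relative paths."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)
        found = scan_directory(root)
        for f in found:
            f["source"] = os.path.relpath(f["source"], root)
        return found


if __name__ == "__main__":
    for f in demo():
        print(f"{f['source']}:{f['line']} {f['kind']} {f['value']}")
```

    Run against a home directory, a CI workspace or a shared drive, this turns up the static keys that should have been replaced by SSO-backed, short-lived credentials; anything it finds is a candidate for rotation, and the hit list doubles as a map of where the group would have looked.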

    Data held in SaaS platforms is also mined for information about the compromised environment, the aim being to harvest as many credentials as possible and then use them for privilege escalation and lateral movement.

    “A significant portion of Confused Libra’s operations involve intelligence gathering and data acquisition,” noted Zimmermann.

    “The attackers subsequently utilize this information to create new pathways for lateral movement within an environment. Organizations store diverse data within their individual CSP environments, rendering these centralized repositories prime targets for Confused Libra.”

    Observed activity has focused on Amazon Web Services (AWS) and Microsoft Azure, in particular AWS IAM, Amazon Simple Storage Service (S3), AWS Secrets Manager, Azure storage account access keys, Azure Blob Storage, and Azure Files, from which the group pulls the data it wants.

    Data is exfiltrated to an external destination by abusing legitimate CSP services rather than attacker-supplied tooling: on AWS, services such as AWS DataSync and AWS Transfer; on Azure, virtual machine snapshots, with stolen data staged on a VM and then moved out of the environment.
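    The AWS services named above all leave CloudTrail records, which is where a SOC can catch this activity. The following is an added example, not from Unit 42 or the original article, of three detections run over constructed CloudTrail-style records: bulk Secrets Manager reads following enumeration, a snapshot shared with an account outside an allowlist, and DataSync or Transfer Family resources created to point outside the estate. The account IDs, ARNs, hostnames, thresholds and the exact shape of the requestParameters fields are assumptions for illustration.

```python
"""Added example (not Unit 42's code): detections over constructed CloudTrail
records for Secrets Manager harvesting, snapshot sharing and DataSync /
Transfer Family abuse. Account IDs, ARNs, hostnames, thresholds and the
requestParameters shapes are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_ACCOUNTS = {"123456789012"}           # assumption: the victim's own account
TRUSTED_HOSTS = ("storage.corp.example",)      # assumption: in-house object storage
TRUSTED_BUCKET_PREFIX = "arn:aws:s3:::corp-"   # assumption: bucket naming convention


def _ev(t, src, name, arn, **rp):
    """Minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": rp}


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


ADMIN = "arn:aws:sts::123456789012:assumed-role/AdminSSO/helpdesk.victim"
OPS = "arn:aws:iam::123456789012:user/backup-bot"
SAMPLE_EVENTS = [
    _ev("2023-08-01T10:00:00Z", "secretsmanager.amazonaws.com", "ListSecrets", ADMIN),
    *[_ev(f"2023-08-01T10:0{i}:00Z", "secretsmanager.amazonaws.com", "GetSecretValue",
          ADMIN, secretId=f"prod/db-{i}") for i in range(1, 6)],
    _ev("2023-08-01T10:30:00Z", "secretsmanager.amazonaws.com", "GetSecretValue",
        OPS, secretId="prod/backup-key"),                          # benign single read
    _ev("2023-08-01T11:00:00Z", "ec2.amazonaws.com", "ModifySnapshotAttribute", ADMIN,
        snapshotId="snap-0123456789abcdef0", attributeType="CREATE_VOLUME_PERMISSION",
        createVolumePermission={"add": {"items": [{"userId": "999988887777"}]}}),
    _ev("2023-08-01T11:05:00Z", "datasync.amazonaws.com", "CreateLocationObjectStorage",
        ADMIN, serverHostname="drop.attacker.example", bucketName="loot"),
    _ev("2023-08-01T11:06:00Z", "datasync.amazonaws.com", "CreateLocationS3", OPS,
        s3BucketArn="arn:aws:s3:::corp-backups"),                  # benign, trusted prefix
    _ev("2023-08-01T11:10:00Z", "transfer.amazonaws.com", "CreateServer", ADMIN,
        protocols=["SFTP"]),
]


def detect_secret_harvesting(events, threshold=5, window=timedelta(minutes=10)):
    """A principal that lists secrets and then reads >= threshold distinct
    secrets inside one window is harvesting, not running an application."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev["eventSource"] == "secretsmanager.amazonaws.com":
            by_principal[ev["userIdentity"]["arn"]].append(ev)
    hits = []
    for arn, evs in by_principal.items():
        evs.sort(key=_ts)
        if not any(e["eventName"] == "ListSecrets" for e in evs):
            continue
        reads = [e for e in evs if e["eventName"] in ("GetSecretValue", "BatchGetSecretValue")]
        for i, start in enumerate(reads):          # sliding window over the reads
            ids = set()
            for e in reads[i:]:
                if _ts(e) - _ts(start) > window:
                    break
                rp = e["requestParameters"]
                ids.update(rp.get("secretIdList") or [rp.get("secretId")])
            if len(ids) >= threshold:
                hits.append({"rule": "secrets-harvest", "principal": arn,
                             "distinct_secrets": len(ids)})
                break
    return hits


def detect_snapshot_sharing(events, trusted=TRUSTED_ACCOUNTS):
    """EBS or RDS snapshot shared with an account outside the allowlist ("all" = public)."""
    hits = []
    for ev in events:
        rp = ev["requestParameters"]
        if ev["eventName"] == "ModifySnapshotAttribute":          # EBS
            items = rp.get("createVolumePermission", {}).get("add", {}).get("items", [])
            added = [i.get("userId") or i.get("group") for i in items]
        elif ev["eventName"] == "ModifyDBSnapshotAttribute":      # RDS
            added = rp.get("valuesToAdd", [])
        else:
            continue
        foreign = [a for a in added if a not in trusted]
        if foreign:
            hits.append({"rule": "snapshot-share", "principal": ev["userIdentity"]["arn"],
                         "shared_with": foreign})
    return hits


def detect_transfer_staging(events, trusted_hosts=TRUSTED_HOSTS):
    """DataSync locations outside the estate, and any Transfer Family server or
    connector creation; both are the exfiltration channels named in the text."""
    hits = []
    for ev in events:
        src, name, rp = ev["eventSource"], ev["eventName"], ev["requestParameters"]
        arn = ev["userIdentity"]["arn"]
        if src == "datasync.amazonaws.com" and name == "CreateLocationObjectStorage":
            host = rp.get("serverHostname", "")
            if not host.endswith(trusted_hosts):
                hits.append({"rule": "datasync-external", "principal": arn, "target": host})
        elif src == "datasync.amazonaws.com" and name == "CreateLocationS3":
            bucket = rp.get("s3BucketArn", "")
            if not bucket.startswith(TRUSTED_BUCKET_PREFIX):
                hits.append({"rule": "datasync-external", "principal": arn, "target": bucket})
        elif src == "transfer.amazonaws.com" and name in ("CreateServer", "CreateConnector"):
            hits.append({"rule": "transfer-created", "principal": arn, "target": name})
    return hits


def run_all(events):
    return (detect_secret_harvesting(events) + detect_snapshot_sharing(events)
            + detect_transfer_staging(events))


if __name__ == "__main__":
    for h in run_all(SAMPLE_EVENTS):
        print(h)
```

    Backup jobs and migration tooling call the same APIs, so the allowlists and the read threshold are where these rules get tuned; the value of the secrets rule in particular is that a human at an SSO-obtained console session reads many unrelated secrets in minutes, which a service principal scoped to its own secret never does.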

    Confused Libra’s pivot means organizations should protect their identity portals with phishing-resistant secondary authentication such as hardware tokens or biometrics. Because the group obtains passwords by phoning users, the second factor has to be one the user cannot simply read out or approve on request.

    “With the expansion of their tactics to encompass SaaS platforms and cloud environments, Confused Libra’s evolutionary trajectory underscores the multi-faceted nature of cyber assaults in the contemporary threat landscape,” concluded Zimmermann. “The utilization of cloud environments to amass large volumes of data and swiftly exfiltrate it presents new challenges to defenders.”
