Muddled Libra is a high-risk threat group targeting BPO: Palo Alto Networks

Muddled Libra is a high-risk threat group targeting BPO, software automation, and telecom companies, according to a blog from Unit 42, the threat intelligence and incident response team of cybersecurity firm Palo Alto Networks.
BPO and call centerMuddled Libra sought and stole information on downstream client environments and used the same to pivot into those environments, according to incidents investigated from mid-2022 to early-2023. It demonstrated a strong understanding of its victims’ high-value clients and information most useful for follow-on attacks.

The attack style defining Muddled Libra was spotted in late-2022 with the release of the 0ktapus phishing kit. Through realistic fake authentication portals and targeted smishing, attackers quickly gathered credentials and multi-factor authentication (MFA) codes.

All threat actors that use 0ktapus are not Muddled Libra. Unit 42 has classified Muddled Libra with the following characteristics:

Using the 0ktapus phishing kit

Persistent targeting of the BPO industry

Long-term persistence

Nondestructive presence

Data theft

Use of compromised infrastructure in downstream attacks

Muddled Libra demonstrates an unusually high degree of comfort engaging both the help desk and other employees by sending lure messages directly to their cellphones. These messages ask employees to update account information or re-authenticate a corporate application. Given the reliance on social engineering via phone and SMS, it is imperative to train employees to identify and flag such suspicious activities.

Muddled Libra uses evasion tactics like disabling antivirus and host-based firewalls, deleting firewall profiles, creating defender exclusions, and deactivating or uninstalling EDR and other monitoring products. When unable to easily bypass robust multi factor authentication (MFA), Muddled Libra swiftly moved to other targets. Cybersecurity practitioners must consider how best to implement security alerting and account lockout on repeated MFA failures.