David Moulton
You're listening to the Cyberwire Network powered by N2K.
Christopher Russo
Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, senior director of thought leadership for Unit 42. And today I'm back with two returning guests on the podcast. Sam Rubin is the head of Unit 42. With over 20 years of experience, Sam has built and led world-class cybersecurity teams at the Crypsis Group and Stroz Friedberg. He now oversees the global consulting and threat intelligence teams at Unit 42. Christopher Russo, principal threat researcher at Unit 42, was one of the first guests, appearing all the way back on episode two, where we discussed early findings on the cybercrime group known as Muddled Libra. Since then, Christopher has continued tracking this evolving threat actor and published deep technical insights that help defenders counter sophisticated attacks. Today we're going to talk about Muddled Libra's resurgence in 2025, their use of destructive extortion, evolution into cloud-first attacks, and the steps organizations can take to stay ahead of this fast-moving adversary. Chris, it's great to have you back on the show. You were one of our first guests back on episode two and you helped introduce many listeners to Muddled Libra for the first time. How has your perspective on this group evolved since then?
David Moulton
So this is an incredibly interesting group, because what we've seen is a shift from being one primary focus, less than two dozen attackers really going after this supply chain, crypto-oriented attack. We've seen it split into different teams, and these teams are structured kind of like what you would expect to see in the video games that these personas really like to play, where they bring in folks that have expertise or a specialty and know a particular target and a particular attack style. And each of these teams, of which we track at least seven, has unique objectives, unique actors. Some of them are deploying ransomware, some of these teams are still going after cryptocurrency. Some of these teams are even targeting individual users. But it is very interesting to see how this tradecraft evolves from the fingerprints of the individual actors.
Christopher Russo
Chris, from a technical perspective, how has Muddled Libra's kill chain evolved in 2025 and what does that mean for the defender's response window?
David Moulton
Well, what has evolved over time for this kill chain is that the objective has changed. It's not about petty account theft anymore; it's really about mass data gathering and looking for these crypto whales that they're going to attack, and then a split from these teams to go after organizations with a traditional extortion model. Now, the problem here is that basically any organization that has money or data is at risk from these attackers. Now, these teams that are doing the attacks are learning the industries that they're attacking. They're forming these clusters of attacks because they're going after similar organizations industry by industry. This is not true targeting of picking an organization to attack. This is familiarity driving these attacks. Now, the way that they're getting in, that's probably the most consistent aspect that we've seen across these attacks. And that's because this group targets the hardest-to-patch operating system: humans. So they're leaning on humans to give them the access they need to get in the environment, so they don't have to use a lot of technology and infrastructure. A pure social engineering model, where they're calling the help desk and working their way in that way, or calling a user and convincing them to grant access to their asset. Very difficult to track, very difficult to stop. Now we're starting to see cloud be that initial access vector, because they know it's a weak link for an organization. Now, when they're in the organization, that hasn't changed quite as much. We still see standard red team tactics: establishing persistence, discovering what's in the environment, getting higher-privilege access, and moving around the environment laterally. It is clear that a lot of the members of these attack groups have red teaming experience and they understand how information technology environments are structured. What they're after here is one of two different things.
So it's either the data that they're after, and this could be stealing intellectual property that is specific to your organization, that is of interest to these attackers, or more often, it's just about stealing data that's sensitive so they can extort you to delete it. Now, the other approach here is this destruction and encryption. And this is really just another ransomware group. And so when they're doing this, they're looking to cause as much operational disruption to your organization as they possibly can to push you to make a quick and large ransomware payment.
Christopher Russo
Chris, are we seeing a shift towards a more modular or cooperative attack model?
David Moulton
Yeah, absolutely. So what we see is these attackers have understood that small teams, very liquid and fluid teams, are much more effective for operations than trying to coordinate a whole bunch of people. So when a team leader identifies the organization and the type of attack they want to go after, they can pull in from this larger group of attackers just the ones necessary to pull off this attack. Now, this might be folks that understand the software that's used in the environment, or understand the business processes of the environment, or understand how to execute on what it is they're looking to achieve in their objectives. So if that's deploy ransomware, if that's destroy critical business systems, or if that's steal the most sensitive data, you really have the folks that are most specialized to do that on these attack teams.
Christopher Russo
Sam, let's pivot over to the big picture. Talk to me about what Muddled Libra indicates about the broader threat landscape, and maybe put Muddled Libra into the context of some of the other incident response cases that the team has run. How do you see them as set apart from other groups?
Sam Rubin
Yeah, Chris, I think you did a great job detailing what this group's doing, what we're seeing, how they're evolving. But just taking a step back and looking at the big picture here, Unit 42 does hundreds of IR investigations a year. We're called into the big ones, when organizations really find themselves needing help and they pull the fire alarm. And across the hundreds of IRs that we do, these attacks from Muddled Libra stand out. When we get an inbound and we think it may be Muddled Libra, or the victim CL, we know to get ready, right? We know we're in for a fight. We know that containment's going to be hard, that they're going to be coming back in, that the impact is potentially going to be massive. So they really stand out across all the other attack types that Unit 42 responds to, even the nation-state APT. I mean, this group is particularly effective and impactful, and it's really the sophistication they bring. Chris mentioned how they have different teams, strike teams that have different skill sets. So yeah, we see them bringing in DevOps skills to attack the cloud. We see them bringing in different IT skills to get into different systems. We see them even bringing in SecOps skills and using some of the tools that our clients have, the security tools they have on their enterprise. So we've seen them in a SIEM, we've seen them using an EDR to move laterally. So they're bringing in that sophistication. They're incredibly aggressive. Right. So most attackers, once containment starts, they move on. With Muddled Libra, we see them coming back in, using persistence mechanisms and backdoors. And then the impact, you know, just in the past couple of months we've seen airlines shut down. We've seen grocery stores with no food. I saw yesterday, Natural Foods shared that they think the impact and the loss from their attack was over 4 million. So just massive impact.
The other point here, in terms of what makes them stand out in the context of the bigger picture, is that we think and we worry that the effectiveness of these tactics, the social engineering and this modular method of attacking, because of its success, is going to lead to copycat attacks. Right? When threat actors see a tactic or an approach working, you know, you tend to start to see more of it. So that's something that we're keeping a close eye on in Unit 42: are we going to see an expansion of this sophisticated social engineering approach, as well as some of these other tactics, techniques and procedures?
Christopher Russo
Sam, we've seen Muddled Libra weaponize help desk impersonation and social engineering to create this massive business disruption. Is there something that differentiates organizations that contain these attacks quickly from those that suffer these extended disruptions?
Sam Rubin
In the past month, two months, we had two different Muddled Libra attacks that we were helping organizations out with and responding to around the same time. And, you know, they were ultimately very different. In one instance, the victim company was really knocked down, operationally impacted, took weeks to recover, a lot of persistence and ongoing attacks from Muddled Libra. And the other one, though there was an initial intrusion, they contained it relatively quickly. And so our team looked at it and we said, well, what's different? Like, why in one instance did this lead to something that was so disruptive and so hard to deal with, and on the other side relatively easy to contain? And one of the big differences, and I think this is an important lesson to take away for security teams, is that the company that ended up doing better had really strong conditional access policies on their network. So while the threat actor was able to get in via social engineering, and they were able to authenticate into the account, as they tried to do other things, they were actually blocked because of those conditional access policies. They were blocked from accessing Citrix, from accessing the cloud and other things. In fact, during the incident, the help desk employee, who was totally duped, was trying to help the Scattered Spider threat actor remote into different devices. And he remoted into the attacker's laptop, but he couldn't even drive the further authentication; even though he was trying, he was blocked by these conditional access policies. So that's a huge takeaway and a lesson. It's part of zero trust. It's part of least privilege access. There's a lot of different ways to implement it, whether it's identity and access management or on the network layer using a next-gen firewall, where you have Palo Alto Networks, where you have things like App-ID and User-ID. These are great controls and countermeasures to stop this type of attack.
Christopher Russo
Sam, when threat actors pivot to destructive extortion, the response is no longer just technical; it becomes strategic. What are some missteps you've seen in leadership's response planning?
Sam Rubin
Yeah, so when an attack moves to disruption, David, it's changing the game. We're not just talking about some encryption and paying even a multimillion-dollar ransom. We're talking about fundamentally being unable to operate: an airline can't fly, a grocery store doesn't have food on the shelves, a hotel can't book customers. And so this is upping the game. And it is what we're seeing. So it takes it out of the IT and security arena and puts it squarely in the C-suite. It puts it in front of the board. You asked about some of the missteps, and in doing a lot of these responses over the past couple of years, there are some commonalities that we see. And one of the big ones is a lack of planning at the executive level. So a lot of organizations are pretty good these days, you know, at doing tabletop exercises within the SOC. Their security leader, their forensics and SOC team are drilled pretty well. But we see that fall down pretty quickly when you get into the C-suite. And they're not sure, you know, what their crisis comms plan should be. They're not sure which vendors are impacted or who to reach out to. And so that is something that we see, something organizations need to do a lot more regularly and proactively to get ahead. The other one is not having a business process redundancy plan in place when it comes to critical business applications. So what do you do, for example, if you're in hospitality and your booking systems go down? What is your failover plan? Especially as companies use SaaS applications, it becomes a sort of single point of failure. You know, we helped one company that was that SaaS application, and there was massive impact for their customers when they went down, and those customers didn't have a secondary fallback ERP capability to serve their customers. So what do you do about it? You elevate that cyber crisis to the board level. When you test, you validate your redundancy plan with respect to business process.
You pre-plan those crisis communications. You talk to your third-party vendors, your key vendors, about what would happen in the event of an incident and what they need to come back in post-incident as you're doing that cleanup and recovery. All those things need to be done proactively, hopefully before you're facing the real fire.
Christopher Russo
Many CISOs struggle to translate technical risk to business impact. How should teams articulate the risk Muddled Libra poses to stakeholders outside of security?
Sam Rubin
Yeah, I think what's really helpful here is framing the technical capabilities that Muddled Libra has in terms of the direct, quantifiable business impact that they can have, and using really clear, direct, non-technical, relatable language. Right. Like it fundamentally comes down to the stories. We all gravitate to the stories of what is happening and what has happened to maybe peer companies in our industry. And those tend to have sort of the biggest impact in terms of getting the attention from the C-suite and stakeholders for the need to take action. So the stories of what happened are what gives the threat the credibility. But then you need to take that and you need to do threat modeling for what it could mean for your organization, to make it real and quantifiable in terms of impact. So you know, we see, for example, in the retail industry that the food supply chain went down because of what happened, you know, with Marks and Spencer and a couple of other industries or businesses. What would that look like at our company? We know what we're doing from a daily standpoint in terms of revenue. We know that if certain things went down, what that might impact. Do the math, quantify it out. How many millions of dollars of lost revenue per day would there be in terms of operational downtime? What are the systems impacted, what are the redundancies or remediation steps that you could take to mitigate that? So again, using those real-world examples of what's happened and bringing that into your organization is how I think you can translate that technical risk to business impact.
Christopher Russo
Chris, let me bring it back to you. You've highlighted the abuse of cloud platforms like SharePoint and Snowflake. Why is cloud visibility still lagging in many environments and how can teams close that gap?
David Moulton
You know, the challenge is the cloud is not soft and fuzzy. The cloud is hard and scary. And there's really opportunities for all of us in the security industry to tackle this problem. So from a vendor perspective, we need to find out how to make the cloud easier to secure, how to make it more standardized, and from a security team perspective, unfortunately, we just have to learn how it works now, which is complex. What we've seen happen is the cloud has almost fallen back on DevOps and developers to do their own security because of how complex it is. And we need to pull that back into the security group and make sure that we have the same level of security on it as we do on the rest of our on-prem assets. And that's because the bad guys have figured this out, and they know that it's a soft target. And as we continue to put more and more key business functionality into it and data into it, that's only going to attract more attention. Right. What do we actually do here? We need to make sure that we have real visibility into these cloud logs, that we're pulling them into a single place, a single platform, a single pane of glass. And we need to make sure that we're stitching the events together that happen in the cloud with the rest of the events and the rest of the things going on in our organization, so that our security teams are looking at one single story, no matter where the chapters are playing out.
Christopher Russo
Chris, what telemetry sources are most effective in identifying abnormal behavior?
David Moulton
Well, the problem that we have is the inability today to stitch together the logs that we're seeing in the cloud with what's happening on-prem. And this is really where tools like Cortex Cloud and XSIAM come in, to be able to take all of that disparate data, all of those different data sources that don't necessarily match, and make them into one consistent, coherent story for our SOC to watch and analyze.
Christopher Russo
Chris, can you unpack how attackers are evading traditional detection through tools like ngrok, TryCloudflare and legitimate RMM platforms?
David Moulton
Yeah, and I think what we've seen here is that the EDR game over the last couple of years has really solved the malware problem. So malicious applications are getting caught and stopped, and they're not effective for attackers to use anymore. So it's necessitated this shift to living off the land and exploiting the trust of applications that are allowed to run in your environment. And so what we're seeing is they're using your own tools, or they're using legitimate tools, against your organization. This could be remote management tools that are trusted and signed by vendors. This could be legitimate cloud services like TryCloudflare, and it allows them to carry out malicious activity while hiding under the umbrella of that legitimate tool. And what we've seen specifically with Muddled Libra is that the members of this group tend to have deep IT experience. They know how these tools work, and they know how to exploit them.
Christopher Russo
What specific detections or rule sets should defenders prioritize in their SIEM or XDR?
David Moulton
Well, this is where we have to start to think about behavior. We have to start thinking about things like velocity: how are things changing in our environment, how are patterns evolving in our environment. And the reason I say that is because traditional rule sets of "this is bad, this is good" don't apply for this type of attacker. They know what you're going to see as bad, and they're going to walk around that by trying to appear to be a legitimate user. So what we're looking for is changes in user behavior and user patterns. And this is where we can utilize next-generation tools that incorporate things like AI and machine learning to understand the patterns from a macro level in our organization, and really be able to zoom in on that micro level when they change and boil that up to the SOC. We're getting rid of the noise, right? So what we're looking for when we're building out this defense is what changed in the environment and why did it change? What bad thing is evolving out of the good, normal things that we see every day?
Christopher Russo
Chris, with attackers now moving laterally through systems like EDR and cloud orchestration tools, how should defenders rethink internal trust models?
David Moulton
Well, so we need to take the methods that work, role-based access control, conditional access policies, and privileged access management, and bring those into the current world, right? And so what I mean by that is we need dynamic conditional access management to make sure that when you're trying to access something that creates greater risk, we're doing more authentication on that. For role-based access control, we need to make sure that we're monitoring that and we're stripping away privileges that individuals don't need anymore, so that those forgotten privileges can't be used against the organization. When we talk about privileged access management, we need to bring a temporal view into that. So we're only granting elevated rights when a user needs them, for as long as they need them, and then we're taking that away so that those rights just aren't kind of floating out there. Because what we've seen Muddled Libra do is use forgotten accounts, use neglected access models, and use that against the organization to get into tools that the user they're emulating normally wouldn't even need to be in.
Christopher Russo
Is zero trust a meaningful defense here or is it more of an aspirational goal?
David Moulton
So, contrary to popular belief, zero trust is not dead, but zero trust needs to evolve in today's world. And what do I mean by evolving into today's world? I mean we need to see it become part of the platform that we use for security. And we need to see it move away from an implicit trust model, from rules that we set up and put in place and then forget about, to be dynamic, to be driven by risk, and to change based on the environment and how that changes. And the way we're going to accomplish that is by using AI in these tools to help them adapt as the business adapts.
Christopher Russo
Let's talk about partnerships with DragonForce and other ransomware-as-a-service operators. What are the implications for ransomware playbooks going forward?
David Moulton
Well, I have some good news for you here, at least a little bit. And the good news is that nothing changes for how we've been approaching this, because extortion at its core still only works in two different ways. You're either extorting the organization by threatening to leak their data that you've stolen, or you're extorting the organization by causing operational disruption that will only stop if they pay a ransom. Now, using the tools that we have today, we can address both of those ahead of time. First of all, on the data side, if it's data you don't have, you can't lose it. So this goes back to good data hygiene: deleting data you don't need, archiving data that's not necessary for day-to-day operations, and making sure that only the folks that need access to the data have access to the data for the time that they need it, and then take that access away. And the reason you're doing that is because then that data is not available to be stolen later. Now, on the operational disruption side, this is the good old story of business continuity and disaster recovery planning. But when we're thinking about disaster recovery planning, we need to be thinking about our assets that are in the cloud as well. So we've seen this group attack assets, specifically virtual assets, in a destructive way through the asset's own management tools, going into things like ESXi and deleting virtual machines, by using cloud access platforms to go into your environment and destroy key business systems. And so we need to make sure that we have a way to very quickly bring those back up when they're impacted, so that we have very minimal downtime and there's no need to pay a ransom to have the attackers restore these assets for us.
Christopher Russo
Are these alliances more opportunistic or maybe indicative of a deeper underground ecosystem?
David Moulton
You know, the GIF with the astronaut floating in space and the other astronaut behind them that says "always has been." Well, this is the case here too. So ransomware as a service is basically the same as it always has been. Muddled Libra is just a new affiliate now. We could do an entire show on ransomware as a service and how it's structured, but really we have three pieces in a ransomware-as-a-service organization. We have your initial access brokers that are getting you into the environment, we have your ransomware-as-a-service providers, which are really handling all of the heavy lifting of the attack, and then we have the affiliates that are just using these two pieces to carry out the attack. Muddled Libra is just yet another affiliate using the tools that are already out there for these ransomware attacks. There's no reason to think that it's going to stop with this one provider, because it has been successful. We're going to continue to see this technique used.
Christopher Russo
Sam, I'm going to take it back to you. How significant are these recent UK arrests tied to Scattered Spider attacks on Marks and Spencer and other retailers?
Sam Rubin
We've actually seen multiple arrests of Muddled Libra members over the past year or so, including a number of high-profile arrests coming out of the UK in the past couple of weeks. This is a great development, really a result of effective international law enforcement collaboration. And we actually think that this, well, it's not going to stop Muddled Libra, but it's absolutely going to diminish their capacity to carry out their attacks and do harm. And this is also hopefully going to serve as deterrence for other members of the group, where they see actually there are repercussions, they're not immune, they can get caught, taken in. And so, you know, we've seen that deterrence effect work, you know, like when we saw the Conti ransomware group get taken down. So we are very optimistic and positive that this is a step in the right direction. I think because of their very distributed, you know, global nature, with the different teams working in different areas, it's not the end of Muddled Libra, but it's a step in the right direction. And we think that continued law enforcement focus, which Unit 42 is absolutely supporting, is going to positively move the needle in the long run.
Christopher Russo
Chris, law enforcement has linked the M&S and Co-op attacks to Scattered Spider, which overlaps with what Unit 42 tracks as Muddled Libra. From a technical standpoint, what evidence makes those connections?
David Moulton
Reliable attribution is incredibly difficult for threat intelligence researchers. But what's key is that attackers leave fingerprints, especially small groups like Muddled Libra, and those fingerprints end up becoming signature tradecraft for the attackers. So in a lot of ways, the team-based structure of Muddled Libra, small groups of attackers, actually makes this tracking easier for us. And these attack teams flip the attribution goal. And so when we talk about traditional attribution to a nation state, it's relatively consistent. Here, what we see is a hydra model. So when we have law enforcement action take out an individual member, new members pop up. But what we can do is continue to follow those new members, what they've learned from the old members and how that has changed, and use that to tune our attribution models to make sure that we understand who is responsible and how they're responsible for these attacks.
Christopher Russo
All right, Sam, the topic that's on everyone's mind, AI. How is this new technology poised to change the game for threat actors like Muddled Libra?
Sam Rubin
This is a topic on Unit 42's mind as well. And we are absolutely tracking what the threat actors are doing, what Muddled Libra is doing with AI. What is the art of the possible? You know, we look at that in our offensive security research in using AI. And Muddled Libra is absolutely using AI, generative AI and LLMs, to aid and drive their attacks. We've seen, for example, the use of deepfake voice in targeting the IT help desk to change creds and get access. We've seen some use of a copilot to try to navigate and move laterally in a network. But I believe, and I think, we're still early days in terms of their adoption of LLMs and integration into attack chains. So the impact of this is that ultimately it makes their tactics more effective, it makes them faster, and it gives them greater ability to scale. And I think one of the ways to think about this is, you know, imagine a zero day. And so if we go back, for example, to think about what happened with SolarWinds, something that, you know, we're all very familiar with, at that point in time there were about 20,000 different victim organizations that had the vulnerable version of SolarWinds. And so the threat actors at that time, the APT group, you know, sort of had an overabundance of targets and not enough resources to essentially exploit and take advantage of all the access they had. Right. So ultimately what we ended up seeing was a couple of thousand victims instead of all 20,000. So now layer in AI, layer in LLMs, where you can start to automate parts of the attack chain, and you know, 1,000 victims goes to over 10,000 or more. And so I think that's sort of the power and danger of AI-enabled attack paths. And again, early days, but something that we're keeping our eye on.
Christopher Russo
Sam, Chris, thanks so much for being here today. We have a link to the research in our show notes and you can always find it on the Unit 42 Threat Research Center.
Sam Rubin
Yeah, thanks so much for having us on, David. Always great to be here.
David Moulton
David, thanks again for having me back. It's great to be here. Hopefully we can continue this conversation and we can continue to see organizations become more effective at stopping these threat groups.
Christopher Russo
That's it for today. If you like what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Those reviews and your feedback really do help me understand what you want to hear about on the show. You can also reach out to me directly at threatvector@paloaltonetworks.com. I want to thank our executive producer Michael Heller, our content and production teams, which include Kenny Miller, Joe Benecourt and Virginia Tran. Eloy Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.
CyberWire Daily Podcast Summary: "Muddled Libra: From Spraying to Preying in 2025 [Threat Vector]"
Release Date: July 26, 2025
Host: David Moulton
Guests: Sam Rubin (Head of Unit 42, N2K Networks) and Christopher Russo (Principal Threat Researcher, Unit 42)
The episode begins with David Moulton introducing the recurring guests, Sam Rubin and Christopher Russo, experts from Unit 42 at N2K Networks. Christopher Russo has been tracking the cybercrime group known as Muddled Libra since episode two, bringing deep technical insights to the forefront.
Quote:
David Moulton [00:02]: "You're listening to the Cyberwire Network powered by N2K."
David Moulton outlines the significant evolution of Muddled Libra from a concentrated group to a fragmented entity with specialized teams. These teams focus on varied objectives, including ransomware deployment, cryptocurrency theft, and targeting individual users. This diversification indicates sophisticated tradecraft and adaptable fingerprints among the actors.
Quote:
David Moulton [01:38]: "We've seen a shift from being one primary focus, less than two dozen attackers really going after this supply chain, crypto-oriented attack... we track at least seven teams, each with unique objectives."
Christopher Russo walks through the technical progression of Muddled Libra's kill chain in 2025. The group has moved from straightforward account theft to mass data gathering, targeting high-value cryptocurrency holdings and turning to destructive extortion when victims do not pay. Initial access rarely depends on a software exploit; it relies on social engineering, most visibly calling the help desk and talking their way into an account, which leaves few technical indicators to track or block.
Quote:
David Moulton [02:49]: "It's a pure social engineering model where they're calling the help desk and working their way in... very difficult to track, very difficult to stop."
David discusses the modular nature of Muddled Libra's operations, highlighting their efficient use of small, specialized teams. This fluid structure allows them to deploy expertise as needed, enhancing their operational effectiveness across different industries and attack vectors.
Quote:
David Moulton [05:35]: "These attackers have understood that small teams, very liquid and fluid teams, are much more effective for operations than trying to coordinate a whole bunch of people."
Sam Rubin provides a macro view, emphasizing Muddled Libra's standout presence amidst Unit 42's numerous incident response cases. Their sophisticated techniques and persistent nature make them exceptionally impactful, surpassing even some nation-state APT groups in terms of disruption and aggression.
Quote:
Sam Rubin [06:56]: "They really stand out across all the other attack types that Unit 42 responds to, even the nation-state APT... incredibly aggressive."
Sam Rubin identifies critical missteps in organizational responses to destructive extortion, notably the lack of executive-level crisis planning. He underscores the necessity for comprehensive business continuity and redundancy plans, especially for critical business applications and SaaS platforms.
Quote:
Sam Rubin [12:15]: "A lot of organizations are pretty good... but we see that fall down pretty quickly when you get into the C suite... They aren't sure what their crisis comms plan should be."
Sam elaborates on the challenges CISOs face in communicating technical risks to non-technical stakeholders. He advocates for framing threats like Muddled Libra in terms of direct, quantifiable business impacts, using relatable stories and threat modeling to make the risks tangible for the C-suite.
Quote:
Sam Rubin [15:15]: "Use really clear, direct, non-technical, relatable language... the stories of what happened to peer companies give credibility to the threat."
David Moulton addresses the persistent problem of poor cloud visibility. Cloud identity and workload logs are still commonly collected apart from endpoint and network telemetry, so an intrusion that spans both shows up as disconnected fragments. He argues for normalizing and correlating cloud events with on-premises events into a single narrative for SOC analysts, citing Cortex Cloud and Cortex XSIAM as the platforms Palo Alto Networks builds for that stitching.
Quote:
David Moulton [19:34]: "We need to make sure that we're stitching the events together that happen in the cloud with the rest of the events... one single story."
David explains how Muddled Libra relies on legitimate tooling rather than custom malware: tunneling services such as ngrok and Cloudflare, and commercial remote monitoring and management (RMM) platforms. These binaries are signed, widely deployed and often already permitted in the environment, so traditional Endpoint Detection and Response (EDR) sees ordinary administration rather than an intrusion. The malicious activity hides under the umbrella of the trusted tool, and detection has to come from context (who installed it, when, and what happened to that identity just before) rather than from the binary itself.
Quote:
David Moulton [20:10]: "They're using legitimate tools against your organization... hiding under the umbrella of that legitimate tool."
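The three points above (help-desk-driven account takeover, stitching cloud identity events together with endpoint telemetry, and legitimate tunneling or RMM tools that EDR alone will not flag) fit together in one detection. The script below is an added example written for this summary; it is not Unit 42 or Palo Alto Networks code and does not represent any product's query language. It merges constructed identity-provider events and constructed endpoint process-creation events into one per-user timeline, then flags a reset performed on a user's behalf that is followed within a window by a tunneling or RMM binary on that user's host. The log formats, the two-hour window and the tool list (ngrok and cloudflared from the episode, plus common RMM client names) are assumptions for illustration.

```python
"""Correlate IdP resets with later tunneling/RMM execution on the same user's host.

Added example, not Unit 42 or Palo Alto Networks code. Both event formats are
constructed and simplified; the tool list and the time window are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed cloud identity-provider events, one JSON object per line.
CLOUD_EVENTS = r"""
{"ts": "2025-07-10T13:55:00Z", "event": "user.mfa.factor.reset", "user": "jdoe", "actor": "helpdesk.tier1", "channel": "phone"}
{"ts": "2025-07-10T13:57:10Z", "event": "user.mfa.factor.enroll", "user": "jdoe", "actor": "jdoe", "ip": "203.0.113.9"}
{"ts": "2025-07-10T13:58:30Z", "event": "user.session.start", "user": "jdoe", "actor": "jdoe", "ip": "203.0.113.9"}
{"ts": "2025-07-10T09:12:00Z", "event": "user.mfa.factor.reset", "user": "asmith", "actor": "helpdesk.tier1", "channel": "phone"}
{"ts": "2025-07-10T09:14:00Z", "event": "user.session.start", "user": "asmith", "actor": "asmith", "ip": "198.51.100.4"}
"""

# Constructed endpoint process-creation events from an EDR agent, one per line.
ENDPOINT_EVENTS = r"""
{"ts": "2025-07-10T14:20:05Z", "event": "process_create", "host": "WS-1042", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"}
{"ts": "2025-07-10T14:21:40Z", "event": "process_create", "host": "WS-1042", "user": "jdoe", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"}
{"ts": "2025-07-10T10:02:00Z", "event": "process_create", "host": "WS-2201", "user": "asmith", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
{"ts": "2025-07-10T11:30:00Z", "event": "process_create", "host": "DEV-07", "user": "blee", "image": "C:\\tools\\cloudflared.exe", "cmdline": "cloudflared tunnel run"}
"""

# ngrok and Cloudflare tunnels are named in the episode; the RMM client names are
# common examples. The whole set is an assumption, not an authoritative catalogue.
TUNNEL_AND_RMM = {"ngrok.exe", "cloudflared.exe", "anydesk.exe",
                  "screenconnect.clientservice.exe", "ateraagent.exe"}
# IdP event types that mean a credential or second factor was replaced.
RESET_EVENTS = {"user.mfa.factor.reset", "user.password.reset"}


def parse_events(text, source):
    """Parse newline-delimited JSON, convert timestamps, and tag the source."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["source"] = source
        events.append(ev)
    return events


def build_timelines(*event_lists):
    """Merge every source into one chronologically ordered timeline per user."""
    timelines = defaultdict(list)
    for events in event_lists:
        for ev in events:
            timelines[ev["user"]].append(ev)
    for user in timelines:
        timelines[user].sort(key=lambda e: e["ts"])
    return timelines


def image_name(path):
    """Lower-case file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_reset_then_tool(timelines, window=timedelta(hours=2)):
    """Flag: reset done on the user's behalf, then tunneling/RMM on their host."""
    findings = []
    for user, events in timelines.items():
        for i, ev in enumerate(events):
            if ev["source"] != "idp" or ev["event"] not in RESET_EVENTS:
                continue
            if ev.get("actor") == user:
                continue  # self-service reset; the help-desk path is the interest here
            deadline = ev["ts"] + window
            for later in events[i + 1:]:
                if later["ts"] > deadline:
                    break  # timeline is sorted, nothing later can be in the window
                if later["source"] == "edr" and image_name(later["image"]) in TUNNEL_AND_RMM:
                    findings.append({
                        "user": user,
                        "host": later["host"],
                        "tool": image_name(later["image"]),
                        "cmdline": later["cmdline"],
                        "reset_event": ev["event"],
                        "reset_actor": ev.get("actor"),
                        "minutes_after_reset": int((later["ts"] - ev["ts"]).total_seconds() // 60),
                    })
    return findings


if __name__ == "__main__":
    tl = build_timelines(parse_events(CLOUD_EVENTS, "idp"),
                         parse_events(ENDPOINT_EVENTS, "edr"))
    for f in find_reset_then_tool(tl):
        print(f"{f['user']}@{f['host']}: {f['tool']} {f['minutes_after_reset']} min "
              f"after {f['reset_event']} by {f['reset_actor']}")
```

Run stand-alone, it reports only jdoe. Neither source alone would have produced that verdict: asmith also had a help-desk reset but no tunneling tool, and blee ran cloudflared with no preceding reset, which is exactly the kind of developer noise that makes alerting on the binary by itself unworkable.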
The discussion shifts to defensive measures, where David emphasizes the importance of behavioral analytics and dynamic access controls. He advocates for AI and machine learning to identify anomalous patterns and enhance the zero-trust model, ensuring that defenses adapt to changing threats.
Quote:
David Moulton [21:12]: "We have to start thinking about behavior... utilize tools next generation that incorporate things like AI and machine learning."
David argues that Zero Trust is not obsolete but requires evolution to remain effective against sophisticated threats. He suggests integrating Zero Trust deeply into security platforms, making it dynamic and risk-driven rather than static and rule-based.
Quote:
David Moulton [23:50]: "Zero trust needs to evolve into today's world... using AI to help them adapt as the business adapts."
David discusses the enduring structure of ransomware-as-a-service (RaaS), noting that Muddled Libra operates as an affiliate within that ecosystem rather than as an independent ransomware developer. He warns that the affiliate model will keep spreading, because it lets access brokers and intrusion crews plug into mature ransomware and extortion infrastructure, broadening and sharpening attacks without changing the underlying extortion mechanics defenders already plan for.
Quote:
David Moulton [24:44]: "Nothing changes for how we've been approaching this, because extortion at its core still only works in two different ways... Muddled Libra is just yet another affiliate."
Sam Rubin highlights recent UK arrests related to Muddled Libra, praising international law enforcement collaboration. While these actions may not dismantle the group entirely, they are expected to diminish their operational capacity and serve as a deterrent to other members.
Quote:
Sam Rubin [27:51]: "It's a result of effective international law enforcement collaboration... continued law enforcement focus is going to positively move the needle."
Sam addresses the emerging role of AI in enhancing the effectiveness and scalability of attacks by groups like Muddled Libra. He notes the use of generative AI and large language models (LLMs) for tasks such as deepfake voice impersonation and automating parts of the attack chain, which could exponentially increase their victim base.
Quote:
Sam Rubin [30:34]: "Muddled Libra is absolutely using AI, generative AI, and LLMs to aid and drive their attacks... automating parts of the attack chain."
The episode concludes with actionable insights for organizations to bolster their defenses against evolving threats like Muddled Libra. Emphasis is placed on proactive planning, robust access controls, data hygiene, and leveraging advanced security tools to stay ahead of sophisticated adversaries.
Final Quote:
David Moulton [32:50]: "Hopefully we can continue this conversation and we can continue to see organizations become more effective at stopping these threat groups."
Key Takeaways:
For more in-depth research and insights, listeners are encouraged to visit the Unit 42 Threat Research Center as mentioned by the hosts.