Vol 47: Issue 2 | July 2024
In short
- Hackers are targeting IT help desks to trick people into providing access to organisations’ systems and data.
- Cybercriminals are using a range of adaptive and sophisticated techniques to exploit opportunities, meaning that vigilance and educating staff are critical to preventing breaches.
- Out-of-hours help desk requests, logins from strange locations or a barrage of multifactor authentication attempts are all indicators a cyber attack might be underway.
Just like businesses, cybercriminals are also on their own digital transformation journey: they are constantly looking for new and innovative ways to infiltrate organisations.
At the top of the list of potential threats are breaches resulting from social engineering, a tactic where hackers trick employees, suppliers or contractors into revealing confidential information, clicking on malicious links or providing entry to IT systems.
A particularly menacing group that is successfully using social engineering tactics is Muddled Libra, also known as Star Fraud, UNC3944, Scatter Swine or Scattered Spider.
Over the past two years, these hackers have largely infiltrated organisations via IT help desks and are now believed to be also targeting cloud service providers and software as a service (SaaS) applications to steal data.
The group has already been linked to several high-profile cyber-attacks. One example is the September 2023 attack on MGM Resorts, where Muddled Libra used multifactor authentication fatigue attacks (numerous authentication requests) to gain access to the network.
The attack resulted in systems across the conglomerate’s 30-plus hotels and casinos around the globe being offline for more than 10 days, leading to substantial revenue loss.
In the same week, Muddled Libra attacked Caesars Entertainment, gaining access to various parts of the customer infrastructure and causing widespread disruption.
According to an Incident Response Report from Unit 42 at Palo Alto Networks, Muddled Libra is believed to be primarily made up of operatives from the United States and the United Kingdom.
Unlike some other hacking groups, members have strong English language skills and a clear strategy for breaches — including targeting clients downstream from the initial breach.
“They are in it for the money. Their ransom demands are very large, often in the tens of millions of US dollars. And, of course, they demand payment in cryptocurrency,” says the report.
Here’s what we know about Muddled Libra, the techniques they are using and what insurers and their clients should be doing to protect themselves.
Zero-day vulnerability
Software often has security vulnerabilities that hackers can exploit before developers have time to fix the problem. This is known as a ‘zero-day’ attack.
Groups like Muddled Libra find those vulnerabilities and then impersonate IT staff or help desk personnel to trick employees into sharing their credentials. Or, they convince the user to perform an action like opening a file or visiting a malicious website. Doing so downloads the attacker’s malware, which infiltrates the user’s files and steals confidential data.
“They also use phishing, push bombing and SIM swap attacks to gain unauthorised access to networks,” says Faisal Yahya, cybersecurity strategist at Vantage Point Security in Indonesia.
“These tactics typify an advanced persistent threat [APT], where sophisticated groups utilise various tactics, techniques and procedures — including social engineering and zero-day exploits — to infiltrate a network and steal confidential data over an extended period.
“It is a very methodical operation, and it takes time. The frequency of attacks is actually small, but the impact of an attack is massive. Essentially, once the vulnerabilities have been located, the APT group will sell the zero-day to the highest bidder.”
What are the warning signs?
Vigilance is a must when it comes to cybersecurity, says Tom Roberts, manager of threat and incident response at cybersecurity adviser CERT NZ.
“Often there is not just one particular thing happening,” he explains. “You need to make sure you are across everything and that when you’re not necessarily looking at something in particular, the defences are holding up well enough.”
Roberts says classic network-infiltration strategies used by groups such as Muddled Libra include: out-of-hours help desk requests, logins from strange locations or devices, people tampering with logs, a barrage of multifactor authentication attempts against a single target or multiple password attempts.
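A defender's starting point for the indicators Roberts lists (and for the multifactor authentication fatigue attacks described earlier) is rule-based detection over authentication and help-desk logs. The following is an added example, not code from the article or from any organisation quoted in it; the log format, the thresholds, the business-hours window and the per-user location baseline are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): ISO timestamp, user, event, detail.
SAMPLE_LOG = """\
2024-07-15T09:02:11 alice mfa_push denied
2024-07-15T23:41:03 bob helpdesk_reset password_reset
2024-07-16T02:10:05 carol mfa_push denied
2024-07-16T02:10:19 carol mfa_push denied
2024-07-16T02:10:33 carol mfa_push denied
2024-07-16T02:10:48 carol mfa_push denied
2024-07-16T02:11:02 carol mfa_push denied
2024-07-16T02:11:20 carol mfa_push approved
2024-07-16T10:15:00 dave login NZ
2024-07-16T10:20:00 dave login RU
"""

MFA_BURST_THRESHOLD = 5                  # this many pushes to one user ...
MFA_BURST_WINDOW = timedelta(minutes=5)  # ... inside this sliding window
BUSINESS_HOURS = range(8, 18)            # assumed 08:00-17:59; resets outside are flagged
KNOWN_LOCATIONS = {"dave": {"NZ"}}       # assumed baseline of countries seen per user

def parse(log):
    """Turn the whitespace-separated sample format into (time, user, event, detail)."""
    events = []
    for line in log.strip().splitlines():
        ts, user, event, detail = line.split()
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return events

def find_alerts(events):
    """Return (alert_kind, user, time) for each indicator found, in time order."""
    alerts = []
    pushes = defaultdict(list)  # user -> timestamps of recent MFA pushes
    for ts, user, event, detail in sorted(events):
        if event == "mfa_push":
            # Keep only pushes still inside the window, then add this one.
            window = pushes[user] = [t for t in pushes[user] if ts - t <= MFA_BURST_WINDOW]
            window.append(ts)
            if len(window) == MFA_BURST_THRESHOLD:  # fire once when the burst begins
                alerts.append(("mfa_fatigue", user, ts))
            if detail == "approved" and len(window) >= MFA_BURST_THRESHOLD:
                alerts.append(("mfa_fatigue_approved", user, ts))  # user gave in: escalate
        elif event == "helpdesk_reset" and ts.hour not in BUSINESS_HOURS:
            alerts.append(("out_of_hours_reset", user, ts))
        elif event == "login" and detail not in KNOWN_LOCATIONS.get(user, set()):
            alerts.append(("unfamiliar_location", user, ts))
    return alerts
```

An approval that arrives after a burst of pushes is the case worth escalating first, since it is the point at which MFA fatigue has succeeded rather than merely been attempted.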
Despite the growing threat posed by Muddled Libra, no arrests have been made public. This means organisations need to take proactive measures to protect their networks, says Yahya.
There are some simple steps to take, he suggests. In addition to implementing strong password policies and multifactor authentication, businesses should keep all operating systems, software and firmware up to date and educate employees on phishing tactics.
“Organisations should also implement application controls to manage and control software execution. Regular auditing of remote-access tools can help identify any unauthorised software or abnormal usage patterns,” says Yahya.
“The effectiveness of these measures depends on proper configuration and management. Investing in the right tools and expertise is also important. These should be integrated into a comprehensive security posture, with additional layers like threat detection and incident response.”
Human touch
Gill Collins, head of cyber at Marsh McLennan Pacific, says that clients who see cybersecurity and cyber risk as a whole-of-business risk may be far better prepared to respond to these cyber threats.
“An executive team should consider cyber risk management really seriously, and they need to activate that kind of culture throughout the whole of the organisation, so that cyber risk is recognised as a real business risk and that people are well-versed in how to respond accordingly,” she explains.
Recognising that the breach may occur because of the actions of employees is also crucial, adds Roberts.
“We need to shift our focus from purely technical vulnerabilities to a more holistic approach that prioritises social engineering threats, because in most businesses — including those in the insurance industry — the weakest link isn’t always the software; sometimes it’s the person behind the screen.”
This means integrating social-engineering awareness training and phishing simulations into employee security education programs.
“Essentially, it’s about training your employees,” says Roberts, “or your employees will train the hackers.”
The weakest (supply chain) link
“One of the top issues that we’re continually talking to our clients about is how to manage potential vulnerabilities in their digital supply chain,” says Gill Collins, head of cyber at Marsh McLennan Pacific.
“There is an increasing frequency of cyber-attacks that stem from infiltration through third-party technology providers who have access to clients’ systems or data.”
Collins says that, from an insurance perspective, customers who are using either outsourced business operations, cloud service providers, or SaaS platforms and applications may be at a greater risk because that’s exactly what Muddled Libra is targeting.
“With new cybersecurity risks emerging daily, the weakest link is often us humans, which means the safest approach is educating people on what to look out for.”
“Our advice to businesses who are about to enter an agreement with a supplier that will have access to any of their critical information technology assets is to take the time to understand what controls and risk management procedures they have in place around cybersecurity,” she says.
“Specify your minimum cybersecurity standards in the contract, as well as your right to review those standards on a regular basis, so that you can see whether they’re actually upholding their end of the bargain.”
Lessons from the CrowdStrike outage
Though widespread IT outages on 19 July 2024 stemmed from a software update released by global cybersecurity firm CrowdStrike, as opposed to malicious activity, hackers were quick to take advantage.
The Australian Signals Directorate’s Australian Cyber Security Centre reported that a number of malicious websites and unofficial code were being released claiming to help entities recover from the incident. CrowdStrike Intelligence likewise received reports that threat actors were conducting the following activity:
- Sending phishing emails posing as CrowdStrike support to customers.
- Impersonating CrowdStrike staff in phone calls.
- Posing as independent researchers, claiming to have evidence the technical issue was linked to a cyber-attack and offering remediation insights.
- Selling scripts purporting to automate recovery from the content update issue.
In addition to exposing CrowdStrike users to criminal opportunists, the disruptions highlighted the dangers of relying solely on single providers for software.
Tom Worthington, an honorary lecturer in the School of Computing at the Australian National University, told SBS News that if someone’s entire business depends on one particular software product working, they need to make sure they have alternatives.
“These things will happen from time to time,” he said, “but you’ve got to make sure it doesn’t take out everything.”