Episode Transcript
0:02
You're listening to the CyberWire Network, powered by N2K.

0:09
It's not always possible from an investigative side to be able to tell whether AI is used. And honestly, it's not always our goal. We're really focused on ejecting the threat actor from the environment and getting our clients back up and running.

0:29
Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42.

1:03
In today's episode, I'm going to talk with Stephanie Regan, a senior consultant with Unit 42. Stephanie started her career in law enforcement and now specializes in compromise assessment and incident response. In our last episode, I spoke with Chris Russo, a senior threat researcher with Unit 42 focused on ransomware and cybercrime, about Muddled Libra. Chris painted a picture of a determined and dangerous adversary. Today I want to talk with Stephanie to hear her insights and advice when it comes to responding to an attack from Muddled Libra and groups like them.

1:39
To kick us off, can you share the number of matters that you've been involved with when it comes to Muddled Libra?

1:46
Yeah, my numbers are likely a little higher since we're not always confident on attribution. However, I've definitely worked at least a half dozen cases with Muddled Libra.

1:57
Can you share a detail or an insight from a matter that really sticks out to you?

2:02
One of the things that really sticks out to me about Muddled Libra cases has been the reconnaissance portion of the investigation. A lot of the time we see threat actors doing a really light reconnaissance, trying to figure out where they're at in the environment and how they can navigate. I've seen them deep dive the how-to and the technical docs. They're really trying to get a really deep understanding of the environment and how to connect and change their level of persistence, as well as further their access into the environment.

2:42
These approaches are really successful because they're focused on that human factor. People are focused on their jobs, getting their jobs accomplished. MFA is a huge must, and moving towards more secure methods of MFA, getting away from using SMS for our multi-factor authentication. Really thinking about where your data is stored when it comes to help desk information. We've seen phishing and spoofing of help desk personnel. So really thinking critically about where the information is that the user might use to reset their password through the help desk. One of the things that we've talked about that they use a lot of is domain typosquatting, and also buying access from initial access brokers. Things like dark web and domain monitoring can also help in these situations, to help you know quickly when credentials might be available on the dark web, or when you have certain things like mistyped domains and slightly misconfigured domain URLs that have been developed and created that spoof your sites.

3:50
Stephanie, tell our listeners what it takes to help a client recover from one of these attacks.

3:56
Especially with a Muddled Libra attack, I think moving quickly to understand the level of persistence that has been able to be obtained at the time of detection is really important. IR playbooks are essential, knowing the actions that you're going to need to take before you're in the emergency environment. Password resets, asset resets, those have to have a plan around them, because when you're in large environments and you're trying to reset passwords for thousands of users, that's very difficult. It's going to be kind of that whack-a-mole game, to keep kicking them out of one account, but they can use another one to get right back in. Another crucial piece with Muddled Libra and many threat actors today is getting out-of-band comms very quickly as well. A lot of threat actors, including Muddled Libra, like to sit on and listen to whatever your chat platform of choice is and try to understand what actions the IT team and maybe the investigators are taking. Getting out of band and being able to really coordinate your approach quickly to get your environment reset is very important.

5:04
Final question for you. Do you expect that there will be copycat groups out there that take Muddled Libra's playbook and use it, expand on it?

5:13
I think that the idea of copycats is an interesting one in this era of cyber, being able to see the success of Muddled Libra and other groups like them and have enough information about them to be able to copy. Definitely, I can see people doing that. However, one of the things to keep in mind is that we hear a lot about RaaS, ransomware as a service, initial access brokers and things like that. So we're seeing a lot of blending of TTPs, IOCs, indicators, but also, as far as that goes, things that look like the same threat actor that might be slightly different because they're sharing resources and have really become this complex marketplace today.

5:57
Stephanie, thanks for joining me today on Threat Vector and for sharing your insights and experience defending against Muddled Libra. If you're interested in reading more about this threat actor group, visit the Unit 42 Threat Research Center and look for the Threat Group Assessment on Muddled Libra. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Bye for now.

6:29
In a complex world of enterprise identity, securing legacy web apps at scale can be daunting. Strata Identity makes it simple. With Strata, you can effortlessly integrate nonstandard apps with any identity service, with zero coding and zero hassle. Designed by identity architects for identity architects, Strata works with every vendor, standard and app. Its architecture means your apps can now speak modern protocols and integrate seamlessly with your chosen identity services. From securing on-prem web apps, to migrating away from outdated identity providers or consolidating them, Strata helps you keep your complex access policies as you modernize your identity infrastructure and get rid of technical debt. Join leading organizations like 3M, Dallas County and CIBC in securing your apps with Strata. Visit strata.io/cyberwire, share your identity security priorities, and receive a complimentary pair of AirPods Pro. Offer valid for organizations with over five thousand employees. Connect today at strata.io/cyberwire.