Exposing Muddled Libra's meticulous tactics with Incident Responder Stephanie Regan [Threat Vector]
Released Wednesday, 27th March 2024
Episode Transcript


0:02 [Network intro] You're listening to the CyberWire Network, powered by N2K.

0:09 Stephanie Regan: It's not always possible from an investigative side to be able to tell whether AI is used. And honestly, it's not always our goal. We're really focused on ejecting the threat actor from the environment and getting our clients back up and running.

0:29 David Moulton: Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42.

1:03 David Moulton: In today's episode, I'm going to talk with Stephanie Regan, a senior consultant with Unit 42. Stephanie started her career in law enforcement and now specializes in compromise assessment and incident response. In our last episode, I spoke with Chris Russo, a senior threat researcher with Unit 42 focused on ransomware and cybercrime, about Muddled Libra. Chris painted a picture of a determined and dangerous adversary. Today I want to talk with Stephanie to hear her insights and advice when it comes to responding to an attack from Muddled Libra and groups like them. To kick us off, can you share the number of matters that you've been involved with when it comes to Muddled Libra?

1:44 Stephanie Regan: Yeah, my numbers are likely a little higher since we're not always confident on attribution. However, I've worked definitely at least a half dozen cases with Muddled Libra.

1:57 David Moulton: Can you share a detail or an insight from a matter that really sticks out to you?

2:02 Stephanie Regan: One of the things that really sticks out to me about Muddled Libra cases has been the reconnaissance portion of the investigation. A lot of the times we see threat actors doing a really light reconnaissance, trying to figure out where they're at in the environment and how they can navigate. I've seen them deep dive the how-to and the technical docs. They're really trying to get a really deep understanding of the environment and how to connect and change their level of persistence as well as further their access into the environment.

2:42 Stephanie Regan: These approaches are really successful because it's focused on that human factor. People are focused on their jobs, getting their jobs accomplished. MFA is a huge must, and moving towards more secure methods of MFA, getting away from using SMS for our multi-factor authentication. Really thinking about where your data is stored when it comes to help desk information. We've seen phishing and spoofing of help desk personnel. So really thinking critically about where the information is that the user might use to reset their password through the help desk. One of the things that we've talked about that they use a lot of is domain typosquatting and also buying access from initial access brokers. Things like dark web and domain monitoring can also help in these situations, to help you know quickly when credentials might be available on the dark web or when you have certain things like mistyped domains and slightly misconfigured domain URLs that have been developed and created that spoof your sites.

3:48 David Moulton: Stephanie, tell our listeners what it takes to help a client recover from one of these attacks.

3:56 Stephanie Regan: Especially with a Muddled Libra attack, I think moving quickly to understand the level of persistence that has been able to be obtained at the time of detection is really important. IR playbooks are essential, knowing the actions that you're going to need to take before you're in the emergency environment. Password resets, asset resets, those have to have a plan around them, because when you're in large environments and you're trying to reset passwords for thousands of users, that's very difficult. It's going to be kind of that whack-a-mole game to keep kicking them out of one account, but they can use another one to get right back in. Another crucial piece with Muddled Libra and many threat actors today is getting out-of-band comms very quickly as well. A lot of threat actors, including Muddled Libra, like to sit on and listen to whatever your chat platform of choice is and try to understand what actions the IT team and maybe the investigators are taking. Getting out of band and being able to really coordinate your approach quickly to get your environment reset is very important.

5:00 David Moulton: Final question for you. Do you expect that there will be copycat groups out there that take Muddled Libra's playbook and use it, expand on it?

5:13 Stephanie Regan: I think that the idea of copycats is an interesting one in this era of cyber, being able to see the success of Muddled Libra and other groups like them and have enough information about them to be able to copy. Definitely, I can see people doing that. However, one of the things to keep in mind is that we hear a lot about RaaS, ransomware as a service, initial access brokers, and things like that. So we're seeing a lot of blending of TTPs, IOCs, indicators, but also, as far as that goes, things that look like the same threat actor that might be slightly different because they're sharing resources and have really become this complex marketplace today.

5:57 David Moulton: Stephanie, thanks for joining me today on Threat Vector and for sharing your insights and experience defending against Muddled Libra. If you're interested in reading more about this threat actor group, visit the Unit 42 Threat Research Center and look for the Threat Group assessment on Muddled Libra. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Bye for now.

6:29 [Advertisement] In a complex world of enterprise identity, securing legacy web apps at scale can be daunting. Strata Identity makes it simple. With Strata, you can effortlessly integrate nonstandard apps with any identity service like an essay or Ssl with zero coding and zero hassle. Designed by identity architects for identity architects, Strata works with every vendor, standard, and app. Its architecture means your apps can now speak modern protocols and integrate seamlessly with your chosen identity services. From securing on-prem web apps to migrating away from outdated identity providers or consolidating them, Strata helps you keep your complex access policies as you modernize your identity infrastructure and get rid of technical debt. Join leading organizations like 3M, Dallas County, and CIBC in securing your apps with Strata. Visit strata.io/cyberwire, share your identity security priorities, and receive a complimentary pair of AirPods Pro. Offer valid for organizations with over five thousand employees. Connect today at strata.io/cyberwire.
