{
	"id": "3c3d19bc-922d-4897-ace9-2c9005f031d9",
	"created_at": "2026-04-06T00:15:26.552538Z",
	"updated_at": "2026-04-10T03:30:52.048313Z",
	"deleted_at": null,
	"sha1_hash": "39819aca78b91cdee315d46eee85d333d2698721",
	"title": "Muddled Libra’s Evolution to the Cloud",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1094130,
	"plain_text": "Muddled Libra’s Evolution to the Cloud\r\nBy Margaret Kelley\r\nPublished: 2024-04-09 · Archived: 2026-04-05 19:56:39 UTC\r\nExecutive Summary\r\nUnit 42 researchers have discovered that the Muddled Libra group now actively targets software-as-a-service\r\n(SaaS) applications and cloud service provider (CSP) environments. Organizations often store a variety of data in\r\nSaaS applications and use services from CSPs. The threat actors have begun attempting to leverage some of this\r\ndata to assist with their attack progression, and to use for extortion when trying to monetize their work.\r\nMuddled Libra also uses the legitimate scalability and native functionality of CSP services to create new resources\r\nto assist with data exfiltration. All CSPs have terms of service (TOS) policies that explicitly prohibit activities like\r\nthose performed by Muddled Libra.\r\nThis article covers the following:\r\nVarious access methodologies that are used for SaaS environments and CSPs\r\nCommon exploits\r\nData reconnaissance\r\nTactics to abuse CSP services for data exfiltration\r\nAll these methods follow a detectable pattern and mitigations can be implemented based on these patterns to\r\nprotect an organization. 
With environments evolving to use more SaaS applications and a variety of CSPs,\r\norganizations need additional protections to secure their resources, and those listed below can help protect them.\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts:\r\nPrisma Cloud provides detection, alerting and mitigation operations across several components within\r\nmulticloud and hybrid environments.\r\nThe Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a\r\nproactive assessment to lower your risk.\r\nAmazon Web Services (AWS) and Azure customers are protected from the threats discussed through the following\r\nservices:\r\nAmazon GuardDuty alerts organizations to abnormal activity within their environment.\r\nAWS Security Hub aggregates security settings and findings from a variety of AWS services and third-party tools.\r\nAWS IAM Access Analyzer and AWS principle of least privilege security best practices provide\r\norganizations with the tools and information to secure their identity and access management (IAM)\r\nhttps://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/\r\nPage 1 of 10\n\nresources.\r\nAzure provides recommendations for the best ways to monitor and detect threats within the Azure\r\nplatform.\r\nMicrosoft least privileged access documentation provides information about how organizations can secure\r\ntheir permissions.\r\nAccess Methodology\r\nAs part of Muddled Libra’s evolving tactics, the group starts by performing reconnaissance to identify administrative\r\nusers to target for initial access when social engineering the help desk. This development was first observed\r\nlate in 2023, and we have seen activity as recently as January 2024. 
Muddled Libra also performs extensive research\r\nto uncover information about what applications are deployed and what CSPs an organization uses.\r\nFigure 1 illustrates the actions that fall under the MITRE ATT\u0026CK framework for reconnaissance. We will\r\ncontinue to use the framework as we discuss the tactics, techniques and procedures (TTPs) of Muddled Libra.\r\nFigure 1. Muddled Libra’s reconnaissance steps.\r\nMuddled Libra purposefully targets administrative users during their social engineering attacks since those users\r\nhave elevated permissions within identity providers, SaaS applications and organizations’ various CSP\r\nenvironments. After initial access, the group exploits identity providers to perform privilege escalation by\r\nbypassing IAM restrictions and modifying permission sets associated with users to increase their scope of access.\r\nThe Okta cross-tenant impersonation attacks that occurred from late July to early August 2023, where Muddled\r\nLibra bypassed IAM restrictions, display how the group exploits Okta to access SaaS applications and an\r\norganization's various CSP environments. They accessed an organization’s Okta Identity Portal through\r\ntechnology administrator accounts that the group compromised as part of their new tactic of help desk social\r\nengineering. Then they modified permissions to increase their scope of access. By modifying the permission sets of\r\ncompromised users, the group escalated its privileges to gain further access to SaaS applications and the organization's\r\nCSP environments.\r\nMuddled Libra also added additional identity providers with impersonation privileges, which allowed them to\r\naccess additional applications while impersonating other user accounts. 
The Conclusion section includes\r\nrecommendations for Identity Portal hardening.\r\nAccessing SaaS Applications\r\nAfter gaining access to an environment, Muddled Libra uses the information obtained during reconnaissance to\r\nperform discovery internally to find the sign-in pages for SaaS applications. Organizations using single sign-on\r\n(SSO) portals to manage application access (such as Okta) are of particular interest. Figure 2 maps the lateral\r\nmovement techniques used by Muddled Libra.\r\nFigure 2. Muddled Libra’s lateral movement steps.\r\nThe SSO portal of a technology administrator will have an organization’s security information and event\r\nmanagement (SIEM), endpoint detection and response (EDR) and password management system (PMS) listed.\r\nThese administration tools are all of interest to the attackers because they can execute permission modification and\r\nidentity provider configuration changes. SSO portals also allow them to quickly iterate through applications to\r\nfind those that would benefit their campaign.\r\nThe SaaS Application Exploits section below expands on this activity.\r\nAccessing an Organization’s Cloud Service Provider Environments\r\nHow attackers access organizations' different CSP environments depends on their unique configurations. The\r\nMuddled Libra group takes advantage of any authentication method to gain access to an organization's cloud\r\nnetwork, most commonly organizations’ AWS and Azure environments.\r\nSimilar to the activity we described with attackers accessing SaaS applications, if SSO is integrated with an\r\norganization’s CSP, attackers use this functionality to gain access to those CSP environments. 
If SSO is not\r\nconfigured, the group performs discovery across an organization's environment to uncover CSP credentials stored\r\nin unsecured locations due to an organization's poor technology hygiene.\r\nSaaS Application Exploits\r\nWhen reviewing common SaaS application exploits, attacker activity falls under three categories:\r\nFinding relevant data\r\nLocating credentials\r\nModifying SaaS application configuration\r\nFigure 3 fits these activities under discovery in the MITRE ATT\u0026CK framework.\r\nFigure 3. Muddled Libra’s discovery techniques using SaaS.\r\nDepending on the type of SaaS application, the data within the application might be more beneficial for use by\r\nthreat actors in traditional data exfiltration or for learning about a target’s environment configuration. Historically,\r\nMuddled Libra looks for data that falls under either of these classifications within any SaaS application they\r\ncompromise. They also make a large effort to search for other credentials within a SaaS application.\r\nSensitive credentials can be exposed in logs, as well as within PMS applications and SaaS applications that scan\r\nfor sensitive information. Muddled Libra methodically searches for applications that might store this type of\r\nvaluable information to then use later on in their attacks for privilege escalation and lateral movement.\r\nMicrosoft provides a wide range of services and tools that become key targets during an attack due to their high\r\nvalue to both organizations and threat actors. An example of how Muddled Libra takes advantage of a SaaS\r\napplication is how the group exploits Microsoft SharePoint.\r\nThe SharePoint platform is used by organizations to store files that document network topology, as well as what\r\ntools an organization uses and other general information. 
Muddled Libra targets this platform to gain a better\r\nunderstanding of the network configuration within a company and which tools they can exploit, such as remote\r\naccess tools.\r\nAs with any file storage tool, other sensitive information (such as passwords) can also get leaked from these\r\ndocuments. Also, within the Microsoft 365 (M365) suite, the group targets email boxes and other email\r\nfunctionality to gain access to sensitive data.\r\nCSP Reconnaissance and Gathering Intel\r\nA large portion of Muddled Libra’s campaigns involves gathering intelligence and data. Attackers then use this to\r\ngenerate new vectors for lateral movement within an environment. Organizations store a variety of data within\r\ntheir unique CSP environments, thus making these centralized locations a prime target for Muddled Libra. Figure\r\n4 itemizes these discovery tactics.\r\nFigure 4. Muddled Libra’s discovery techniques using AWS.\r\nAWS Intel Gathering\r\nMuddled Libra targets a wide range of services within an organization’s AWS environment to gather more intel for\r\nuse later on in the attack. These services include AWS IAM, Amazon Simple Storage Service (S3) and AWS\r\nSecrets Manager.\r\nThe IAM service provides the following information:\r\nWhich users exist within the AWS account\r\nAccess keys associated with users\r\nWhat identity provider connections exist\r\nSome AWS IAM API calls that can be used for reconnaissance include:\r\nListUsers\r\nListGroups\r\nListRoles\r\nListSSHPublicKeys\r\nListServiceSpecificCredentials\r\nListSigningCertificates\r\nListOpenIDConnectProviders\r\nListSAMLProviders\r\nThe first three – listing users, groups and roles – provide the threat actors with high-level information about user\r\ngroups and what unique roles an organization has created to meet their business needs. 
The rest of the API calls\r\nreturn information about the following:\r\nSSH public keys\r\nService credentials\r\nCertificates\r\nVarious identity providers\r\nThe threat actor group wants to learn about these things to broaden their understanding of the environment\r\nconfiguration for the next stages of their attack. None of these API calls return sensitive information associated\r\nwith the various credentials.\r\nS3 buckets, which are an AWS object-level storage service, can contain any sort of data depending on an\r\norganization. Because of this, Muddled Libra spends time listing available buckets and then reviewing bucket data\r\nmore closely depending on the relevance of the bucket names. Some reconnaissance AWS S3 API calls include\r\nListBuckets and various GetBucket* operations.\r\nSecrets Manager can store sensitive secrets, so this service is especially interesting for the group to use for lateral\r\nmovement to other applications within the environment. While native cloud credentials cannot be discovered or\r\nenumerated using cloud APIs, legacy technologies such as SQL databases running within a cloud environment\r\ntypically require credentials such as usernames and passwords. Secrets Manager is designed to store such secrets,\r\nand also has features for automatically rotating them periodically.\r\nSome reconnaissance AWS Secrets Manager API calls include:\r\nListSecrets\r\nDescribeSecret\r\nGetSecretValue\r\nThe GetSecretValue event specifically returns the data stored within a secret. This helps the group move laterally\r\nto other applications if the secret contains credentials.\r\nAzure Intel Gathering\r\nTo collect sensitive data and network configuration details within Azure, Muddled Libra focuses on storage\r\naccount access keys and resource groups. 
Storage account access keys provide access to an Azure storage account,\r\nallowing Muddled Libra to iterate through resources such as Azure Blob Storage and Azure Files to locate the\r\nmost valuable data relevant to their attack.\r\nBoth Azure Blob and Azure Files provide organizations with unique storage offerings built for a variety of data\r\ntypes. Figure 5 highlights the group’s discovery tactics using Azure.\r\nFigure 5. Muddled Libra’s discovery techniques using Azure.\r\nAzure resource groups are logical containers used to batch resources together. By simply learning the names of the\r\nvarious resource groups, threat actors can figure out which resource groups contain the most valuable virtual\r\nmachines (VMs) that might contain sensitive data. The Figure 6 diagram shows what these resource groups\r\npotentially encompass that might be of interest to the threat actors.\r\nFigure 6. Resource group with various attacker targets.\r\nCSP Data Exfiltration Techniques\r\nMuddled Libra leverages legitimate CSP services and features to more quickly and efficiently exfiltrate data.\r\nThese components exist for organizations to better manage their workloads and simplify their processes, but as\r\nwith many tools, threat actors can use those same services to accomplish their malicious goals.\r\nAWS Exfiltration Techniques\r\nWhen it comes to exfiltrating data from an organization's AWS environment, Muddled Libra targets two legitimate\r\nAWS services to quickly move data. Muddled Libra uses both the AWS DataSync and AWS Transfer services to\r\ntransfer data from an on-premises environment to the cloud and then from the cloud to an external entity.\r\nAWS DataSync enables the transfer of data from on-premises to various AWS storage services. The AWS Transfer\r\nservice enables data transfer to and from various AWS storage services. 
Figure 7 highlights these exfiltration\r\ntactics.\r\nFigure 7. Muddled Libra’s exfiltration techniques using AWS.\r\nBy using these services in tandem, Muddled Libra can move data very quickly out of an environment. When a\r\nnew AWS Transfer server gets created, the following AWS API events appear in the CloudTrail logs:\r\nCreateServer\r\nCreateUser\r\nAn AWS Transfer user is specifically created as part of the host creation, so the CreateUser event is associated\r\nwith transfer.amazonaws.com as the event source. To protect against this activity, organizations can use the AWS\r\nIAM Access Analyzer to gauge the permissiveness of resources and lock down credentials to follow the principle\r\nof least privilege. In addition to limiting IAM permissions, organizations can use AWS Service Control Policies\r\n(SCPs) to completely block services an organization doesn’t use, such as DataSync or AWS Transfer, regardless of\r\nthe permissions associated with a principal.\r\nAzure Exfiltration Techniques\r\nOne method of data exfiltration threat actors use in Azure exploits traditional VM functionality known as\r\nsnapshots to take images of hosts that contain sensitive information pertinent to Muddled Libra’s attack\r\nobjectives. Snapshots allow users to take a point-in-time image of a virtual hard disk (VHD).\r\nCSPs have restrictions in place regarding sharing snapshot resources with external entities. Muddled Libra avoids\r\nthis by creating new VMs within the compromised environment and then saving the relevant operational data from\r\nthe snapshots to the newly created hosts for staging before exfiltrating the data. Figure 8 lists these collection and\r\nexfiltration techniques.\r\nFigure 8. 
Muddled Libra’s collection and exfiltration techniques using Azure.\r\nOnce the data exists on the newly created VMs, threat actors can exfiltrate the data via traditional network\r\nexfiltration techniques.\r\nConclusion\r\nBy expanding its tactics to include SaaS applications and cloud environments, Muddled Libra\r\nshows the multidimensionality of cyberattacks in the modern threat landscape. The use of cloud\r\nenvironments to gather large amounts of information and quickly exfiltrate it poses new challenges to defenders.\r\nFigure 9 displays the full attack chain used by Muddled Libra when targeting SaaS applications and organizations'\r\nCSP environments.\r\nFigure 9. Muddled Libra attack chain in the cloud.\r\nIdentity Portals provide a great starting point for centralizing credential management, reducing administrative\r\noverhead and improving the end-user experience, but this also makes them prime targets for attackers. These\r\nplatforms must be protected with robust and difficult-to-bypass secondary authentication factors such as hardware\r\ntokens or biometrics, and they should be closely monitored for unusual activity.\r\nTo protect CSP identities, defenders can use AWS IAM roles and Microsoft Entra Privileged Identity Management\r\n(PIM) to limit the long-term access attackers can gain, forcing attackers to reauthenticate more often. 
This\r\nlimitation adds another layer of complexity to the threat actor’s attack, and the reauthentication process creates\r\nmore abnormal, detectable events for defenders.\r\nDespite Muddled Libra’s constantly changing attack tactics, defenders can build better protections by\r\nunderstanding the end goal of these threat actors and then implementing and improving technology protections to\r\nsafeguard environments.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from the threats discussed above through Prisma Cloud, which\r\nprovides detection, alerting and mitigation operations across several components within multicloud and hybrid\r\nenvironments.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nSource: https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"
	],
	"report_names": [
		"muddled-libra-evolution-to-cloud"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775791852,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39819aca78b91cdee315d46eee85d333d2698721.pdf",
		"text": "https://archive.orkl.eu/39819aca78b91cdee315d46eee85d333d2698721.txt",
		"img": "https://archive.orkl.eu/39819aca78b91cdee315d46eee85d333d2698721.jpg"
	}
}