
'Muddled Libra' Targets BPO Sector with Advanced Social Engineering


The BPO industry is facing a persistent threat from a malicious actor called Muddled Libra. This threat actor employs advanced social engineering tactics to launch repeated attacks and gain unauthorized entry into BPO systems. 

Business process outsourcing (BPO) is the act of delegating specific business functions or processes to an external service provider. Frequently known as information technology-enabled services (ITES), BPO relies on the use of IT to enable and streamline outsourced operations within the contemporary business environment. 

Unit 42, the cybersecurity research team that tracks the group, categorizes cybercrime groups under the designation "Libra," following its constellation-based naming theme. The threat actor was named "Muddled Libra" because of the uncertainty surrounding its use of the 0ktapus phishing framework. 

The intrusion set known as 0ktapus, or Scatter Swine, emerged in August 2022 and gained attention for smishing attacks against numerous organizations, with Twilio and Cloudflare among the prominent targets. 

Additionally, in the same year, CrowdStrike disclosed a series of cyberattacks that targeted telecom and BPO companies, starting as early as June 2022. These attacks employed a combination of credential phishing and SIM-swapping techniques. 

The activity cluster is also tracked as Roasted 0ktapus, Scattered Spider, and UNC3944. The group gains initial access through smishing combined with the 0ktapus phishing kit; these attacks typically culminate in data theft and the establishment of long-term persistence. 

Another notable characteristic of their operations involves leveraging compromised infrastructure and stolen data to launch subsequent attacks on the victims' customers. In some cases, they even target the same victims repeatedly to replenish their dataset. 

Unit 42, which investigated multiple Muddled Libra incidents between June 2022 and early 2023, described the group as persistent, methodical, and highly adaptable in pursuit of its objectives, swiftly changing its attack strategy whenever it encounters obstacles. 

"Unit 42 decided to name Muddled Libra because of the confusing muddled landscape associated with the 0ktapus phishing kit, since the kit is now widely available, many other threat actors are adding it to their arsenal. Using the 0ktapus phishing kit alone doesn't necessarily classify a threat actor as what Unit 42 calls Muddled Libra," senior threat researcher Kristopher Russo reported. 

Additionally, Muddled Libra favors legitimate remote management tools to maintain continuous access, tampers with endpoint security solutions to evade detection, and uses tactics such as MFA (multi-factor authentication) notification fatigue to steal credentials.
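To make the last of those tactics concrete from the defender's side, here is an added example (not from the original post or from Unit 42) that flags the MFA-fatigue pattern in constructed push-notification log lines: a user approving a prompt only after a burst of denied or timed-out prompts. The log format, user names, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs). One event per line:
# timestamp, user, result  (result is one of approved / denied / timeout)
SAMPLE_EVENTS = """\
2023-06-12T09:00:05Z alice approved
2023-06-12T22:14:01Z bob denied
2023-06-12T22:14:40Z bob denied
2023-06-12T22:15:12Z bob timeout
2023-06-12T22:15:55Z bob denied
2023-06-12T22:16:30Z bob denied
2023-06-12T22:17:02Z bob approved
2023-06-12T23:05:00Z carol denied
2023-06-12T23:30:00Z carol approved
"""

def parse_events(text):
    """Parse the assumed log format into sorted (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Flag users who approve a push after at least min_rejections rejected or
    timed-out pushes inside the preceding window.
    Returns {user: (rejection_count, approval_timestamp)}."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    findings = {}
    for user, items in by_user.items():
        for i, (ts, result) in enumerate(items):
            if result != "approved":
                continue
            # Count non-approved prompts that precede this approval within the window.
            rejections = sum(1 for t, r in items[:i]
                             if r != "approved" and ts - t <= window)
            if rejections >= min_rejections:
                findings[user] = (rejections, ts)
    return findings

if __name__ == "__main__":
    for user, (n, when) in detect_mfa_fatigue(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible MFA fatigue: {user} approved at {when} after {n} rejected pushes")
```

A single denied prompt followed by an approval (carol above) is ordinary user behaviour and is not flagged; tune the window and threshold to your identity provider's prompt cadence.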