Tag: Network Threats

How ‘Muddled Libra’ Cybercrime Group Exploits BPO Sector with Sophisticated Social Engineering Techniques

The BPO sector is currently under attack by a cybercrime group known as Muddled Libra, which employs sophisticated social engineering tactics to gain unauthorized access. These persistent attacks have raised concerns within the cybersecurity community.

Palo Alto Networks Unit 42, in a technical report, revealed that the emergence of the 0ktapus phishing kit in late 2022 introduced a new attack style associated with Muddled Libra. The kit provided a ready-made hosting framework and bundled templates, leading to its widespread adoption. The name “Libra” is used by the cybersecurity company to designate cybercrime groups, while the term “muddled” reflects the uncertainty surrounding the utilization of the 0ktapus framework.

The 0ktapus framework, also referred to as Scatter Swine, was initially discovered in August 2022 in connection with smishing attacks on numerous organizations, including Twilio and Cloudflare. CrowdStrike later disclosed a series of cyber assaults targeting telecom and BPO companies since June 2022. These attacks involved a combination of credential phishing and SIM swapping, and the cluster responsible for them is tracked under different names, such as Roasted 0ktapus, Scattered Spider, and UNC3944.

Kristopher Russo, a senior threat researcher, explained that Muddled Libra was named due to the perplexing landscape surrounding the 0ktapus phishing kit. He noted that while many threat actors have incorporated the kit into their arsenal, merely using it does not classify them as part of Muddled Libra, according to Unit 42’s classification.

The attacks initiated by this e-crime group employ smishing and the 0ktapus phishing kit to gain initial access. They typically culminate in data theft and the establishment of long-term persistence. Another notable characteristic is the group’s utilization of compromised infrastructure and stolen data to carry out subsequent attacks on the customers of their victims. In some instances, they even target the same victims repeatedly to replenish their dataset.

Unit 42, after investigating several Muddled Libra incidents from June 2022 to early 2023, described the group as relentless, methodical, and highly adaptable in their attack strategies. They swiftly adjust their tactics when faced with obstacles. Alongside using a variety of legitimate remote management tools to maintain persistent access, Muddled Libra tamper with endpoint security solutions to evade detection. They also exploit the fatigue caused by multi-factor authentication (MFA) notifications to steal credentials.

Furthermore, the threat actors have been observed gathering lists of employees, their job roles, and cellular phone numbers to execute smishing and prompt bombing attacks. If this approach fails, Muddled Libra actors resort to contacting the organization’s help desk, pretending to be the victims, in order to enroll a new MFA device under their control.

The researchers emphasized the notable success of Muddled Libra’s social engineering tactics. They have demonstrated a remarkable level of confidence when interacting with help desk personnel and other employees over the phone, successfully persuading them to engage in unsafe actions.

The attacks also involve the use of credential-stealing tools like Mimikatz and Raccoon Stealer to escalate privileges. Additionally, various scanners are employed for network discovery, enabling the extraction of data from platforms such as Confluence, Jira, Git, Elastic, Microsoft 365, and internal messaging systems.

Unit 42 speculated that the creators of the 0ktapus phishing kit do not possess the same advanced capabilities as Muddled Libra, and despite some similarities in their tradecraft, there is no definitive connection between the actor and UNC3944.

what is arkime (moloch)?

Arkime, formerly known as Moloch, is a powerful tool for full packet capture and analysis. It offers a wide range of features that make it a must-have tool for network security professionals. Some of the main features of Arkime include:

  1. Packet capture: Arkime can capture all network traffic passing through a particular network interface, allowing security analysts to analyze the traffic and identify potential threats.
  2. Indexing and search: Arkime uses Elasticsearch to store and index captured packets, which makes it easy for analysts to search for specific packets or packets containing specific patterns or keywords.
  3. Web-based user interface: Arkime includes a powerful web-based user interface that allows analysts to search and analyze captured traffic, as well as visualize network traffic data in real-time. The user interface is highly customizable, and analysts can create custom dashboards and visualizations to meet their specific needs.
  4. Advanced analysis capabilities: Arkime can perform advanced network traffic analysis, including protocol decoding, session reassembly, and file carving. This makes it possible for analysts to detect and investigate a wide range of security threats, including malware, phishing attacks, and data exfiltration.
  5. Support for multiple file formats: Arkime can capture and analyze a wide range of network protocols, including TCP, UDP, HTTP, and SSL. It also supports a variety of file formats, including PCAP, JSON, and ASCII.
  6. Scalability: Arkime is designed to be highly scalable, and it can be deployed in large-scale environments. It can handle large amounts of network traffic data, making it suitable for use in high-bandwidth environments.

Overall, Arkime is a comprehensive tool that offers a wide range of features for full packet capture and analysis. Its advanced analysis capabilities, support for multiple file formats, and scalability make it a must-have tool for any organization that needs to monitor and secure its network.

Learn how to identify and prevent malware attacks with Suricata intrusion detection system rules

How To Detect Malware With Suricata Rules.

Suricata is a highly efficient, open-source, and multi-platform network security engine that incorporates advanced Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) technologies. Developed and maintained by the Open Information Security Foundation (OISF) community since 2009, Suricata offers a comprehensive solution for detecting and preventing network security threats.

As we already explained in this article, an IDS is a passive system that is responsible for monitoring the behavior of a network to detect and report on possible unauthorized intrusions, while an IPS is an active system that works as an extension of the IDS and that , in addition to sending alerts on detections, it can also block malicious activity within the network – such as brute force attacks, DDoS, or attacks that seek to exploit vulnerabilities – and create a log with the intrusion. All this from the traffic, the file signatures, and the heuristic analysis of the flow. Additionally, IPS allows adding policies and restricting access to users and / or even applications.

That said, the most common uses for Suricata are related to scanning network traffic and analyzing traffic logs within a sandbox or sandbox environment (such as running malware). However, we can also use this tool for creating rules in order to classify malware.

Testing Meerkat

Next, we are going to see a simple example of how to use Suricata for malware classification.

Suppose we have a machine destined to perform dynamic analysis of malware samples, we could add different Suricata rules to be able to classify the type of malware that is running according to the traffic.

In this case, while a sample of the Trickbot banking Trojan is running on the network , a .pcap file is generated with information on the behavior of the traffic.

Through the network flow generated by the malware and knowing its behavior, we could create some rules in Suricata in the /etc/suricata/

rules folder :

In this Image you can see the list of some rules that come by default when installing Suricata.

Before proceeding with the generation of the rule to detect Trickbot, we will see a short description of the basic fields to generate rules in Suricata:

Action HeaderRule Options
  • Action: corresponds to the action (drop, alert, etc.) that Suricata will perform when the rule is identified in the network flow.
  • Header: this section corresponds to the specific network flow to be analyzed. From origin to destination. With the word “any” we can tell Meerkat that all ports will be analyzed.
  • Rule: rule to implement to detect malware in our case. Within this field there are keywords that help us create our rule:
    • Msg: alert message that Suricata will issue.
    • flow: network flow.
    • Content: contains the character string to be searched within the traffic.
    • Reference: contains references, in this case we put a verification MD5 hash of a Trickbot sample.
    • Sid: ID of the identified rule.
    • Rev: version of the rule.
    • Classtype: provides information on the classification of rules and alerts.

Taking as an example the rule for Trickbot malware, let’s proceed to add the Suricata rule in the / etc / suricata / rules directory for its detection: We save our rule for Trickbot taken from the aforementioned repository

Now we go on to analyze the traffic with Suricata by executing the command:
sudo suricata -c /etc/suricata/suricata.yaml -r [file.pcap]:

The previous statement generates four files:

The eve.json file is the file that interests us the most at the moment, since it is the output file that provides information about alerts, anomalies, metadata, and even information about specific files and logs:

If we search for the name of the message  Trickbot  with the command:

grep “Trickbot” eve.json

We will see that our rule was able to detect the malicious file as Trickbot.

To close this proof of concept it is important to mention that Suricata is a very useful tool to perform Threat Hunting . It is capable of identifying network protocols (TPC, UDP, HTTP, ICMP, etc.) enabling real-time control of the traffic generated on our network and controlling the presence of possible malicious codes. The latter can be done through MD5 checks, as we saw in the Trickbot rule.

On the other hand, we also recommend reviewing the Suricata Open Source repository of Emerging Threats rules , where you can find rules that detect new threats.
install-Suricata-in-Linux

How to install Suricata in Linux.

Suricata is an open-source network intrusion detection and prevention system (IDS/IPS) that can be used to detect and prevent cyber attacks on a computer network. It uses a variety of techniques, including signature-based detection and protocol analysis, to identify and block malicious traffic.

Installing Suricata on a Linux operating system is a multi-step process that involves the following steps:

1. Verify that your Linux system meets the minimum requirements for running Suricata. This includes checking that you have a supported version of Linux and that you have the necessary dependencies installed.

A supported version of Linux: Suricata is compatible with various Linux distributions such as Ubuntu, Debian, Fedora, and CentOS. You can check your Linux version by running the command.
  • GCC compiler: Suricata requires a C compiler to build the source code. You can check if GCC is installed on your system by running the command
"gcc --version"
  • Libpcap library: Suricata uses the libpcap library to capture network traffic. You can check if libpcap is installed on your system by running the command
"ldconfig -p | grep libpcap"
  • libyaml library: Suricata uses the libyaml library for parsing YAML files. You can check if libyaml is installed on your system by running the command
"ldconfig -p | grep libyaml"
  • libjansson library: Suricata uses the libjansson library for JSON data handling. You can check if libjansson is installed on your system by running the command
"ldconfig -p | grep libjansson"
  • libmagic library: Suricata uses the libmagic library to detect file types. You can check if libmagic is installed on your system by running the command
"ldconfig -p | grep libmagic"

Please note that these commands are for checking the dependencies in Ubuntu and Debian based distributions. In other distributions, the package manager commands may be different, for example, in Red Hat-based systems, you should use yum instead of apt-get.

2. Download the latest version of Suricata from the official website (https://suricata-ids.org/download/)

3.Extract the downloaded package using the command

tar -xvzf suricata-version.tar.gz

4. Change directory to the extracted package by running

cd suricata-version

5. Run the command

"./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var"

to configure the installation.

6. Run the command to build the source code.

"make"

7. Run the command to install Suricata.

sudo make install-full

8. Configure Suricata by editing the configuration file located at /etc/suricata/suricata.yaml.

9. Start Suricata by running the command

(assuming that the interface you want to listen on is eth0)

"suricata -c /etc/suricata/suricata.yaml -i eth0" 

10. Verify that Suricata is running correctly by checking the output of the command

sudo suricata -i eth0 --list-runmode-helpers

It’s always recommended to check the official documentation of Suricata for the specific version that you are installing and to be aware of the dependencies that your system needs to have installed before proceeding with the installation. It’s always recommended to consult the official documentation of Suricata for the specific version that you are installing and to be aware of the dependencies that your system needs to have installed.

Powered by WordPress & Theme by Anders Norén