Bling Libra Shifts Focus to Extortion in Cloud-Based Attacks

 

It was observed during an incident response engagement handled by Unit 42, that the threat actor group Bling Libra (which was responsible for distributing ShinyHunters ransomware) had shifted from extortion to extortion of victims rather than its traditional tactic of selling/publishing stolen data in an attempt to increase their profits. 
During this engagement, it was also demonstrated how the group was able to acquire legitimate credentials, which were accessed from public repositories, to gain initial access to an organization’s Amazon Web Services (AWS) environment through its public username and password.

The compromised credentials had limited impact due to the limited permissions associated with them, but Bling Libra managed to infiltrate the organization’s AWS environment and conduct reconnaissance operations on it during this time. 

The threat actor group used various tools for gaining information and accessing S3 bucket configurations, interacting with S3 objects, as well as deleting files from the service using tools such as the Amazon Simple Storage Service (S3) Browser and WinSCP.

As a result of previous jobs with high-profile data breaches, including the Microsoft GitHub and Tokopedia incidents in 2020, Bling Libra has developed a special part of their business model that enables them to monetize stolen data through underground marketplaces. 

There has, however, been a signific

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Read the original article: