August 28, 2024 at 05:13AM
The threat group Bling Libra, known for the Ticketmaster breach, has evolved its tactics from data theft to extortion-based attacks targeting cloud environments. Using stolen credentials, they infiltrate AWS, exfiltrate data, and demand ransom. Weak authentication practices leave organizations vulnerable, emphasizing the need for multifactor authentication and secure IAM solutions in cloud security.
The report indicates that the threat group “Bling Libra” has evolved its tactics beyond data theft to include extortion-based attacks on cloud environments using legitimate credentials. The group has been acquiring legitimate credentials to access database infrastructure and steal personally identifiable information.
In a recent attack investigated by Unit 42, Bling Libra targeted an organization’s Amazon Web Services (AWS) environment using stolen credentials, infiltrating the AWS environment and conducting reconnaissance operations. The attackers used various tools to gather information on S3 bucket configurations, access S3 objects, and delete data. They exfiltrated data and left an extortion note, demanding ransom payment within a week.
It’s worth noting that the group has been linked to several notable data breaches, including the Ticketmaster breach and an attack on Ticketek Entertainment Group (TEG). Bling Libra often exploits vulnerabilities in third-party cloud providers and takes advantage of weak authentication practices, such as the lack of multifactor authentication (MFA) and overly permissive credentials.
Unit 42 recommends that organizations prioritize the implementation of multifactor authentication (MFA) and employ a secure IAM solution to restrict user permissions. It also emphasizes robust cybersecurity practices, proactive security measures, and monitoring of critical log sources so that organizations can safeguard their cloud assets and limit the impact of such threats.
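To make the "monitor critical log sources" recommendation concrete, here is an added example (not code from Unit 42 or the report) that groups S3 API calls in CloudTrail by caller and flags the reconnaissance, object access and deletion chain described above, noting when the session was not MFA-authenticated. The CloudTrail records are constructed sample data, the account id and user names are placeholders, and the threshold of three distinct reconnaissance calls is an arbitrary choice.

```python
import json
from collections import Counter, defaultdict

# Constructed CloudTrail records (sample data, not from the report). Field names follow
# the real CloudTrail schema; the account id and user names are placeholders.
def _rec(name, arn, mfa):
    return json.dumps({"eventSource": "s3.amazonaws.com", "eventName": name,
                       "userIdentity": {"arn": arn, "sessionContext": {
                           "attributes": {"mfaAuthenticated": mfa}}}})

STOLEN = "arn:aws:iam::111122223333:user/svc-backup"  # placeholder: abused identity
NORMAL = "arn:aws:iam::111122223333:user/alice"       # placeholder: routine user
CLOUDTRAIL_LINES = (
    [_rec(n, STOLEN, "false") for n in (
        "ListBuckets", "GetBucketAcl", "GetBucketPolicy", "GetBucketVersioning",
        "GetObject", "GetObject", "DeleteObject", "DeleteObject", "DeleteObject")]
    + [_rec(n, NORMAL, "true") for n in ("GetObject", "GetObject")])

RECON_CALLS = {"ListBuckets", "GetBucketAcl", "GetBucketPolicy", "GetBucketVersioning"}
DESTRUCTIVE_CALLS = {"DeleteObject", "DeleteObjects", "DeleteBucket"}

def triage(lines):
    """Summarise S3 calls per caller and flag recon -> object access -> delete chains."""
    calls, no_mfa = defaultdict(Counter), set()
    for line in lines:
        e = json.loads(line)
        if e.get("eventSource") != "s3.amazonaws.com":
            continue
        arn = e["userIdentity"]["arn"]
        calls[arn][e["eventName"]] += 1
        # CloudTrail records mfaAuthenticated as the string "true"/"false"; long-term
        # access keys carry no sessionContext at all, which also counts as no MFA here.
        mfa = e["userIdentity"].get("sessionContext", {}).get("attributes", {})
        if mfa.get("mfaAuthenticated") != "true":
            no_mfa.add(arn)
    findings = {}
    for arn, c in calls.items():
        recon = sorted(n for n in RECON_CALLS if n in c)
        deletes = sum(c[n] for n in DESTRUCTIVE_CALLS)
        reasons = []
        if len(recon) >= 3:
            reasons.append("bucket reconnaissance: " + ", ".join(recon))
        if deletes:
            reasons.append(f"{c['GetObject']} GetObject call(s) and {deletes} delete call(s)")
        if reasons and arn in no_mfa:
            reasons.append("session not MFA-authenticated")
        if reasons:
            findings[arn] = reasons
    return findings
```

Running `triage(CLOUDTRAIL_LINES)` flags only the abused identity, with all three reasons; the routine user's MFA-backed reads produce no finding.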