Threat Group 'Bling Libra' Pivots to Extortion for Cloud Attacks

The ShinyHunters attackers are skipping selling stolen data on hacker forums in favor of using deadline-driven ransom notes for financial gain.


The threat group behind the infamous Ticketmaster breach earlier this summer is evolving its tactics to go beyond data theft and subsequent sale of stolen data. It's now embracing extortion-based attacks as it continues to target cloud environments with legitimate credentials.

Researchers at Palo Alto Networks' Unit 42 have revealed new details about the operations of the group it calls "Bling Libra" (aka ShinyHunters), which is perhaps best known for stealing an impressive 560 million customer records from events giant Ticketmaster and putting them up for sale on BreachForums earlier this year.

Since then, Bling Libra has continued to target cloud environments with a consistent attack pattern, according to a recent blog post by Unit 42's Margaret Zimmermann and Chandni Vaya. Since its inception in 2020, the group has been acquiring legitimate credentials in order to target database infrastructure and steal personally identifiable information (PII).

However, while the recent shift in tactics relies on the same initial-access routine, Bling Libra has now pivoted to the double-extortion tactics typically associated with ransomware gangs — first stealing data from victims, then threatening to publish it online if a ransom isn't paid.

Targeting AWS for Extortion

In a recent attack investigated by Unit 42, the group targeted an organization's Amazon Web Services (AWS) environment by using stolen credentials to gain access and then proceeded to poke around on the network, the researchers said.

"While the permissions associated with the compromised credentials limited the impact of the breach, Bling Libra infiltrated the organization’s AWS environment and conducted reconnaissance operations," they wrote in the post. The group used tools such as the Amazon Simple Storage Service (S3) Browser and WinSCP to gather information on S3 bucket configurations, access S3 objects, and delete data.

Bling Libra lifted AWS credentials from a sensitive file exposed on the Internet that actually contained a variety of credentials, the researchers noted. However, the group "specifically targeted the exposed AWS access key belonging to an identity and access management (IAM) user and a handful of other exposed credentials," they wrote.

The credentials allowed the threat actors to gain access to the AWS account where the IAM user resided and to perform AWS API calls against the S3 bucket in the context of the AmazonS3FullAccess policy, which grants the user full access to S3.

In this case, however, it was enough for attackers to lurk on the network for about a month before launching an attack that exfiltrated data and deleted it from the environment, leaving behind an extortion note that gave the organization one week to pay a ransom. Bling Libra also created new S3 buckets in their wake, presumably "to mock the organization about the attack," the researchers said.
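A defender-side illustration of the sequence described above (reconnaissance of bucket configurations, object deletion, then creation of new buckets under a single IAM user's access key), written as an added example that is not Unit 42's or the article's code. It scans constructed CloudTrail-style S3 events per access key, reports the dwell time between first reconnaissance and first deletion, and notes whether the key is a long-term IAM user key (AKIA prefix) rather than a temporary STS key (ASIA prefix); the sample events, user names and key IDs are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed CloudTrail-style events (sample data, not from any real incident).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2024-05-01T09:00:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets",
  "userIdentity":{"type":"IAMUser","userName":"deploy-user","accessKeyId":"AKIAEXAMPLE000000001"}},
 {"eventTime":"2024-05-01T09:05:00Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketPolicy",
  "userIdentity":{"type":"IAMUser","userName":"deploy-user","accessKeyId":"AKIAEXAMPLE000000001"}},
 {"eventTime":"2024-05-30T02:00:00Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObject",
  "userIdentity":{"type":"IAMUser","userName":"deploy-user","accessKeyId":"AKIAEXAMPLE000000001"}},
 {"eventTime":"2024-05-30T02:30:00Z","eventSource":"s3.amazonaws.com","eventName":"CreateBucket",
  "userIdentity":{"type":"IAMUser","userName":"deploy-user","accessKeyId":"AKIAEXAMPLE000000001"}},
 {"eventTime":"2024-05-30T03:00:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "userIdentity":{"type":"AssumedRole","userName":"ci-role","accessKeyId":"ASIAEXAMPLE000000002"}}
]""")

# S3 API names as they appear in CloudTrail's eventName field.
RECON = {"ListBuckets", "GetBucketPolicy", "GetBucketAcl", "GetBucketLocation", "ListObjects"}
DESTRUCTIVE = {"DeleteObject", "DeleteObjects", "DeleteBucket"}

def flag_extortion_pattern(events):
    """Return {accessKeyId: details} for keys whose S3 activity moved, in order,
    from reconnaissance to object deletion to creation of a new bucket."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventSource"] == "s3.amazonaws.com":
            by_key[ev["userIdentity"]["accessKeyId"]].append(ev)
    flagged = {}
    for key, evs in by_key.items():
        first_recon = first_delete = first_create = None
        for ev in evs:
            name = ev["eventName"]
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            if name in RECON and first_recon is None:
                first_recon = ts
            elif name in DESTRUCTIVE and first_recon and first_delete is None:
                first_delete = ts
            elif name == "CreateBucket" and first_delete and first_create is None:
                first_create = ts
        if first_create:
            flagged[key] = {
                "user": evs[0]["userIdentity"].get("userName"),
                # Long-term IAM user keys start with AKIA; temporary STS keys start with ASIA.
                "long_term_key": key.startswith("AKIA"),
                "dwell_days": (first_delete - first_recon).days,
            }
    return flagged

if __name__ == "__main__":
    print(json.dumps(flag_extortion_pattern(SAMPLE_EVENTS), indent=2))
```

Run against real CloudTrail exports the same fields apply; the long dwell between recon and deletion is the window in which rotating the exposed key would have cut the attack short.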

Credentials Remain a Security Hole

The Ticketmaster attack that came to light in June was notable for the sheer amount of data Bling Libra was able to procure in the attack, with the group claiming at the time that the more than half-million records stolen included PII such as names, emails, addresses, and partial payment-card details.

Later that month, the group also claimed responsibility for a separate attack on a similar company in Australia, Ticketek Entertainment Group (TEG); like Ticketmaster, that attack occurred in May. Indeed, the group has been tied to several notable data breaches affecting tens of millions of data records.

In many cases, Bling Libra attacks its ultimate targets through a third-party cloud provider. In the case of Ticketmaster and others, that provider was Snowflake, and attackers used credentials of legitimate cloud accounts that were vulnerable because they did not have multifactor authentication (MFA) activated.

Indeed, lack of MFA and "a concerning trend of overly permissive credentials" are common themes in how Bling Libra and other attackers gain access to cloud environments, the researchers wrote. Since more and more organizations are moving critical operations to the cloud, defenders need to resolve basic issues around authentication and permissions to have any hope of avoiding compromise by savvy actors, they said.

Unit 42 recommended that organizations always use MFA wherever possible to avoid the initial-access scenario that Bling Libra exploited in the attack. Employing a secure IAM solution that restricts user permissions to only the processes and assets they need (regardless of the individual IAM policies within each account) also could have prevented the attackers from gaining access to sensitive data, the researchers said.

"As businesses increasingly embrace cloud technologies, the threat posed by groups like Bling Libra underscores the importance of robust cybersecurity practices," they wrote. "By implementing proactive security measures and monitoring critical log sources, organizations can effectively safeguard their cloud assets and mitigate the impact of cyberthreats."

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
