The Bling Libra group, known as the group behind ShinyHunters, has changed its methods, switching from selling stolen data to extortion. This became known after an incident in which specialists from Palo Alto Networks uncovered the attackers' new tactics.
In the campaign under consideration, Bling Libra used legitimate credentials found in public repositories to gain access to the cloud resources of a company on the Amazon Web Services (AWS) platform. Although the permissions attached to these credentials were limited, the group managed to get into the environment and carry out reconnaissance. To access the data, the attackers used tools such as S3 Browser and WinSCP.
What makes these tools notable for security researchers is that they generate distinctive events in AWS logs, which makes it possible to distinguish actions performed by the attackers from automated operations. This finding helps security specialists monitor activity in cloud environments more accurately.
Bling Libra first appeared in 2020 and has since carried out a number of large attacks, including the Microsoft GitHub and Tokopedia data leaks. The group traditionally used legitimate credentials to gain access to databases containing personal information, which it then sold on underground markets. In 2024, however, it changed tactics and began blackmailing its victims, demanding a ransom in exchange for the safety of the data.
After gaining access, the attackers conduct careful reconnaissance to determine which resources are available to them, then return some time later to carry out the attack. In the campaign Palo Alto Networks investigated, the attackers deleted part of the data and created new S3 buckets, probably to mock the organization. Once the attack was complete, Bling Libra sent the victim a letter demanding a ransom.
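The detection idea behind the two paragraphs above, as an added example that is not part of the original report: triage CloudTrail records by user agent to separate interactive client tools from automated SDK traffic, then list the destructive S3 calls made with the same access key. The user-agent markers for S3 Browser and WinSCP and all record values are assumptions constructed for the example, not values from the incident.

```python
import json
import re
from collections import defaultdict

# Constructed CloudTrail-style records: field names follow the CloudTrail schema,
# every value (keys, buckets, user agents, timestamps) is invented for this example.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-06-01T10:00:00Z", "eventName": "ListBuckets",
     "userAgent": "[S3 Browser/11.6.7]", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-06-01T10:02:00Z", "eventName": "GetObject",
     "userAgent": "[S3 Browser/11.6.7]", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db.sql"}},
    {"eventTime": "2024-06-03T08:00:00Z", "eventName": "DeleteObject",
     "userAgent": "WinSCP/6.1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db.sql"}},
    {"eventTime": "2024-06-03T08:05:00Z", "eventName": "CreateBucket",
     "userAgent": "WinSCP/6.1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"bucketName": "unexpected-new-bucket"}},
    {"eventTime": "2024-06-03T09:00:00Z", "eventName": "PutObject",
     "userAgent": "aws-sdk-java/1.12.0", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"},
     "requestParameters": {"bucketName": "app-logs", "key": "x.log"}},
]})

# Assumed user-agent markers for the two interactive clients; confirm them against your own logs.
INTERACTIVE_CLIENT_RE = re.compile(r"S3 Browser|WinSCP")
# S3 calls that remove or reshape data and therefore matter once a key is under suspicion.
DESTRUCTIVE_EVENTS = {"DeleteObject", "DeleteObjects", "DeleteBucket", "CreateBucket"}
READ_EVENTS = {"ListBuckets", "ListObjects", "GetObject"}

def triage(cloudtrail_json):
    """Return {accessKeyId: {"clients": set, "reads": int, "destructive": [..]}} for every
    access key seen using an interactive client; SDK/automated traffic is left out."""
    suspects = defaultdict(lambda: {"clients": set(), "reads": 0, "destructive": []})
    for rec in json.loads(cloudtrail_json)["Records"]:
        match = INTERACTIVE_CLIENT_RE.search(rec.get("userAgent", ""))
        if not match:
            continue
        entry = suspects[rec["userIdentity"].get("accessKeyId", "unknown")]
        entry["clients"].add(match.group(0))
        bucket = rec.get("requestParameters", {}).get("bucketName", "?")
        if rec["eventName"] in DESTRUCTIVE_EVENTS:
            entry["destructive"].append(f'{rec["eventName"]}:{bucket}')  # what to restore/revoke first
        elif rec["eventName"] in READ_EVENTS:
            entry["reads"] += 1  # reconnaissance and download volume before the destructive phase
    return dict(suspects)

if __name__ == "__main__":
    for key, info in triage(SAMPLE_RECORDS).items():
        print(key, sorted(info["clients"]), "reads:", info["reads"], "destructive:", info["destructive"])
```

The reads counted days before the destructive calls reflect the reconnaissance-then-return pattern described above, so a key with interactive reads but no destructive events yet is the moment to rotate it.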
This case is another reminder of the importance of regularly reviewing security settings and restricting access rights in cloud systems. Palo Alto Networks recommends using reliable analysis and monitoring tools to minimize risk and prevent such attacks.