Global Business Defends Against Multiphased Muddled Libra Cyberattack

Unit 42® was called in to investigate a complex attack involving social engineering, exploiting security tools and data theft.


To identify, contain, and evict threat actor


To identify new TTPs of emerging threat actor, helping contain future incidents faster


From Cortex XDR® blocking a second brute force attack to Unit 42 MDR team responding and recommending defensive measures

The Client

Global business process outsourcing company

The Challenge

The client was the target of a sophisticated cyberattack executed by Muddled Libra. Five attacks within a one-week period demonstrated the threat actor’s ability to adapt and find new pathways into the network, including using the victim’s own security tools for lateral movement and further compromise. Unit 42 was brought in to:

  • Investigate and respond to multiple attack attempts.
  • Contain and remediate, emphasizing a holistic security approach.
  • Leverage deep knowledge of the threat actor to implement robust security measures.

Unit 42’s Rigorous Incident Response Approach for Superior Outcomes


Assessed the environments to identify signs of unauthorized access and suspicious activities to determine the scope and impact of the attacks.


Unit 42 conducted a broad investigation and gathered evidence to quickly identify impacted systems and accounts.


Advised the client to secure compromised accounts and systems, begin Active Directory reconstruction, immediately isolate affected systems, change passwords and harden firewalls.


Priority was to restore affected systems to a secure state, apply patches and harden network vulnerabilities.


The client worked with Unit 42 to apply lessons learned to drive ongoing improvements to their security practices, implementing awareness training and conducting regular security assessments.

First trigger point






Scroll right

Resolution Timeline






Attack 1

Identified initial signs of unauthorized access and suspicious activities and assessed the scope and impact of the intrusion.

Investigated digital evidence to identify systems and accounts involved.

Secured compromised accounts, isolated compromised systems, began Active Directory reconstruction and firewall hardening.

Restored affected systems to a secure state, removing any malicious presence and hardening vulnerabilities.

Attack 2

Performed continuous monitoring for unauthorized activities, assessing extent of lateral movement and reconnaissance.

Further investigation to identify tools and techniques used by the threat actor.

Implemented additional security measures to mitigate risks, including blocking access to specific tools and updating security policies.

Identified exfiltrated data, restored affected systems and identified and remediated vulnerabilities.

Attack 3

Assessed impact of unauthorized access attempts into a third-party virtualized domain, evaluating potential risks and exposure.

Further investigation to determine the extent of unauthorized access and potential data exfiltration.

Secured third-party domain, implementing stronger access controls and conducting security assessments.

Began identifying exfiltrated data and restoring third-party domain to a secure state, identifying and remediating vulnerabilities.

Strengthened security posture of third-party domain, implementing additional security controls and conducting regular audits.

Attack 4

Assessed impact and evaluated potential exposure of unauthorized access to file share and email operations.

Further investigation to identify accounts involved and extent of data accessed or manipulated.

Secured affected accounts and systems, resetting passwords and implementing additional monitoring and access controls.

Recovered compromised data and restored affected accounts and systems, identifying and remediating vulnerabilities.

Enhanced data protection measures, implementing data loss prevention controls and strengthening email security protocols.

Attack 5

Assessed overall impact of network intrusion and effectiveness of security measures, evaluating readiness to prevent future incidents.

Identified any remaining vulnerabilities or potential areas of improvement, reviewing IR process and security policies.

Implemented additional security controls, conducted penetration testing and enhanced monitoring capabilities.

Continuous monitoring and proactive threat hunting to ensure systems were free from unauthorized access.

Used lessons learned to drive long-term improvements in security practices, conducted regular security assessments and training.

Last trigger point

Threat-informed Incident Response

With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.

Backed by the Industry’s Best

  • Threat Intel logo icon
    Threat Intel

    Extensive telemetry and intelligence for accelerated investigation and remediation.

  • Technology icon

    Palo Alto Networks platform for in-depth visibility to find, contain and eliminate threats faster, with limited disruption.

  • Experience symbol

    Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.