‘SloppyLemming’ APT Targets Government and Law Enforcement Agencies via Cloudflare
September 26, 2024
The Advanced Persistent Threat (APT) group 'SloppyLemming' is exploiting Cloudflare Workers and other cloud services to conduct espionage against government and law enforcement targets in and around the Indian subcontinent. The group, also tracked as Outrider Tiger, has previously been linked to India by cybersecurity firm CrowdStrike. Its targets include government agencies such as legislative bodies, foreign affairs, and defense ministries, as well as IT and telecommunications providers, construction companies, and Pakistan's only nuclear power facility. The group has also targeted Pakistani police departments and other law enforcement agencies, and its attacks have extended to the Bangladeshi and Sri Lankan militaries and governments, as well as organizations in China's energy and academic sectors. There are also indications of potential targeting in or around Australia's capital, Canberra.
The group's campaign, detailed in a new blog post from Cloudflare, uses Discord, Dropbox, GitHub, and most notably Cloudflare's own 'Workers' platform in phishing attack chains that result in credential harvesting and email compromise. The attacks typically start with a spear-phishing email, such as a fake maintenance alert from a police station's IT department. The group then abuses Cloudflare's Workers service in the second step of the attack. Cloudflare Workers is a serverless computing platform for running scripts that operate on web traffic flowing through Cloudflare's global servers. It can be put to malicious use, and has been abused in the past for SEO spam, as a front for command-and-control (C2) servers, and to facilitate cryptocurrency scams.
'SloppyLemming' uses a custom-built tool called 'CloudPhish' to handle credential logging and exfiltration. The tool is used to define targets and the intended exfiltration channels, scrape the HTML of the target's webmail login page, and create a malicious copycat of it. The victim's login information is then stolen via a Discord webhook. In some cases the group has also used a malicious Worker to collect Google OAuth tokens, and another Worker to redirect to a Dropbox URL hosting a RAR file designed to exploit CVE-2023-38831, a high-severity issue in WinRAR versions prior to 6.23. The same vulnerability was recently used by a Russian threat group against Ukrainian citizens. At the end of the exploit chain, a remote access tool (RAT) is deployed that engages several more Workers.
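The attack chain above (a Workers-hosted phishing page, credentials posted to a Discord webhook, then a RAR archive fetched from Dropbox) can be correlated per client in web proxy logs. The following is an added detection example, not code from the article or from Cloudflare; the log format and the host patterns (*.workers.dev, discord.com/api/webhooks/, Dropbox download hosts) are assumptions for illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log sample (not from the article): time, client, method, URL.
SAMPLE_LOG = """\
2024-09-20T09:01:10Z 10.0.5.21 GET https://it-maintenance-alert.workers.dev/login
2024-09-20T09:01:42Z 10.0.5.21 POST https://discord.com/api/webhooks/1234/abcd
2024-09-20T09:02:05Z 10.0.5.21 GET https://dl.dropboxusercontent.com/s/xyz/update.rar
2024-09-20T09:03:00Z 10.0.5.40 GET https://example.org/index.html
2024-09-20T09:03:30Z 10.0.5.40 POST https://discord.com/api/webhooks/9999/efgh
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def classify(method: str, url: str):
    """Map one request to a stage of the chain the article describes, or None."""
    parts = urlsplit(url)
    host, path = (parts.hostname or ""), parts.path.lower()
    # Stage 1: phishing page on Cloudflare Workers (assumption: served from *.workers.dev).
    if host.endswith(".workers.dev"):
        return "workers_page"
    # Stage 2: harvested credentials posted to a Discord webhook.
    if method == "POST" and host == "discord.com" and path.startswith("/api/webhooks/"):
        return "discord_webhook"
    # Stage 3: RAR archive fetched from Dropbox (the CVE-2023-38831 lure).
    if host.endswith(("dropbox.com", "dropboxusercontent.com")) and path.endswith(".rar"):
        return "dropbox_rar"
    return None

def stages_by_client(log_text: str) -> dict:
    """Per client IP, the distinct stages observed, in order of first appearance."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        _ts, client, method, url = m.groups()
        stage = classify(method, url)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return dict(seen)

def flag_clients(log_text: str, min_stages: int = 2) -> list:
    """Clients that hit at least `min_stages` distinct stages; a lone webhook POST is noise."""
    return sorted(c for c, s in stages_by_client(log_text).items() if len(s) >= min_stages)
```

Requiring two or more stages from one client keeps legitimate Discord or Dropbox use from firing on its own, while a Workers page followed by a webhook POST from the same host is worth a ticket.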
Blake Darché, head of Cloudforce One at Cloudflare, notes that threat actors are generally trying to take advantage of companies by using different services from different companies, so victims can't coordinate what they're doing. He suggests implementing zero-trust architectures to understand what's going in and out of the network, through all the different peripheries: DNS traffic, email traffic, web traffic, understanding it in totality. He believes many organizations are struggling in this area.