Headline
'SloppyLemming' APT Abuses Cloudflare Service in Pakistan Attacks
Who needs advanced malware when you can take advantage of a bunch of OSS tools and free cloud services to compromise your target?
Source: National Picture Library via Alamy Stock Photo
A threat actor is leveraging Cloudflare Worker cloud services and other tools to perform espionage against government and law enforcement targets in and around the Indian subcontinent.
“SloppyLemming” is an advanced persistent threat (APT) that Crowdstrike (tracking it as Outrider Tiger) has previously linked to India. That attribution rings consistent with the group’s latest effort to steal valuable intelligence from a wide range of sensitive organizations in countries hugging India’s borders.
Among its victims: government agencies — legislative bodies, foreign affairs, defense — IT and telecommunications providers, construction companies, and Pakistan’s sole nuclear power facility. Pakistani police departments and other law enforcement came under particular fire, but SloppyLemming’s attacks also spread to the Bangladeshi and Sri Lankan militaries and governments, as well as organizations in China’s energy and academic sectors, and there have been hints of potential targeting in or around Australia’s capital, Canberra.
The campaign, described in a new blog post from Cloudflare, employs Discord, Dropbox, GitHub, and most notably Cloudflare’s own “Workers” platform together in phishing attack chains that end in credential harvesting and email compromise.
Hackers Using Cloudflare Workers
SloppyLemming attacks generally begin with a spear-phishing email — say, a fake maintenance alert from a police station’s IT department. It distinguishes itself more in step two when it abuses Cloudflare’s Workers service.
Cloudflare Workers are a serverless computing platform for running scripts that operate on Web traffic flowing through Cloudflare’s global servers. They’re essentially chunks of JavaScript that intercept requests made to a user’s website in transit — before they reach the user’s origin server and apply some sort of function to them, for example, redirecting links or adding security headers.
Like other flexible, multifunctional legitimate services, Cloudflare Workers can also be abused for malicious ends. In 2020, Korean hackers used Workers to perform SEO spam, and a backdoor called “BlackWater” used it to interface with its command-and-control (C2) server; the following year, attackers used it to facilitate a cryptocurrency scam.
SloppyLemming uses a custom-built tool called “CloudPhish” to handle credential logging logic and exfiltration. CloudPhish users first define their targets, and their intended channel for exfiltration. Then the program scrapes the HTML content associated with the target’s webmail login page, and creates a malicious copycat with it. When the target enters their login information, it’s stolen via a Discord webhook.
Abusing Cloud Services
SloppyLemming has other tricks up its sleeve, too. In limited cases, it used a malicious Worker to collect Google OAuth tokens.
Another Worker was used to redirect to a Dropbox URL, where lay a RAR file designed to exploit CVE-2023-38831, a “high” severity, 7.8 out of 10 CVSS-rated issue in WinRAR versions prior to 6.23. The same vulnerability was recently used by a Russian threat group against Ukrainian citizens. At the end of this Dropbox-heavy exploit chain was a remote access tool (RAT) that engaged several more Workers.
“They use at least three, or four, or five different cloud tools,” notes Blake Darché, head of Cloudforce One at Cloudflare. “Threat actors generally are trying to take advantage of companies by using different services from different companies, so [victims] can’t coordinate what they’re doing.”
To make sense of attack chains that spread across so many platforms, he says, “You’ve got to have good control of your network, and implement zero-trust architectures so you understand what’s going in and out of your network, through all the different peripheries: DNS traffic, email traffic, Web traffic, understanding it in totality. I think a lot of organizations really struggle in this area.”
About the Author
Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes “Malicious Life” – an award-winning Top 20 tech podcast on Apple and Spotify – and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts “The Industrial Security Podcast,” the most popular show in its field.
Related news
By Deeba Ahmed Group-IB Report Warns of Evolving Cyber Threats Including AI and macOS Vulnerabilities and Ransomware Attacks. This is a post from HackRead.com Read the original post: Report Uncovers Massive Sale of Compromised ChatGPT Credentials
The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct said in a Thursday analysis. UAC-0099 was first
A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan
By Deeba Ahmed All a user needs to do is visit the official WinRAR website and install the latest version to thwart the attack. This is a post from HackRead.com Read the original post: APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
State-sponsored cyber espionage actors from Russia and China continue to target WinRAR users with various info-stealing and backdoor malware, as a patching lag plagues the software's footprint.
A number of state-back threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively
Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems. "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as
A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with VenomRAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as
The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country. The intrusion, per the agency, started with a phishing email containing a link to a malicious ZIP archive that activates the infection chain. “Visiting the link will download a ZIP archive containing three JPG images (
A recently patched security flaw in the popular WinRAR archiving software has been exploited as a zero-day since April 2023, new findings from Group-IB reveal. The vulnerability, cataloged as CVE-2023-38831, allows threat actors to spoof file extensions, thereby making it possible to launch malicious scripts contained within an archive that masquerades as seemingly innocuous image or text files.