September 25, 2024 at 08:48AM
A threat actor called SloppyLemming, likely based in India, is using cloud services to target energy, defense, government, telecom, and tech entities in Pakistan and other South and East Asian countries. Cloudflare reports the group’s operations align with Outrider Tiger, known for using Sliver and Cobalt Strike in attacks. SloppyLemming focuses on credential harvesting and malicious email delivery. It has been observed redirecting users to a file hosted on Dropbox to exploit a WinRAR vulnerability and delivering spear-phishing emails. Cloudflare has identified and mitigated 13 Workers associated with the threat actor, and analysis suggests possible intentions to expand operations to Australia or other countries.
Key Takeaways from Meeting Notes:
– A threat actor known as SloppyLemming, likely operating out of India, has been conducting cyberattacks against various entities in Pakistan and other South and East Asian countries since 2022.
– The group’s operations align with Outrider Tiger, a threat actor linked to India, known for using adversary emulation frameworks such as Sliver and Cobalt Strike in its attacks.
– The threat actor heavily relies on credential harvesting, phishing emails, and malicious tools like CloudPhish and Cloudflare Workers to gain access to targeted email accounts and exfiltrate data.
– SloppyLemming has targeted government and military organizations in Sri Lanka and Bangladesh, as well as energy and academic sector entities in China, in addition to its primary focus on Pakistan.
– Evidence suggests the threat actor has attempted to expand its operations to other countries, including Australia.
– The group has been observed using various methods such as exploiting vulnerabilities in WinRAR, using malicious PDF files, and delivering spear-phishing emails to carry out its attacks.
– Analysis by Cloudflare has uncovered multiple command-and-control (C&C) domains used by the threat actor, indicating a sophisticated and wide-reaching operation.
These key takeaways provide a clear understanding of the activities and methods employed by the threat actor, highlighting the areas of focus and potential future targets.