September 26, 2024 at 02:57AM
Cloudflare has observed an advanced threat actor using multiple cloud service providers for credential harvesting, malware delivery, and command-and-control. The actor, known as SloppyLemming, targets government, law enforcement, energy, education, telecommunications, and technology entities in South and East Asian countries. The attacks involve spear-phishing emails, malicious links, and custom-built tools for acquiring unauthorized access.
Key points from the report:
1. A threat actor named SloppyLemming, also known as Outrider Tiger and Fishing Elephant, with ties to India, has been observed using multiple cloud service providers for malicious activities such as credential harvesting, malware delivery, and command-and-control operations.
2. The activities have targeted several South and East Asian countries, including Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia, with a focus on government, law enforcement, energy, education, telecommunications, and technology entities.
3. SloppyLemming’s attack techniques include spear-phishing emails, credential harvesting pages, and the use of custom-built tools like CloudPhish to exfiltrate victim credentials.
4. The threat actor has been seen leveraging malware such as Ares RAT and WarHawk, with connections to known hacking crews like SideWinder and SideCopy.
5. SloppyLemming’s tactics involve exploiting vulnerabilities in software such as WinRAR (CVE-2023-38831) and using booby-trapped archives to achieve remote code execution.
6. Cloudflare has tracked SloppyLemming’s efforts to target Pakistani police departments, law enforcement organizations, and entities related to Pakistan’s nuclear power facility.
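Point 5 mentions booby-trapped archives abusing WinRAR's CVE-2023-38831 but does not describe the trigger. As an added defensive example (not code from the Cloudflare report or from any tool it names), the script below inspects a ZIP listing for the publicly documented structural marker of that bug: a decoy file whose name ends in a space, alongside a same-named folder holding a script whose name begins with the decoy name. It only reads entry names, never extracts anything, and the sample archive it builds is a constructed, inert placeholder; the executable-extension list is an assumption chosen for illustration.

```python
"""Flag ZIP listings that match the CVE-2023-38831 WinRAR trigger layout."""
import io
import zipfile

# Assumed set of extensions worth flagging inside the same-named folder.
EXECUTABLE_EXTS = (".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".scr")


def find_cve_2023_38831_pattern(names):
    """Return sorted (decoy_file, script_entry) pairs matching the layout.

    Checked layout: a top-level file entry whose name ends with a space,
    a directory with exactly that name (explicit entry or implied by a
    nested path), and inside it a file whose name starts with the decoy
    name and ends with an executable extension. Names only; no extraction.
    """
    files = {n for n in names if not n.endswith("/")}
    dirs = set()
    for n in names:
        parts = n.rstrip("/").split("/")
        # Explicit directory entries and implied parent directories.
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
        if n.endswith("/"):
            dirs.add(n.rstrip("/"))

    hits = []
    for decoy in files:
        # Only top-level names with a trailing space are of interest.
        if "/" in decoy or not decoy.endswith(" ") or decoy not in dirs:
            continue
        for candidate in files:
            if not candidate.startswith(decoy + "/"):
                continue
            inner = candidate[len(decoy) + 1:]
            if inner.startswith(decoy) and inner.lower().endswith(EXECUTABLE_EXTS):
                hits.append((decoy, candidate))
    return sorted(hits)


def scan_zip_bytes(data):
    """Open an in-memory ZIP and return matching pairs (empty list if clean)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_cve_2023_38831_pattern(zf.namelist())


def build_sample(malicious):
    """Constructed, inert sample archive used only to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("report.pdf ", b"decoy bytes (constructed)")
            zf.writestr("report.pdf /report.pdf .cmd", b"rem constructed placeholder")
        else:
            zf.writestr("report.pdf", b"decoy bytes (constructed)")
            zf.writestr("notes/readme.txt", b"constructed text")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("benign", False)):
        print(label, scan_zip_bytes(build_sample(flag)))
```

In practice this check belongs at the mail gateway or in an archive-inspection step, and a hit should be treated as a reason to block and investigate rather than as proof of exploitation; patching WinRAR (fixed in 6.23) remains the primary mitigation.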