September 26, 2024 at 12:35AM
A threat actor known as “SloppyLemming,” identified as an advanced persistent threat (APT) by Crowdstrike, is conducting espionage against government and law enforcement targets in the Indian subcontinent. They utilize Cloudflare Worker cloud services and various tools in phishing attack chains for credential harvesting and email compromise, targeting sensitive organizations in multiple countries.
Based on the meeting notes, the key takeaways are:
– A threat actor named SloppyLemming, also known as Outrider Tiger by Crowdstrike, is conducting espionage against government and law enforcement targets in the Indian subcontinent.
– SloppyLemming has targeted a wide range of organizations, including government agencies, IT and telecommunications providers, construction companies, and a nuclear power facility in Pakistan.
– The group’s campaign involves the use of cloud services such as Cloudflare Workers, Discord, Dropbox, and GitHub to carry out phishing attacks that lead to credential harvesting and email compromise.
– Cloudflare Workers are being abused by SloppyLemming to run malicious scripts, including phishing and exfiltration of stolen login information through Discord webhooks.
– The threat actor is also exploiting other cloud services for malicious purposes, such as collecting Google OAuth tokens and using Dropbox URLs to deliver a remote access tool exploiting a WinRAR vulnerability.
– Blake Darché of Cloudflare emphasized the importance of having good control of network traffic and implementing zero-trust architectures to better understand and defend against such multi-platform attack chains.
These takeaways provide a clear understanding of the threat posed by SloppyLemming and the methods they are using to conduct their espionage activities, particularly through the abuse of various cloud services.