

Severity
High
Analysis Summary
A threat actor is conducting espionage against government and law enforcement targets in the Indian subcontinent using Cloudflare Workers together with other cloud services and tools.
The advanced persistent threat (APT) group, known as "SloppyLemming", has previously been linked to India by researchers, who track it as Outrider Tiger. That attribution is consistent with the group's most recent effort to steal sensitive information from vulnerable organizations in countries bordering India.
Government organizations including legislative bodies, defense, foreign affairs, and IT and telecommunications corporations, as well as Pakistan's only nuclear power plant, were among its victims. SloppyLemming's attacks targeted Pakistani police departments and other law enforcement agencies in particular, but they also affected the governments and militaries of Bangladesh and Sri Lanka, as well as academic and energy-related organizations in China. There have also been indications of possible targeting in and around Canberra, the capital of Australia.
According to a recent blog post, the campaign uses GitHub, Dropbox, Discord and, most significantly, Cloudflare's own "Workers" platform in phishing attack chains that end in email compromise and credential harvesting. SloppyLemming attacks typically begin with spear-phishing emails, for example messages posing as maintenance alerts from a police station's IT department. In the second stage the attacks stand out by abusing Cloudflare's Workers service.
A serverless computing platform called Cloudflare Workers runs scripts on Web traffic that passes through Cloudflare's worldwide servers. They are essentially sections of JavaScript that intercept requests made to a user's website while they are in transit, applying various functions to them (such as adding security headers or redirecting links) before they reach the user's origin server. Cloudflare Workers are versatile, multipurpose legitimate services that can also be misused for nefarious purposes. A backdoor known as "BlackWater" used Workers to communicate with its command-and-control (C2) server, and in 2020, Korean threat actors utilized it for SEO spam. The next year, attackers exploited it to enable a bitcoin scam.
SloppyLemming handles credential logging and exfiltration with a purpose-built tool called "CloudPhish". Before exfiltration, the CloudPhish operator specifies the targets and the channel to be used. The tool then scrapes the HTML of the target's webmail login page and builds a malicious copy of it. When the target enters their login credentials on that copy, the credentials are stolen through a Discord webhook.
SloppyLemming has further tricks in its bag. In some cases it collected Google OAuth tokens using a rogue Worker. Another Worker redirected to a Dropbox URL hosting a RAR file built to exploit CVE-2023-38831, a high-severity vulnerability (CVSS 7.8 out of 10) in WinRAR versions earlier than 6.23; a Russian threat group has used the same vulnerability against Ukrainian civilians. This Dropbox-heavy exploit chain was followed by a remote access tool (RAT) that relied on many Workers.
Most threat actors try to exploit organizations by chaining disparate services from different vendors, which makes it hard for victims to correlate what they see. They routinely use at least three, four or five different cloud tools. Many organizations struggle to understand what enters and leaves their networks across all of their perimeters (DNS traffic, email traffic, web traffic) and to see the whole picture. Understanding attack chains that spread across so many platforms requires good control over the network and a zero-trust architecture.
Impact
- Sensitive Information Theft
- Cyber Espionage
- Credential Theft
- Data Exfiltration
Indicators of Compromise
MD5
- fa40357daaa8ed8e73eeef25f0f478ac
- e2a32e7d772a9a4eeccee9c71ec3a6d4
SHA-256
- ac3dff91982709f575cfbc6954b61130b4eeab5d3759772db220f1b76836be4d
- 82e99ceea9e6d31555b0f2bf637318fd97e5609e3d4d1341aec39db2e26cf211
SHA-1
- bc490c61ce87efc0faf93dd4160219ef303e3e1d
- b53de85852479ea2a772bd3407b9e4d38eb1e1e7
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training for users to recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.
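One way to act on the "search for indicators of compromise" step above, as an added example that is not part of the advisory or of any vendor tooling: a small Python sweep over constructed key=value DNS and proxy log lines that matches the advisory's published domains at registered-domain level (so subdomains such as acrobat.paknavy-pk.org also hit) and its SHA-256 hash, and additionally flags brand-lookalike domains with a Levenshtein heuristic. The log format, the brand list and the edit-distance thresholds are assumptions made for this example.

```python
import re
# Indicators copied from the advisory above (a subset of its published list).
IOC_DOMAINS = {"cloudlflares.com", "cflayerprotection.com", "adobefileshare.com", "paknavy-pk.org"}
IOC_HASHES = {"ac3dff91982709f575cfbc6954b61130b4eeab5d3759772db220f1b76836be4d"}
# Brands the campaign's lookalike domains imitate (assumption drawn from that list).
IMITATED_BRANDS = ("cloudflare", "adobe", "canonical")
# Constructed sample log lines in key=value style, not real telemetry.
SAMPLE_LOG = """\
2024-09-26T10:02:11Z type=dns client=10.0.0.12 query=acrobat.paknavy-pk.org
2024-09-26T10:03:40Z type=proxy client=10.0.0.12 host=cloudlflares.com sha256=ac3dff91982709f575cfbc6954b61130b4eeab5d3759772db220f1b76836be4d
2024-09-26T10:05:02Z type=dns client=10.0.0.31 query=www.cloudflare.com
2024-09-26T10:07:55Z type=proxy client=10.0.0.44 host=adobe-fileshare.net sha256=0000000000000000000000000000000000000000000000000000000000000000
"""
KV = re.compile(r"(\w+)=(\S+)")

def registered_domain(host):
    """Collapse subdomains so openkm.paknavy-pk.org matches paknavy-pk.org."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):  # Levenshtein distance, used to catch near-miss brand spellings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(host):
    """Return the brand a host imitates, or None (the genuine brand domain included)."""
    label = registered_domain(host).split(".")[0]
    for brand in IMITATED_BRANDS:
        # Tolerate one edit for short brands, two for longer ones (e.g. cloudlflares).
        if label != brand and (brand in label or edit_distance(label, brand) <= max(1, len(brand) // 5)):
            return brand
    return None

def sweep(log_text):
    """Return (timestamp, client, reason) for every IoC or lookalike hit."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        ts, client, host = line.split(" ", 1)[0], fields.get("client"), fields.get("query") or fields.get("host")
        if host and registered_domain(host) in IOC_DOMAINS:
            hits.append((ts, client, "ioc-domain:" + host))
        elif host and lookalike_brand(host):
            hits.append((ts, client, "lookalike:" + host))
        if fields.get("sha256") in IOC_HASHES:
            hits.append((ts, client, "ioc-hash:" + fields["sha256"]))
    return hits
```

Running sweep(SAMPLE_LOG) yields four hits: two watchlist domains, one hash match, and one lookalike; the genuine www.cloudflare.com lookup is not flagged.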