A recent cybersecurity report has revealed that a threat actor tracked as “SloppyLemming,” previously tracked by CrowdStrike as Outrider Tiger, has been abusing Cloudflare Workers and a variety of other cloud services and tools to conduct espionage against government and law enforcement entities in the Indian subcontinent. This cyber espionage campaign has targeted a wide range of sensitive organizations, including government agencies, IT and telecommunications providers, construction companies, and even Pakistan’s lone nuclear power facility. Pakistani police departments and law enforcement agencies were specifically singled out by SloppyLemming, with further attacks extending to the military and government bodies of Bangladesh and Sri Lanka, as well as entities within China’s energy and academic sectors. There have also been indications of potential targeting in and around Australia’s capital city, Canberra, raising concerns about the extensive reach of this threat actor.
The intricacies of the campaign orchestrated by SloppyLemming have been detailed in a recent blog post by Cloudflare, shedding light on the utilization of platforms such as Discord, Dropbox, GitHub, and, notably, Cloudflare’s own Workers platform in phishing attack chains aimed at credential harvesting and email compromise. The attackers employed spear-phishing emails as the initial entry point, often disguising malicious activities as legitimate communications, such as fake maintenance alerts from government entities. However, what sets SloppyLemming apart is its abuse of Cloudflare’s Workers service to further their malicious objectives.
Cloudflare Workers, a serverless computing platform that runs scripts on web traffic passing through Cloudflare’s global edge servers, was abused by SloppyLemming to carry out its operations. Like other legitimate multipurpose services, Cloudflare Workers can be turned to malicious ends, as shown by earlier incidents in which Korean hackers used Workers for SEO spam and a threat group used it for a backdoor communication technique named “BlackWater.” Against this backdrop, SloppyLemming used a custom tool called “CloudPhish” to log credentials and exfiltrate sensitive data from targeted organizations. The tool let the threat actors build malicious web pages that mimic legitimate login portals and capture the login details of unsuspecting victims.
Furthermore, SloppyLemming’s tactics extended to the abuse of Google OAuth tokens through a malicious Cloudflare Worker and the exploitation of a critical vulnerability in WinRAR versions prior to 6.23, identified as CVE-2023-38831. By redirecting victims to a Dropbox URL containing a malicious RAR file exploiting this vulnerability, the threat actors were able to deploy a remote access tool (RAT) and continue their malicious activities. The complexity and magnitude of SloppyLemming’s attack chains across multiple cloud services underscore the challenges faced by organizations in defending against such sophisticated threats.
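The three delivery patterns described above (a login-lookalike page served from a Worker, a Google OAuth consent request whose redirect lands on a Worker, and a RAR archive fetched from Dropbox) can be turned into simple proxy-log detections. The following is an added example written for this article, not code from Cloudflare or from the report; the log format, the hostnames and the `.workers.dev` suffix as an indicator are assumptions (the suffix is the one Cloudflare assigns to Workers without a custom domain, and is only a useful signal where the organisation has no legitimate Workers traffic).

```python
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical proxy log format (constructed for this example): "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

WORKERS_SUFFIX = ".workers.dev"   # default hostname suffix for Cloudflare Workers (assumed indicator)
DROPBOX_HOSTS = {"www.dropbox.com", "dl.dropboxusercontent.com"}
LOGIN_WORDS = ("login", "signin", "auth", "owa", "webmail", "portal")

def classify(url):
    """Return a rule name if the URL matches one of the patterns from the report, else None."""
    u = urlparse(url)
    host, path, query = (u.hostname or "").lower(), u.path.lower(), parse_qs(u.query)
    # Rule 1: Google OAuth consent request whose redirect_uri points at a Worker (token capture via Worker).
    if host == "accounts.google.com" and any(
            (urlparse(r).hostname or "").lower().endswith(WORKERS_SUFFIX)
            for r in query.get("redirect_uri", [])):
        return "oauth-redirect-to-worker"
    # Rule 2: login-looking page served from a Worker (credential-harvesting lookalike portal).
    if host.endswith(WORKERS_SUFFIX) and any(w in path for w in LOGIN_WORDS):
        return "login-page-on-worker"
    # Rule 3: RAR archive downloaded from Dropbox (the CVE-2023-38831 delivery path in the report).
    if host in DROPBOX_HOSTS and path.endswith(".rar"):
        return "rar-from-dropbox"
    return None

def scan(lines):
    """Return a list of (timestamp, client, url, rule) for every log line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        rule = classify(m["url"])
        if rule:
            hits.append((m["ts"], m["client"], m["url"], rule))
    return hits

# Constructed sample log lines; every hostname, path and address below is made up for this example.
SAMPLE_LOG = [
    "2024-09-01T08:00:01Z 10.1.1.5 GET https://www.example.gov/news 200",
    "2024-09-01T08:02:11Z 10.1.1.5 GET https://mail-update.example-account.workers.dev/owa/login.html 200",
    "2024-09-01T08:03:40Z 10.1.1.7 GET https://accounts.google.com/o/oauth2/v2/auth?client_id=x&redirect_uri=https%3A%2F%2Fcb.example-account.workers.dev%2Fcallback&scope=https%3A%2F%2Fmail.google.com%2F 302",
    "2024-09-01T08:05:02Z 10.1.1.9 GET https://www.dropbox.com/s/abc123/Maintenance_Notice.rar?dl=1 200",
    "2024-09-01T08:06:15Z 10.1.1.9 GET https://www.dropbox.com/s/abc123/Notes.txt?dl=1 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Each rule alone is noisy; the value is in correlating a Rule 2 or Rule 1 hit with a Rule 3 download from the same client within a short window, which is the chain the report describes.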
Blake Darché, the head of Cloudforce One at Cloudflare, emphasized the importance of implementing robust network security measures, such as zero-trust architectures, to mitigate the risks posed by threats like SloppyLemming. He highlighted the need for organizations to closely monitor their network traffic across various platforms, including DNS, email, and web traffic, to gain a comprehensive understanding of potential threats. As cyber adversaries continue to exploit cloud services and legitimate tools for malicious purposes, proactive cybersecurity strategies and heightened vigilance are essential in safeguarding sensitive data and thwarting espionage attempts.
