A sophisticated threat actor tracked as “SloppyLemming” has been abusing Cloudflare’s cloud services to run a large-scale espionage campaign against government agencies, law enforcement, and other sensitive organizations in South Asia, primarily Pakistan, along with Bangladesh, Sri Lanka, China, and potentially Australia.
The group combines spear-phishing emails with the Cloudflare Workers platform, Discord, Dropbox, and GitHub to compromise targets. An attack begins with a spear-phishing email whose link points at a Cloudflare Worker; the Worker intercepts the victim’s requests, redirecting them and serving a credential-harvesting login page. The group’s custom tool, “CloudPhish,” generates these credential-stealing Workers, which exfiltrate the captured logins through a Discord webhook, so the stolen data never passes through attacker-owned servers that defenders could easily block.
SloppyLemming has also used other cloud tooling to collect Google OAuth tokens, and has delivered malware through archives that exploit a vulnerability in WinRAR versions prior to 6.23, so updating WinRAR to 6.23 or later closes that vector. The campaign’s reliance on legitimate, widely trusted cloud platforms highlights why organizations need zero-trust architectures and closer monitoring of outbound traffic, since allowing a service by name alone is no longer a safe decision.
To mitigate the risk, experts recommend tight control over network egress, implemented through DNS traffic filtering, email scanning, and web traffic monitoring, with particular attention to traffic toward services such as Cloudflare Workers, Discord, Dropbox, and GitHub that the attacker repurposes as infrastructure. By mapping attack chains that span multiple platforms, organizations can spot the individual hops (phishing link, Worker-hosted login page, webhook exfiltration) and defend against similar threats in the future.
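The web traffic monitoring recommended above can be turned into a concrete check against the attack chain described earlier (Worker-hosted login page, credentials POSTed to it, exfiltration via a Discord webhook). The following is an added example written for this page; it is not code from the article or from Cloudflare’s report. The proxy log format, the field names, the sample log lines, and the host and path patterns are all constructed assumptions, and the Discord webhook pattern only catches webhook calls made from inside the monitored network (in the CloudPhish chain the Worker itself forwards credentials to Discord, so that hop is invisible to the victim’s proxy; it is included as a general exfiltration indicator).

```python
"""Flag Cloudflare Workers credential-phishing pages and Discord webhook exfiltration
in web-proxy logs.

Added example for this page, not code from the article or from Cloudflare's report.
The log format, field names, indicator patterns and sample lines are assumptions
constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed (constructed) proxy log line: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Indicators derived from the campaign description in the text.
WORKERS_DEV = re.compile(r"(^|\.)workers\.dev$", re.I)        # Worker-hosted page
DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/\d+/", re.I)    # webhook exfil endpoint
LOGIN_HINT = re.compile(r"(login|signin|auth|oauth|password|account)", re.I)


def parse_line(line):
    """Parse one log line into a dict with host/path/query split out; None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path or "/"
    rec["query"] = parts.query
    return rec


def classify(rec):
    """Return the list of indicator tags that apply to one parsed record."""
    tags = []
    if WORKERS_DEV.search(rec["host"]):
        tags.append("workers.dev")
        if rec["method"] == "POST":
            # A form submission to a workers.dev host is the credential-capture hop.
            tags.append("post-to-workers.dev")
        if LOGIN_HINT.search(rec["path"] + "?" + rec["query"]):
            tags.append("login-like-path")
    if rec["host"] in ("discord.com", "discordapp.com") and DISCORD_WEBHOOK.match(rec["path"]):
        tags.append("discord-webhook")
    return tags


def analyze(lines):
    """Aggregate indicator tags per client IP; clients with no hits are omitted."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        for tag in classify(rec):
            hits[rec["client"]].add(tag)
    return {client: sorted(tags) for client, tags in hits.items()}


def high_confidence(hits):
    """Clients that both reached a login-looking workers.dev page and POSTed to it."""
    return sorted(
        c for c, t in hits.items()
        if "post-to-workers.dev" in t and "login-like-path" in t
    )


# Constructed sample log, not real traffic; hostnames are placeholders.
SAMPLE_LOG = [
    "2024-09-24T10:01:02Z 10.0.0.5 GET https://mail-secure-login.example-tenant.workers.dev/owa/auth/logon.aspx 200",
    "2024-09-24T10:01:09Z 10.0.0.5 POST https://mail-secure-login.example-tenant.workers.dev/owa/auth/logon.aspx 302",
    "2024-09-24T10:02:00Z 10.0.0.7 GET https://www.example.com/news 200",
    "2024-09-24T10:03:00Z 10.0.0.9 POST https://discord.com/api/webhooks/123456789/abcdef 204",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for client, tags in results.items():
        print(client, tags)
    print("high confidence:", high_confidence(results))
```

The check deliberately keys on the combination of indicators: traffic to workers.dev alone is common on any network with legitimate Cloudflare Workers tenants, so a single GET should at most raise a low-priority tag, while a login-looking path followed by a POST from the same client is the pattern worth paging on. In a real deployment the host list would be fed from the organization’s own allowlist of known-good Worker subdomains before alerting.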
Source: https://www.darkreading.com/cloud-security/sloppylemming-apt-cloudflare-pakistan-attacks