A threat actor tracked as “SloppyLemming” is abusing cloud services, including Cloudflare’s Workers platform, to run an espionage campaign against government and law-enforcement targets in Pakistan and the wider Indian subcontinent. Earlier reporting on the group concentrated on its Pakistan-focused activity; it has since extended its reach to Bangladesh, Sri Lanka, China, and Australia.
A SloppyLemming intrusion begins with a spear-phishing email that lures the victim into clicking a link or opening an attachment. From there the group leans on legitimate infrastructure: Cloudflare Workers host its credential-harvesting pages and redirect chains, while services such as Discord, Dropbox, and GitHub are used to stage and deliver payloads. Because every hop sits on a reputable domain, the traffic blends in with normal business use. Custom-built tooling then collects credentials, which the attackers use to take over email accounts.
In one notable chain, a malicious Cloudflare Worker collects Google OAuth tokens, and a second Worker redirects the victim to a Dropbox URL serving a RAR archive that exploits a known WinRAR vulnerability (CVE-2023-38831, fixed in WinRAR 6.23 in August 2023; any host still running an older build opens the lure with no user interaction beyond double-clicking a file inside the archive). The chain ends with a remote access tool (RAT) installed on the victim’s system.
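The two Worker-based steps above (an OAuth callback pointed at a Worker, and a Worker answering with a redirect to an archive on a file-hosting service) leave a recognisable pattern in outbound proxy logs. The following detector is an added example, not code from the Dark Reading article or from Cloudflare's report. It assumes a simplified proxy log format (`timestamp client method url status location`), that the Workers in question are served from the platform's default `*.workers.dev` hostnames (the article does not say which hostnames the actor used), and the Dropbox, GitHub, and Discord hostnames listed in `FILE_HOSTS`; the log lines are constructed for the example.

```python
"""Flag SloppyLemming-style Worker redirect chains in proxy logs.

Added example with assumed log format and hostnames; the sample log
below is constructed, not taken from the article or the campaign.
"""
from typing import List, NamedTuple, Optional
from urllib.parse import parse_qs, urlparse

WORKER_SUFFIX = ".workers.dev"   # default hostname for deployed Workers (assumption)
ARCHIVE_EXTS = (".rar",)         # the article only mentions RAR lures
FILE_HOSTS = {                   # file-hosting services named in the article (hostnames assumed)
    "www.dropbox.com", "dl.dropboxusercontent.com",
    "github.com", "raw.githubusercontent.com",
    "cdn.discordapp.com",
}

# Constructed sample: client 10.0.0.15 walks the described chain,
# client 10.0.0.22 performs a legitimate OAuth login and a normal download.
SAMPLE_LOG = """\
2024-09-20T09:12:01Z 10.0.0.15 GET https://accounts.google.com/o/oauth2/v2/auth?client_id=abc&redirect_uri=https%3A%2F%2Fmail-verify.example.workers.dev%2Fcb&response_type=code&scope=email 200 -
2024-09-20T09:12:09Z 10.0.0.15 GET https://mail-verify.example.workers.dev/cb?code=4/0Axyz 302 https://www.dropbox.com/scl/fi/abc/Report.rar?dl=1
2024-09-20T09:12:10Z 10.0.0.15 GET https://www.dropbox.com/scl/fi/abc/Report.rar?dl=1 200 -
2024-09-20T09:15:44Z 10.0.0.22 GET https://docs.example.com/policy.pdf 200 -
2024-09-20T09:16:02Z 10.0.0.22 GET https://accounts.google.com/o/oauth2/v2/auth?client_id=def&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&response_type=code 200 -
"""


class Finding(NamedTuple):
    client: str
    rule: str
    url: str
    detail: str


def is_worker_host(host: Optional[str]) -> bool:
    """True only for hostnames under the Workers default domain (suffix match,
    so look-alikes such as workers.dev.evil.com do not match)."""
    return bool(host) and host.lower().endswith(WORKER_SUFFIX)


def oauth_redirect_to_worker(url: str) -> Optional[str]:
    """Return the redirect_uri host when an authorization request sends its
    OAuth callback (and therefore the code/token) to a Worker, else None."""
    query = parse_qs(urlparse(url).query)
    for target in query.get("redirect_uri", []):      # parse_qs already URL-decodes
        host = urlparse(target).hostname
        if is_worker_host(host):
            return host
    return None


def worker_redirect_to_archive(url: str, status: int, location: str) -> Optional[str]:
    """Return the archive filename when a Worker answers with a 3xx whose
    Location points at an archive on a file-hosting service, else None."""
    if not 300 <= status < 400 or not is_worker_host(urlparse(url).hostname):
        return None
    loc = urlparse(location)
    name = loc.path.rsplit("/", 1)[-1]
    if loc.hostname in FILE_HOSTS and name.lower().endswith(ARCHIVE_EXTS):
        return name
    return None


def scan(log_text: str) -> List[Finding]:
    """Run both rules over every well-formed log line and collect findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue                                  # skip malformed lines
        _ts, client, _method, url, status, location = parts
        host = oauth_redirect_to_worker(url)
        if host:
            findings.append(Finding(client, "oauth-redirect-to-worker", url, host))
        name = worker_redirect_to_archive(url, int(status), location)
        if name:
            findings.append(Finding(client, "worker-redirect-to-archive", url, name))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client}  {f.rule:28}  {f.detail}")
```

Both rules key on the Worker hostname rather than on the file-hosting service, because Dropbox and GitHub downloads are routine in most environments and would drown the signal. In production the `.workers.dev` suffix check would be paired with an allow-list of Workers the organisation actually uses, and the OAuth rule extended to whichever identity provider issues the tokens.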
Experts warn that SloppyLemming’s reliance on cloud services shows why reputation-based filtering alone is not enough: the phishing pages, redirects, and payloads all live on domains most organisations trust. Practical responses include zero-trust access policies that do not treat traffic to a cloud platform as inherently safe, monitoring or restricting Worker hostnames that have no business purpose, reviewing which third-party applications hold OAuth grants against corporate accounts, and keeping software such as WinRAR current, since the exploited bug has had a fix available for over a year. Organizations should implement these controls and stay vigilant in detecting and responding to attacks like this one.
Source: https://www.darkreading.com/cloud-security/sloppylemming-apt-cloudflare-pakistan-attacks