'SloppyLemming' APT Abuses Cloudflare Service in Pakistan Attacks

A threat actor is leveraging Cloudflare Worker cloud services and other tools to perform espionage against government and law enforcement targets in and around the Indian subcontinent.

"SloppyLemming" is an advanced persistent threat (APT) that Crowdstrike (tracking it as Outrider Tiger) has previously linked to India. That attribution rings consistent with the group's latest effort to steal valuable intelligence from a wide range of sensitive organizations in countries hugging India's borders.

Among its victims: government agencies — legislative bodies, foreign affairs, defense — IT and telecommunications providers, construction companies, and Pakistan's sole nuclear power facility. Pakistani police departments and other law enforcement came under particular fire, but SloppyLemming's attacks also spread to the Bangladeshi and Sri Lankan militaries and governments, as well as organizations in China's energy and academic sectors, and there have been hints of potential targeting in or around Australia's capital, Canberra.

The campaign, described in a new blog post from Cloudflare, employs Discord, Dropbox, GitHub, and most notably Cloudflare's own "Workers" platform together in phishing attack chains that end in credential harvesting and email compromise.

Hackers Using Cloudflare Workers

SloppyLemming attacks generally begin with a spear-phishing email — say, a fake maintenance alert from a police station's IT department. It distinguishes itself more in step two when it abuses Cloudflare's Workers service.

Cloudflare Workers are a serverless computing platform for running scripts that operate on Web traffic flowing through Cloudflare's global servers. They're essentially chunks of JavaScript that intercept requests made to a user's website in transit — before they reach the user's origin server and apply some sort of function to them, for example, redirecting links or adding security headers.

Like other flexible, multifunctional legitimate services, Cloudflare Workers can also be abused for malicious ends. In 2020, Korean hackers used Workers to perform SEO spam, and a backdoor called "BlackWater" used it to interface with its command-and-control (C2) server; the following year, attackers used it to facilitate a cryptocurrency scam.

SloppyLemming uses a custom-built tool called "CloudPhish" to handle credential logging logic and exfiltration. CloudPhish users first define their targets, and their intended channel for exfiltration. Then the program scrapes the HTML content associated with the target's webmail login page, and creates a malicious copycat with it. When the target enters their login information, it's stolen via a Discord webhook.

Abusing Cloud Services

SloppyLemming has other tricks up its sleeve, too. In limited cases, it used a malicious Worker to collect Google OAuth tokens.

Another Worker was used to redirect to a Dropbox URL, where lay a RAR file designed to exploit CVE-2023-38831, a "high" severity, 7.8 out of 10 CVSS-rated issue in WinRAR versions prior to 6.23. The same vulnerability was recently used by a Russian threat group against Ukrainian citizens. At the end of this Dropbox-heavy exploit chain was a remote access tool (RAT) that engaged several more Workers.

"They use at least three, or four, or five different cloud tools," notes Blake Darché, head of Cloudforce One at Cloudflare. "Threat actors generally are trying to take advantage of companies by using different services from different companies, so [victims] can't coordinate what they're doing."

To make sense of attack chains that spread across so many platforms, he says, "You've got to have good control of your network, and implement zero-trust architectures so you understand what's going in and out of your network, through all the different peripheries: DNS traffic, email traffic, Web traffic, understanding it in totality. I think a lot of organizations really struggle in this area."