CyberWire Daily - Credential harvesters in the cloud. [Research Saturday]

Episode Date: November 16, 2024

This week we are joined by Blake Darché, Head of Cloudforce One at Cloudflare, to discuss their work on "Unraveling SloppyLemming’s Operations Across South Asia." Cloudforce One's investigation into the advanced threat actor "SloppyLemming" reveals an extensive espionage campaign targeting South and East Asia, with a focus on Pakistan's government, defense, telecommunications, and energy sectors. Leveraging multiple cloud service providers, SloppyLemming employs tactics like credential harvesting, malware delivery, and command-and-control (C2) operations, often relying on open-source adversary emulation tools like Cobalt Strike. Despite its activities, the actor's poor operational security (OPSEC) has allowed investigators to gain valuable insights into its infrastructure and tooling. The research can be found here: Unraveling SloppyLemming’s operations across South Asia

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly Hello, everyone, and welcome to CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. We were observing some behavior that was indicative of platform abuse. So we spent
Starting point is 00:02:01 some time investigating this activity and determined it looked like a persistent threat. And so then we did some more analysis of it and then released this report about it. That's Blake Darché, head of Cloudforce One at Cloudflare. Today, we're discussing their research, Unraveling Sloppy Lemming's Operations Across South Asia. Well, explain to us who Sloppy Lemming is and what makes their operations unique compared to some of the other threat actors out there. Sure. So Sloppy Lemming is an Asian-based threat actor targeting South and East Asian countries.
Starting point is 00:02:49 We do think it's a part of a larger espionage campaign run by this threat actor, where they're looking for different information about military and government organizations throughout the Asia-Pacific AOR. And my understanding is that cloud service providers play a particular role in Sloppy Lemming's activities? So Cloudflare has recently been observing a variety of threat actors using disparate cloud services in a way in order to make tracking of their operations very difficult and hinder response. So this threat actor uses four or five different cloud providers,
Starting point is 00:03:33 and those cloud providers could be everything from a software-as-a-service platform to everything to an infrastructure platform. And they're kind of chaining these different cloud services together. And by doing so, they really slow down response operations. And it becomes very difficult for, say, any of the individual cloud providers, if only one piece of the operation is on their infrastructure. It becomes difficult for all the different providers to be aware of what the threat actor is doing.
Starting point is 00:03:59 And by doing that, they hope to stay kind of under the radar and not be discovered by defenders and the people they're targeting, if that makes sense. Yeah. Well, can you walk us through what a typical credential harvesting process looks like from Sloppy Lemming? Sure. So they've been sending out an email that's been impersonating a group of IT professionals and they're saying, hey, click this link.
Starting point is 00:04:28 When you click this link in this email, it goes through, it brings you to a credential harvesting page. They get the user to enter credentials and then they store those credentials and use those credentials later to gain access to those accounts. And the users are not aware of it.
Starting point is 00:04:42 So they're doing this to hundreds of users at a time. And quite often, with a lot of cyber attacks, it all starts with a click on a phishing attack or a phishing on an email, if that makes sense. Yeah. What are some of the specific industries that they seem to be focused on here? This threat actor is predominantly focused
Starting point is 00:05:03 on government and military. And they seem to be putting a lot of attention on Pakistan? Yes? They do seem to be putting a lot of attention on Pakistan. Interestingly, after we published this research, we also
Starting point is 00:05:19 obtained some intelligence showing they were actually targeting the Ukraine as well. Which was kind of interesting because it changes their targeting a little bit and shows that even though they're mainly targeting Pakistan, they're also very interested in other areas, including Bangladesh, Sri Lanka, Nepal, China, and now the Ukraine. One of the things that caught my eye, and I suppose it should have been,
Starting point is 00:05:46 I guess, inherent in the name Sloppy Lemming, but this group isn't very diligent when it comes to their OPSEC? You know, different groups have a lot of different OPSEC behaviors, and I would classify this group as less sophisticated
Starting point is 00:06:02 in operational security, but I would also not say they're the worst operationally secure group I've seen, if that makes sense. So probably like medium in terms of all that stuff. But we did name them Sloppy Lemon because they made a lot of sloppy mistakes. Fair enough.
Starting point is 00:06:20 What are some of the tools and malware that they're using here for both their malware delivery and then also command and control? Yeah, so they're using a variety of different remote access tools or implants, as some people might call them, to drop on hosts and control those hosts remotely. And it's through those tools, you know, they're trying to obtain data, maintain persistent access to a network and continue their targeting of those entities. And what sort of mitigations did you and your colleagues there take to
Starting point is 00:06:54 disrupt Sloppy Lemmy? So we took a variety of mitigations. So we actually took down some of their code on our infrastructure. We reached out to four or five different cloud providers and cloud service vendors and said, hey, we've identified this threat actor, we would like to, we want to shut down this threat activity. And all the different providers we worked with were able to help us do so in a coordinated fashion. Oftentimes today we're seeing spending some time doing coordinated operations across providers results in causing the threat actors to have a lot more
Starting point is 00:07:28 cost to their operation to continue it versus just a single provider taking it down. So we actually reached out to GitHub, Dropbox, and Discord. We'll be right back. We'll be right back. Do you know the status of your compliance controls right now?
Starting point is 00:07:53 Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way
Starting point is 00:08:34 to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:09:31 Learn more at blackcloak.io. Does this group sort of dial in the sophistication of the malware they use or their phishing techniques depending on who they're targeting? I don't know if I'd go that far. I would say that over time, this group's malware has gotten more advanced. So they are kind of evolving and becoming more sophisticated over time. But I wouldn't describe them as the most advanced threat group out there either. Okay. Well, what would you say are some of the most effective mitigation strategies, then,
Starting point is 00:10:13 for organizations to protect themselves here? Sure. I would say the best mitigation strategies for this are, you know, you want to patch your computers. You know, they're using a CVE-2023-38831, which is a WinRAR CVE, to do some of their exploitation. So once again, like, this is not a zero day. You know, oftentimes in security,
Starting point is 00:10:32 everyone's talking about, there's this zero day, there's this zero day. Zero days are a problem, but oftentimes the biggest problem we see are known exploits that people have not patched for. And this is a good example of that. So doing that, patching for And this is a good example of that. So doing that, patching for that vulnerability is a good way. And then really having defense in depth on your email infrastructure. So running an email security product that looks at inbound
Starting point is 00:10:57 attacks and tries to prevent inbound attacks from coming into your environment is very much important and a key to stopping this threat effort. One of the things that caught my eye in the research was the fact that they seem to be targeting the nuclear and defense sectors. Are there any specific messages here to folks in critical infrastructure in terms of bolstering their defenses here? I think there are. I think if you work at all in critical infrastructure or you're a contractor that works for critical infrastructure, you serve as an important component of that supply chain. And if you have vulnerabilities in your network, then your customer effectively has vulnerabilities in their network. And we've
Starting point is 00:11:44 seen this time and time again where we did some work with a company and they had a lawn care service and the lawn care service was compromised. And basically the lawn care service is then trying to attack them. And so people often don't really think about just the chain of those events, but each single domino, once the first domino falls, the next domino falls faster, if that makes sense. Yeah, it does. You mentioned earlier some collaboration between your team and some other platforms like GitHub and Dropbox. Can we go into some of that? I mean,
Starting point is 00:12:17 what do those collaborations typically look like? So we work with a variety of different organizations on a case-by-case basis. So we'll engage them and talk to them about a threat that we're seeing and figure out, hey, can we contain this threat? Do you know anything more about the threat? Can we provide you some insight into the threat and how it might be abusing your platform? And so in that collaborative manner, we're helping to build a better internet and better community doing the defense. Yeah, I have to say, it's one of the heartening things when you hear these sorts of stories about how folks who even day-to-day might be even friendly competitors,
Starting point is 00:12:56 when it comes to these sorts of things, the communication lines are open. Absolutely, and I think it's really important that that continues and expands. Absolutely. And I think it's really important that that continues and expands. In security, oftentimes people talk about sharing and threat sharing and being able to do that on these individual investigations is really, really powerful and really causes an impact to threat actors and helps secure the internet for all of us. So looking at the information you all have gathered here, what are your recommendations? What sort of guidance can you give us for folks to protect themselves here? I think you've got to know your threat factors and you have to understand kind of like where you sit in that chain. So to your point earlier, if you're involved in say nuclear, anything nuclear related, you have to understand you're going to be a major target and you need to have the right defensive measures in place at your organization.
Starting point is 00:13:49 And you need to understand that customers and clients often don't really understand, I would say, their individual threat levels and they need to understand what those levels are and then what those vectors are and then what their attack surface is. Different companies have different attack service, and understanding the totality of your threat level, your attack surface, and the threat vectors that the threat actors are using really helps you kind of triangulate and protect your organization from attacks.
Starting point is 00:14:18 Any insights or predictions of what we might expect to see from Sloppy Lemming in the future here? We would expect to see from Sloppy Lemming in the future here? We would expect to see similar activity. I think the thing that surprised us most was the recent uncovering of some Ukrainian activity that were there, looked to be doing something against Ukraine. So it'll be interesting to see if that continues, but we would otherwise expect to see similar kind of targeting continue in those areas. Our thanks to Blake Darche from Cloudflare for joining us. The research is titled Unraveling Sloppy Lemmings Operations Across South Asia.
Starting point is 00:15:06 We'll have a link in the show notes. That is Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence
Starting point is 00:15:41 and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karf. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. Thank you. and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:16:58 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
