
Credential harvesters in the cloud.
Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Research Saturday." I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Blake Darche: We were observing some behavior that was indicative of platform abuse. So we spent some time investigating this activity and determined it looked like a persistent threat and so then we did some more analysis of it and then released this report about it.
Dave Bittner: That's Blake Darche, head of Cloudforce One at Cloudflare. Today we're discussing their research unraveling SloppyLemming's operations across South Asia. [ Music ] Well, explain to us who SloppyLemming is and what makes their operations unique compared to some of the other threat actors out there.
Blake Darche: Sure. So SloppyLemming is an Asia-based threat actor targeting South and East Asian countries. We do think it's a part of a larger espionage campaign run by this threat actor where they're looking for different information about military and government organizations throughout the Asia Pacific AOR.
Dave Bittner: And my understanding is that cloud service providers play a particular role in SloppyLemming's activities.
Blake Darche: So we've -- Cloudflare's recently been observing a variety of threat actors using disparate cloud services in a way in order to make tracking of their operations very difficult and hinder response. So this threat actor uses four or five different cloud providers and those cloud providers could be everything from like a software as a service platform to everything to an infrastructure platform. And they're kind of chaining these different cloud services together and by doing so they really slow down response operations and it becomes very difficult for say any of the individual cloud providers if only one piece of the operation is on their infrastructure. It becomes difficult for all the different providers to be aware of what the threat actor's doing. And by doing that they hope to stay kind of under the radar and not be discovered by defenders. And the people they're targeting, if that makes sense.
Dave Bittner: Yeah. Well, can you walk us through what a typical credential harvesting process looks like from SloppyLemming?
Blake Darche: Sure. So they've been sending out an email that's been impersonating a group of like IT professionals. And they're saying, "Hey, click this link." When you click this link in this email it goes through -- it brings you to a credential harvesting page. They get the user to enter credentials and then they store those credentials and use those credentials later to gain access to those accounts. And the users are not aware of it. Right? So they're doing this to, you know, hundreds of users at a time. And, you know, quite often with most -- with a lot of cyber attacks it all starts, you know, with a click on a phishing attack or phishing like on an email if that makes sense.
Dave Bittner: Yeah. What are some of the specific industries that they seem to be focused on here?
Blake Darche: This threat actor's predominantly focused on government and military.
Dave Bittner: And they seem to be putting a lot of attention on Pakistan. Yes?
Blake Darche: They do seem to be putting a lot of attention on Pakistan. Interestingly after we published this research we also obtained some intelligence showing they were actually targeting the Ukraine as well which was kind of interesting because it changes their targeting a little bit and shows that even though they are mainly targeting Pakistan they are also very interested in other areas including Bangladesh, Sri Lanka, Nepal, China, and now the Ukraine.
Dave Bittner: One of the things that caught my eye and I suppose it should have been I guess inherent in the name SloppyLemming, but this group isn't very diligent when it comes to their opsec.
Blake Darche: You know different groups have a lot of different opsec behaviors and I would classify this group as less sophisticated in operational security, but I would also not say they're the worst operationally secure group I've seen, if that makes sense. So probably like medium in terms of opsec. We did name them SloppyLemming because they made a lot of sloppy mistakes.
Dave Bittner: Fair enough. Fair enough. What are some of the tools and malware that they're using here for both their malware delivery and then also command and control?
Blake Darche: Yeah. So they're using a variety of different remote access tools or implants as some people might call them to drop on hosts and control those hosts remotely. And it's through those tools, you know, they're trying to obtain data, maintain persistent access to a network, and continue their, you know, targeting of those -- of these.
Dave Bittner: And what sort of mitigations did you and your colleagues there take to disrupt SloppyLemming?
Blake Darche: Sure. Yeah. So we took a variety of mitigations. So we actually took down some of their [inaudible 00:05:37] infrastructure. We reached out to four or five different cloud providers and called service vendors and said, "Hey, we've identified this threat actor. We would like to -- we want to shut down this threat activity." And all the different providers we worked with were able to help us do so in a coordinated fashion. Oftentimes today we're seeing spending some time doing coordinated operations across providers results in causing the threat actors to have a lot more cost to their operation to continue it versus just a single provider taking it down. So we actually reached out to GitHub, Dropbox, and Discord. [ Music ]
Dave Bittner: We'll be right back. Does this group sort of dial in the sophistication of the malware they use or their phishing techniques depending on who they're targeting?
Blake Darche: I don't know if I'd go that far. I would say that over time this group -- this group's malware has gotten more advanced. So they are kind of evolving and becoming more sophisticated over time. But I wouldn't describe them as the most advanced threat group out there either.
Dave Bittner: Okay. Well, what would you say are some of the most effective mitigation strategies then for organizations to protect themselves here?
Blake Darche: Sure. I would say the best mitigation strategies for this are, you know, you want to patch your computers. You know they're using CVE-2023-38831, which is a WinRAR CVE, to do some of their exploitation. So once again like this is not a zero day. You know oftentimes in security everyone's talking about there's this zero day. There's this zero day. Zero days are a problem, but oftentimes the biggest problem we see are known exploits that people have not patched for. And this is a good example of that. So doing that, patching for that vulnerability, is a good way. And then, you know, really having defense in depth on your email infrastructure. So running an email security product that looks at inbound attacks and tries to prevent inbound attacks from coming into your environment is very much important and a key to this -- to stopping this threat actor.
Dave Bittner: You know one of the things that caught my eye in the research was the fact that they seemed to be targeting the nuclear and defense sectors. Are there any specific messages here to folks in critical infrastructure in terms of bolstering their defenses here?
Blake Darche: I think there are. I think if you're a -- if you work at all in critical infrastructure or you're a contractor that works for critical infrastructure you serve as an important component of that supply chain. And if you have vulnerabilities in your network then your customer effectively has vulnerabilities in their network. And we've seen this time and time again where we did some work with a company and you know they had a lawn care service and the lawn care service was compromised. And basically the lawn care service is then, you know, trying to attack them. And so people often don't really think about just the chain of those events, but each single domino once the first domino falls the next domino falls faster, if that makes sense.
Dave Bittner: Yeah. It does. You mentioned earlier some collaboration between your team and some other platforms like GitHub and Dropbox. Can we go into some of that? I mean what do those collaborations typically look like?
Blake Darche: So we work with a variety of different organizations on a case-by-case basis. So we'll engage them and talk to them about a threat that we're seeing and figure out, hey, can we contain this threat? Do you know anything more about the threat? Can we provide you some insight into the threat and how it might be abusing your platform? And so in that collaborative manner we're helping to build a better internet and better community doing the cyber defense.
Dave Bittner: Yeah. I have to say it's one of the heartening things when you hear these sorts of stories about how, you know, folks who even day to day might be friendly competitors when it comes to these sorts of things the communication lines are open.
Blake Darche: Absolutely. And I think it's really important that that continues and expands. You know in security oftentimes people talk about sharing and threat sharing and being able to do that on these individual investigations is really, really powerful and really causes an impact to threat actors and helps secure the internet for all of us.
Dave Bittner: So looking at the information you all have gathered here what are your recommendations? What sort of guidance can you give us for folks to protect themselves here?
Blake Darche: I think you've got to know your threat vectors and you have to understand kind of like where you sit in that chain. So to your point earlier if you're involved in say nuclear, anything nuclear related, you have to understand you're going to be a major target and you need to have the right defensive measures in place at your organization. And you need to understand that not -- customers and clients often don't really understand I would say their individual threat levels, and they need to understand what those levels are and then what those vectors are and then what their attack surface is. And, you know, different companies have different attack surface and understanding the totality of your threat level, your attack surface, and the threat vectors the threat actors are using really helps you kind of triangulate and protect your organization from attacks.
Dave Bittner: Any insights or predictions of what we might expect to see from SloppyLemming in the future here?
Blake Darche: We would expect to see similar activity. I think the thing that surprised us most was the recent uncovering of some Ukrainian activity where they looked to be doing something against Ukraine. So it will be interesting to see if that continues, but we would otherwise expect to see similar kind of targeting continue in those areas. [ Music ]
Dave Bittner: Our thanks to Blake Darche from Cloudflare for joining us. The research is titled "Unraveling SloppyLemming's Operations Across South Asia." We'll have a link in the show notes. That is "Research Saturday" brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We will see you back here next time. [ Music ]
