Blake Darche
You're listening to the CyberWire network, powered by N2K.
Dave Bittner
Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row, all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place. And they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business. Make it official today at legalzoom.com. You can use promo code CYBER10 to get 10% off any LegalZoom business information product, excluding subscriptions and renewals. That expires at the end of this year. Get everything you need from setup to success at legalzoom.com and use promo code CYBER10. That's legalzoom.com and promo code CYBER10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice except where authorized through its subsidiary law firm, LZ Legal Services, LLC.

Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Blake Darche
We were observing some behavior that was indicative of platform abuse, so we spent some time investigating this activity and determined it looked like a persistent threat. And so then we did some more analysis of it and then released this report about it.
Dave Bittner
That's Blake Darche, head of Cloudforce One at Cloudflare. Today we're discussing their research, Unraveling Sloppy Lemming's Operations Across South Asia. Well, explain to us who Sloppy Lemming is and what makes their operations unique compared to some of the other threat actors out there.
Blake Darche
Sure. So Sloppy Lemming is an Asian-based threat actor targeting South and East Asian countries. We do think it's a part of a larger espionage campaign run by this threat actor where they're looking for different information about military and government organizations throughout the Asia-Pacific AOR.
Dave Bittner
And my understanding is that cloud service providers play a particular role in Sloppy Lemming's activities.
Blake Darche
So Cloudflare has recently been observing a variety of threat actors using disparate cloud services in a way, in order to make tracking of their operations very difficult and hinder response. So this threat actor uses four or five different cloud providers, and those cloud providers could be everything from a software-as-a-service platform to an infrastructure platform. And they're kind of chaining these different cloud services together. And by doing so, they really slow down response operations. And it becomes very difficult for, say, any of the individual cloud providers if only one piece of the operation is on their infrastructure. It becomes difficult for all the different providers to be aware of what the threat actor is doing. And by doing that, they hope to stay kind of under the radar and not be discovered by defenders and the people they're targeting, if that makes sense.
Dave Bittner
Yeah. Well, can you walk us through what a typical credential harvesting process looks like from Sloppy Lemming?
Blake Darche
Sure. So they've been sending out an email that's been impersonating a group of IT professionals and they're saying, hey, click this link. When you click this link in this email, it goes through. It brings you to a credential harvesting page. They get the user to enter credentials and then they store those credentials and use those credentials later to gain access to those accounts. And the users are not aware of it. Right. So they're doing this to hundreds of users at a time. And quite often with a lot of cyber attacks, it all starts with a click on a phishing attack or a phishing link in an email, if that makes sense.
Dave Bittner
Yeah. What are some of the specific industries that they seem to be focused on here?
Blake Darche
This threat actor is predominantly focused on government and military, and they seem to.
Dave Bittner
Be putting a lot of attention on Pakistan.
Blake Darche
Yes, they do seem to be putting a lot of attention on Pakistan. Interestingly, after we published this research, we also obtained some intelligence showing they were actually targeting the Ukraine as well, which was kind of interesting because it changes their targeting a little bit and shows that even though they're mainly targeting Pakistan, they're also very interested in other areas, including Bangladesh, Sri Lanka, Nepal, China, and now the Ukraine.
Dave Bittner
One of the things that caught my eye, and I suppose it should have been, I guess, inherent in the name Sloppy Lemming, but this group isn't very diligent when it comes to their OPSEC.
Blake Darche
You know, different groups have a lot of different OPSEC behaviors, and I would classify this group as less sophisticated in operational security. But I would also not say they're the worst operationally secure group I've seen, if that makes sense. So probably like medium in terms of that. But we did name them Sloppy Lemming because they made a lot of sloppy mistakes.
Dave Bittner
Fair enough, fair enough. What are some of the tools and malware that they're using here for both their malware delivery and then also command and control?
Blake Darche
Yeah, so they're using a variety of different remote access tools, or implants as some people might call them, to drop on hosts and control those hosts remotely. And it's through those tools, you know, they're trying to obtain data, maintain persistent access to a network, and continue their, you know, targeting of those entities.
Dave Bittner
And what sort of mitigations did you and your colleagues there take to disrupt Sloppy Lemming?
Blake Darche
Sure, sure. Yeah, so we took a variety of mitigations. So we actually took down some of their code on our infrastructure. We reached out to four or five different cloud providers and cloud service vendors and said, hey, we've identified this threat actor. We want to shut down this threat activity. And all the different providers we worked with were able to help us do so in a coordinated fashion. Oftentimes today we're seeing that spending some time doing coordinated operations across providers results in a lot more cost to the threat actors to continue their operation, versus just a single provider taking it down. So we actually reached out to GitHub, Dropbox, and Discord.
Dave Bittner
We'll be right back. And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's Security Coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach, and we thank KnowBe4 for sponsoring our show. Do you know the status of your compliance controls right now? Like right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's how: Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Does this group sort of dial in the sophistication of the malware they use or their phishing techniques, depending on who they're targeting?
Blake Darche
I don't know if I'd go that far. I would say that over time this group's malware has gotten more advanced. So they are kind of evolving and becoming more sophisticated over time. But I wouldn't describe them as the most advanced threat group out there either.
Dave Bittner
Okay, well, what would you say are some of the most effective mitigation strategies then for organizations to protect themselves here?
Blake Darche
Sure. I would say the best mitigation strategies for this are, you know, you want to patch your computers. You know, they're using CVE-2023-38831, which is a WinRAR CVE, to do some of their exploitation. So once again, like, this is not a zero day. You know, oftentimes in security, everyone's talking about there's this zero day, there's this zero day. Zero days are a problem. But oftentimes the biggest problem we see are known exploits that people have not patched for. And this is a good example of that. So doing that patching for that vulnerability is a good way. And then, you know, really having defense in depth on your email infrastructure. So running an email security product that looks at inbound attacks and tries to prevent inbound attacks from coming into your environment is very much important and a key to stopping this threat actor.
Dave Bittner
One of the things that caught my eye in the research was the fact that they seem to be targeting the nuclear and defense sectors. Are there any specific messages here to folks in critical infrastructure in terms of bolstering their defenses here?
Blake Darche
I think there are. I think if you work at all in critical infrastructure or you're a contractor that works for critical infrastructure, you serve as an important component of that supply chain. And if you have vulnerabilities in your network, then your customer effectively has vulnerabilities in their network. And we've seen this time and time again, where we did some work with a company and, you know, they had a lawn care service and the lawn care service was compromised. And basically the lawn care service is then, you know, trying to attack them. And so people often don't really think about just the chain of those events, but each single domino, once the first domino falls, the next domino falls faster, if that makes sense.
Dave Bittner
Yeah, it does. You mentioned earlier some collaboration between your team and some other platforms like GitHub and Dropbox. Can we go into some of that? I mean, what do those collaborations typically look like?
Blake Darche
So we work with a variety of different organizations on a case by case basis. So we'll engage them and talk to them about a threat that we're seeing and figure out, hey, can we contain this threat? Do you know anything more about the threat? Can we provide you some insight into the threat and how it might be abusing your platform? And so in that collaborative manner, we're helping to build a better Internet and better community doing the cyber defense.
Dave Bittner
Yeah, I have to say it's one of the heartening things when you hear these sorts of stories about how, for folks who day to day might even be friendly competitors, when it comes to these sorts of things the communication lines are open.
Blake Darche
Absolutely. And I think it's really important that that continues and expands in security. Oftentimes people talk about sharing and threat sharing and being able to do that on these individual investigations is really, really powerful and really causes an impact to threat actors and helps secure the Internet for all of us.
Dave Bittner
So looking at the information you all have gathered here, what are your recommendations? What sort of guidance can you give us for folks to protect themselves here?
Blake Darche
I think you've got to know your threat vectors and you have to understand kind of like where you sit in that chain. So to your point earlier, if you're involved in, say, nuclear, anything nuclear related, you have to understand you're going to be a major target and you need to have the right defensive measures in place at your organization. And customers and clients often don't really understand, I would say, their individual threat levels, and they need to understand what those levels are and then what those vectors are and then what their attack surfaces are. Different companies have different attack surfaces, and understanding the totality of your threat level, your attack surface and the threat vectors the threat actors are using really helps you kind of triangulate and protect your organization from attacks.
Dave Bittner
Any insights or predictions of what we might expect to see from Sloppy Lemming in the future?
Blake Darche
Here we would expect to see similar activity. I think the thing that surprised us most was the recent uncovering of some Ukrainian activity, where they look to be doing some things against Ukraine. So it'll be interesting to see if that continues, but we would otherwise expect to see similar kind of targeting continue in those areas.
Dave Bittner
Our thanks to Blake Darche from Cloudflare for joining us. The research is titled Unraveling Sloppy Lemming's Operations Across South Asia. We'll have a link in the show notes. That is Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business. Everywhere you do business.
CyberWire Daily: Credential Harvesters in the Cloud [Research Saturday] - November 16, 2024
In this episode of CyberWire Daily, hosted by N2K Networks, Dave Bittner talks with Blake Darche, Head of Cloudforce One at Cloudflare. The discussion covers the operations of a persistent threat actor known as "Sloppy Lemming," its credential harvesting tactics in the cloud, and the broader implications for cybersecurity, especially within critical infrastructure sectors.
Blake Darche begins by introducing Sloppy Lemming, highlighting the group's regional focus and strategic objectives.
Blake Darche [02:20]: "We were observing some behavior that was indicative of platform abuse, so we spent some time investigating this activity and determined it looked like a persistent threat. And so then we did some more analysis of it and then released this report about it."
Sloppy Lemming is an Asian-based threat actor primarily targeting South and East Asian nations. Its operations are part of a broader espionage campaign aimed at extracting sensitive information from military and government organizations across the Asia-Pacific region.
Blake Darche [03:05]: "Sloppy Lemming is an Asian-based threat actor targeting south and East Asian countries. We do think it's part of a larger espionage campaign run by this threat actor where they're looking for different information about military and government organizations throughout the Asia Pacific AOR."
A significant aspect of Sloppy Lemming's strategy involves spreading operations across multiple cloud service providers to obfuscate its activities and complicate mitigation efforts.
Blake Darche [03:40]: "This threat actor uses four or five different cloud providers... they're kind of chaining these different cloud services together. And by doing so, they really slow down response operations... it becomes difficult for all the different providers to be aware of what the threat actor is doing."
By dispersing its operations across various platforms, from Software as a Service (SaaS) to Infrastructure as a Service (IaaS), Sloppy Lemming aims to remain under the radar, making it difficult for any single provider to fully trace or halt the malicious activity, since each provider sees only one piece of the chain.
The crux of Sloppy Lemming's operations lies in its credential harvesting methodology, executed primarily through targeted phishing campaigns.
Blake Darche [04:42]: "They've been sending out an email that's been impersonating a group of IT professionals... it brings you to a credential harvesting page. They get the user to enter credentials and then they store those credentials and use those credentials later to gain access to those accounts."
These phishing emails deceive recipients into believing they are interacting with legitimate IT professionals, leading them to malicious websites where their credentials are captured. This method allows Sloppy Lemming to harvest credentials from hundreds of users at a time, facilitating unauthorized access to the targeted accounts.
While initially concentrated on Pakistan, recent intelligence indicates an expansion of Sloppy Lemming's targets to include Ukraine, alongside other nations such as Bangladesh, Sri Lanka, Nepal, and China.
Blake Darche [05:38]: "After we published this research, we also obtained some intelligence showing they were actually targeting Ukraine as well... including Bangladesh, Sri Lanka, Nepal, China, and now Ukraine."
Their focus on government and military sectors underscores the group's intent to gather high-value intelligence, potentially influencing geopolitical dynamics.
Despite being a persistent threat, Sloppy Lemming exhibits notable lapses in operational security (OPSEC), which earned the group its moniker.
Blake Darche [06:21]: "We did name them Sloppy Lemming because they made a lot of sloppy mistakes."
However, it's essential to recognize that their malware capabilities have been evolving, indicating a trajectory towards increased sophistication, albeit not at the forefront of advanced threat actors.
Blake Darche [11:06]: "Over time this group's malware has gotten more advanced. So they are kind of evolving and becoming more sophisticated over time."
In combating Sloppy Lemming, Cloudflare implemented a multi-faceted mitigation approach, emphasizing collaboration across cloud providers.
Blake Darche [07:22]: "We actually took down some of their code on our infrastructure. We reached out to four or five different cloud providers... GitHub, Dropbox, and Discord."
By coordinating with platforms like GitHub, Dropbox, and Discord, Cloudflare disrupted Sloppy Lemming's operations, increasing the cost and complexity for the threat actor to maintain its activities.
Blake Darche provides actionable insights for organizations, especially those within critical infrastructure sectors, to bolster their defenses against such threats.
Patch Management: Ensure all systems are updated to mitigate known vulnerabilities, specifically addressing the CVEs exploited by Sloppy Lemming (the interview names CVE-2023-38831, a WinRAR vulnerability, and stresses that this is a known, patchable bug rather than a zero day).
Blake Darche [11:31]: "Patching for that vulnerability is a good way... having defense in depth on your email infrastructure."
Email Security: Implement robust email security solutions to detect and prevent phishing attempts from infiltrating the organization's network.
Understanding Threat Vectors: Organizations must comprehend their position within the threat landscape, recognizing their role in the supply chain and the potential vulnerabilities therein.
Blake Darche [14:46]: "You have to know your threat vectors and you have to understand like where you sit in that chain."
Defensive Depth: Employ a layered security approach to ensure that if one defense mechanism fails, others remain to protect the organization.
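The patch-management advice above comes down to a concrete question: which hosts still run a WinRAR build older than the release that fixes CVE-2023-38831? The script below is an added example written for this summary, not code from Cloudflare or N2K. It parses a software-inventory export (the sample rows are constructed), recovers a comparable version from messy version strings, and reports each WinRAR install that is below the fixed release or whose version could not be determined. The fixed-release threshold `FIXED_VERSION` is an assumption to confirm against the vendor advisory before relying on the check.

```python
"""Flag WinRAR installs that predate the release fixing CVE-2023-38831.

Added example, not Cloudflare or N2K code. The inventory rows are constructed
and FIXED_VERSION is an assumption: verify the threshold against the vendor's
advisory for CVE-2023-38831 before using this in production.
"""
import csv
import io
import re
from typing import Optional

CVE_ID = "CVE-2023-38831"
# Assumption: first WinRAR release that closes CVE_ID (major, minor).
FIXED_VERSION = (6, 23)

# Constructed sample of a software-inventory export: hostname, product, version.
# Deliberately includes a 64-bit build string, an empty version, a beta build
# and a non-WinRAR row so the edge cases are exercised.
SAMPLE_INVENTORY = """\
hostname,product,version
ws-fin-01,WinRAR,6.02
ws-fin-02,WinRAR,6.23
srv-files-01,WinRAR 7.01 (64-bit),7.01
ws-hr-03,WinRAR,
ws-eng-04,7-Zip,23.01
ws-eng-05,winrar,6.10 beta 1
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple]:
    """Extract a (major, minor) pair from strings like '6.02' or '6.10 beta 1'.

    Returns None when no version is present so the caller can report the host
    for manual review instead of silently treating it as patched.
    """
    match = _VERSION_RE.search(text or "")
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_winrar(product: str) -> bool:
    """Case-insensitive product match; inventories rarely normalize names."""
    return "winrar" in (product or "").lower()


def assess_inventory(csv_text: str, fixed=FIXED_VERSION) -> list:
    """Return one finding per WinRAR install needing attention.

    status is 'vulnerable' when the parsed version is below `fixed`, and
    'unknown-version' when the version string could not be parsed.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_winrar(row["product"]):
            continue
        version = parse_version(row["version"])
        if version is None:
            status = "unknown-version"
        elif version < fixed:
            status = "vulnerable"
        else:
            continue  # at or above the fixed release: nothing to report
        findings.append(
            {"host": row["hostname"], "version": row["version"], "status": status, "cve": CVE_ID}
        )
    return findings


def format_report(findings: list) -> str:
    """Render findings as one line per host for a ticket or chat message."""
    if not findings:
        return f"No WinRAR installs below the {CVE_ID} fixed release found."
    lines = [f"{CVE_ID}: {len(findings)} host(s) need attention"]
    for f in findings:
        lines.append(f"  {f['host']:<14} version={f['version'] or '<missing>':<14} {f['status']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(assess_inventory(SAMPLE_INVENTORY)))
```

The version comparison works on integer tuples rather than raw strings, so "6.02" sorts below "6.23" and "6.10 beta 1" is recognised as an old build rather than skipped; hosts with a missing version are surfaced explicitly because an empty field in an inventory is far more often a collection failure than a clean host.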
Looking ahead, Cloudflare anticipates that Sloppy Lemming will continue its current trajectory of targeting similar sectors and expanding its geographical focus.
Blake Darche [15:40]: "Here we would expect to see similar activity... especially with the unexpected targeting of Ukraine."
This expansion highlights the dynamic nature of cyber threats and the necessity for organizations to remain vigilant and adaptive in their security postures.
The episode underscores the importance of collaborative efforts in cybersecurity, as exemplified by Cloudflare's partnership with other cloud service providers to neutralize threats. Blake Darche emphasizes the significance of threat intelligence sharing and coordinated responses to effectively counteract persistent and evolving cyber adversaries.
Blake Darche [14:00]: "We're helping to build a better Internet and better community doing the cyber defense."
As cyber threats become increasingly sophisticated and widespread, such collaborative endeavors are pivotal in safeguarding critical infrastructure and maintaining the integrity of global digital ecosystems.
For more detailed insights, listeners are encouraged to read the full research report, "Unraveling Sloppy Lemming's Operations Across South Asia," linked in the show notes.