Hacker Groups PINEAPPLE and FLUXROOT Exploit Google Cloud to Conduct Credential Phishing
FLUXROOT, a financially motivated group originating from Latin America (LATAM), has been observed using Google Cloud's serverless projects to orchestrate credential phishing operations, underscoring how cloud computing infrastructure is being exploited for malicious ends.
“Developers and corporations find serverless architectures appealing due to their adaptability, cost efficiency, and user-friendliness,” mentioned Google in its semiannual Threat Horizons Report [PDF] shared with The Hacker News.
“These traits also make serverless computing services provided by various cloud providers enticing to malevolent entities who utilize them for disseminating malware, hosting illicit phishing sites, and executing harmful scripts tailored to function in a serverless ecosystem.”

The scheme entailed the deployment of Google Cloud container links to host deceptive pages aimed at extracting login details linked with Mercado Pago, a preferred online payment service in the LATAM area.
Google stated that FLUXROOT is recognized for disseminating the Grandoreiro banking trojan and recent initiatives have included exploiting legitimate cloud services such as Microsoft Azure and Dropbox for delivering the malware.
In a separate incident, adversaries using the moniker PINEAPPLE leveraged Google’s cloud infrastructure to proliferate a data-stealing malware referred to as Astaroth (also known as Guildma) in assaults targeting users from Brazil.
“PINEAPPLE leveraged compromised Google Cloud instances and self-created Google Cloud projects to produce container links on legitimate Google Cloud serverless domains like cloudfunctions[.]net and run.app,” Google pointed out. “The links directed individuals to malicious infrastructure hosting Astaroth.”
Moreover, the cybercriminals attempted to sidestep email security measures by exploiting mail forwarding services that do not discard messages lacking Sender Policy Framework (SPF) records, or by inserting unexpected data into the SMTP Return-Path field to trigger a DNS lookup timeout so that email authentication fails instead of producing a definitive result.
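As an added, defender-side illustration (not code from the Google report or this article), the following triage routine parses a message's Authentication-Results and Return-Path headers, treats an SPF "temperror" or "none" as an unauthenticated result rather than a pass, and flags bounce-address domains that look built to break DNS lookups. The sample headers, the Mercado Pago look-alike sender and the label-length threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample headers (not from the report): the SPF check timed out
# (temperror) and the bounce address uses a long, machine-looking DNS label.
SAMPLE_TEMPERROR = """\
Return-Path: <bounce@x9f3k2mq7w1lz0ba5rcd8n4ej6htpyovusgi.bounce-relay.invalid>
Authentication-Results: mx.example.net; spf=temperror smtp.mailfrom=bounce@x9f3k2mq7w1lz0ba5rcd8n4ej6htpyovusgi.bounce-relay.invalid
From: "Mercado Pago" <no-reply@mercadopago.example>
Subject: Confirme sua conta

(body)
"""
SAMPLE_PASS = """\
Return-Path: <news@legit.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=news@legit.example
From: News <news@legit.example>
Subject: Weekly update

(body)
"""

# SPF outcomes that are not a pass but that lenient relays often forward anyway.
NOT_AUTHENTICATED = {"none", "temperror", "permerror", "fail", "softfail"}
MAX_LABEL = 32  # assumed tunable threshold; DNS itself allows labels up to 63

def spf_result(msg: Message) -> str:
    """SPF token from the Authentication-Results header (RFC 8601); 'none' if absent."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else "none"

def _domain(header_value: str) -> str:
    """Domain part of an address header such as '<user@host>' or 'Name <user@host>'."""
    m = re.search(r"<([^>]*)>", header_value)
    addr = (m.group(1) if m else header_value).strip()
    return addr.rpartition("@")[2].lower()

def _org(domain: str) -> str:
    return ".".join(domain.split(".")[-2:])  # crude organizational domain (last two labels)

def return_path_anomalies(msg: Message) -> list[str]:
    """Heuristics for a MAIL FROM domain that looks crafted to stall or fail DNS lookups."""
    domain = _domain(msg.get("Return-Path", ""))
    findings = []
    if not domain or "." not in domain:
        findings.append("return-path domain missing or has no TLD")
    if any(len(label) > MAX_LABEL for label in domain.split(".")):
        findings.append("oversized DNS label in return-path domain")
    if re.search(r"[^a-z0-9.-]", domain):
        findings.append("unexpected characters in return-path domain")
    return findings

def triage(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    spf, anomalies = spf_result(msg), return_path_anomalies(msg)
    aligned = _org(_domain(msg.get("Return-Path", ""))) == _org(_domain(msg.get("From", "")))
    if spf == "pass" and aligned and not anomalies:
        verdict = "deliver"
    elif spf in NOT_AUTHENTICATED and (anomalies or not aligned):
        verdict = "quarantine"  # a timed-out or missing SPF check is a failure, not a free pass
    else:
        verdict = "review"
    return {"spf": spf, "aligned": aligned, "anomalies": anomalies, "verdict": verdict}
```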
The tech giant revealed that it intervened by shutting down the malicious Google Cloud projects and updating its Safe Browsing lists.
The misuse of cloud services and architecture by malicious actors – ranging from unauthorized cryptocurrency mining that results from misconfigurations to ransomware – has been fueled by the broader adoption of cloud technology across various sectors.
Furthermore, this approach aids cyber adversaries in blending seamlessly into routine network operations, thereby making their detection significantly more challenging.
“Cybercriminals exploit the versatility and deployment simplicity of serverless platforms to spread malware and host deceptive websites,” as per the company. “Adversaries misusing cloud services adapt their strategies in response to defensive actions employed by security teams.”
