Google Cloud targeted by PINEAPPLE and FLUXROOT for phishing attacks
Google Cloud serverless projects are being used by a Latin American financially motivated threat group, codenamed FLUXROOT, to orchestrate credential phishing campaigns, The Hacker News has reported.
This case is not isolated: many threat actors are abusing cloud computing services for malicious ends, which poses a pressing challenge for IT and cybersecurity professionals.
Google’s biannual Threat Horizons Report examines the expansion of serverless architecture and offers advice on what you need to know. As the report notes, the same aspects of serverless technology that make it beneficial to legitimate enterprises – its flexibility, low cost, and simplicity – have attracted cybercriminals. Specifically, threat actors have been turning to this infrastructure as a service to proliferate malware, store and serve phishing pages, and run serverless-compatible scripts.
Regarding FLUXROOT, the group used Google Cloud container URLs to host sophisticated credential phishing pages. Their target was Mercado Pago, a highly popular online payments platform used throughout the Latin American region. The group’s effort relied on impersonating the platform’s login interface to harvest users’ login credentials, with the objective of securing unauthorised access to the victims’ financial accounts.
It’s worth noting that FLUXROOT’s work is not limited to this particular campaign. The group is also known for distributing the information-stealing Grandoreiro banking trojan, a sophisticated malware targeting financial operations. Recently, it has been found that FLUXROOT’s tactics have changed, and it now uses other legitimate cloud services to distribute the malware, including Microsoft Azure and Dropbox. These tactics have been successful, and cloud services have become one more channel through which the group conducts its “business.”
But FLUXROOT isn’t the only threat actor exploiting Google’s cloud infrastructure. Another adversary, identified as PINEAPPLE, has been observed using Google Cloud to propagate a different strain of malware known as Astaroth (also called Guildma). This stealer malware primarily targets Brazilian users, highlighting the regional focus of some of these attacks.
PINEAPPLE’s methodology involved both compromising existing Google Cloud instances and creating their own projects. They used these resources to generate container URLs on legitimate Google Cloud serverless domains, such as cloudfunctions[.]net and run.app. These URLs hosted landing pages that would then redirect unsuspecting targets to malicious infrastructure, resulting in the deployment of the Astaroth malware.
Furthermore, PINEAPPLE demonstrated high-level evasion techniques. For instance, they used mail forwarding services that do not drop messages that fail Sender Policy Framework (SPF) checks. They also inserted unexpected data into the SMTP Return-Path field, which triggered time-outs in the DNS requests made during email authentication and caused the SPF checks to fail. These techniques are sophisticated and show how quickly offensive capabilities are maturing.
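As an added, defender-side illustration that is not part of the original report, the following Python triage function scores a raw email message for the three signals described in the two paragraphs above: a malformed SMTP Return-Path, an SPF result of fail or temperror, and links to cloudfunctions.net or run.app. The Return-Path heuristic, the escalation threshold and the sample message are all assumptions constructed for this example.

```python
import re
from email import message_from_string

# Serverless domains named in the report; links to them get flagged for review.
SERVERLESS_SUFFIXES = ("cloudfunctions.net", "run.app")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Assumed heuristic: a Return-Path is "unexpected" unless it is a single plain
# mailbox, optionally wrapped in <>, with no stray separators or whitespace.
RETURN_PATH_RE = re.compile(r"^<?[A-Za-z0-9._%+=-]+@[A-Za-z0-9.-]+>?$")
# A DNS time-out while evaluating SPF surfaces as temperror (RFC 7208), so it
# is treated like fail rather than ignored.
BAD_SPF = {"fail", "softfail", "temperror", "permerror"}

def spf_result(msg):
    """Return the spf= verdict from Authentication-Results, or 'none'."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", hdr)
        if m:
            return m.group(1).lower()
    return "none"

def serverless_hosts(body):
    """Hostnames linked in the body that sit under a serverless suffix."""
    return [h for h in URL_RE.findall(body) if h.lower().endswith(SERVERLESS_SUFFIXES)]

def triage(raw):
    """Score one raw message; returns findings for an analyst queue."""
    msg = message_from_string(raw)
    rp = (msg.get("Return-Path") or "").strip()
    findings = []
    if rp and not RETURN_PATH_RE.match(rp):
        findings.append("unexpected Return-Path data")
    verdict = spf_result(msg)
    if verdict in BAD_SPF:
        findings.append("spf=" + verdict)
    hosts = serverless_hosts(msg.get_payload())
    if hosts:
        findings.append("link to serverless host")
    # Any one signal alone is common; two or more together is escalated.
    return {"findings": findings, "hosts": hosts, "escalate": len(findings) >= 2}

# Constructed sample (not real traffic) mirroring the tactics described above.
SUSPICIOUS = """\
Return-Path: <pagos@example.invalid;; extra data>
Authentication-Results: mx.example.invalid; spf=temperror smtp.mailfrom=example.invalid
From: notices@example.invalid
Subject: Account notice

Review your account: https://verify-abc123.cloudfunctions.net/page
"""
```

Running `triage(SUSPICIOUS)` yields all three findings and `escalate` set to True; a message with a clean Return-Path, `spf=pass` and ordinary links produces no findings.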
In response to these threats, Google has taken decisive action. The tech giant has shut down the identified malicious Google Cloud projects and updated its Safe Browsing lists to protect users. However, the incident highlights the ongoing cat-and-mouse game between cybersecurity defenders and threat actors in the cloud space.
The weaponisation of cloud services and infrastructure by cybercriminals is not limited to phishing and malware distribution. Other malicious activities, such as illicit cryptocurrency mining exploiting weak configurations and ransomware attacks, have also seen a surge in cloud environments. This trend is largely driven by the widespread adoption of cloud technologies across various industries.
One of the most significant challenges posed by this shift is the increased difficulty in detecting malicious activities. By leveraging legitimate cloud services, threat actors can more easily blend their operations into normal network traffic, making it harder for security teams to distinguish between legitimate and malicious activities.
Whatever the case, with the current pace of cloud adoption – whether or not that adoption is controlled – it is evident that both cloud providers and their customers should remain on guard. Regular security audits, strong authentication, and modern threat detection systems are rapidly becoming prerequisites for any secure cloud environment. The attacks of tomorrow are never going to be the same as the attacks of yesterday, and neither should our tools against them.