Financially motivated threat actors based in Latin America [1] [2] [3] [4], such as FLUXROOT and PINEAPPLE, have been abusing Google Cloud serverless projects to run credential phishing campaigns and distribute malware targeting online payment platforms in the LATAM region. The attackers are not exploiting a flaw in the cloud platform; they host their content on legitimate serverless hostnames so that it inherits the reputation of Google's domains.
Description
FLUXROOT has targeted platforms such as Mercado Pago with credential phishing campaigns and has distributed the Grandoreiro banking trojan through legitimate services including Microsoft Azure and Dropbox. PINEAPPLE has used Google Cloud infrastructure to spread the Astaroth malware by hosting phishing pages on container URLs under legitimate serverless domains such as cloudfunctions[.]net and run[.]app. Because the lure URLs sit on Google-owned domains, they pass email gateway reputation checks and the resulting traffic blends into normal network activity [1], which makes detection more challenging [1].
To counter this kind of cloud-hosted abuse, organizations should harden their own cloud projects, monitor access to cloud resources and outbound traffic to serverless domains, encrypt data, conduct regular security assessments, and train users to recognise phishing lures, including ones served from trusted domains [3]. Collaboration among industry stakeholders, law enforcement agencies, and security researchers is essential to disrupt actors such as FLUXROOT [3]. Google has mitigated the observed activity by taking down the malicious Google Cloud projects and adding the phishing URLs to its Safe Browsing lists [1] [2] [4].
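Because the phishing pages live on legitimate Google serverless domains, a domain-reputation block on cloudfunctions.net or run.app is not an option; the practical detection is per hostname. The following Python is an added example, not code from the cited reports or from Google: it scans constructed proxy log lines, isolates hostnames under the two serverless suffixes named above, and flags any hostname the organisation has not registered as its own, raising the severity when the host or path carries a lure keyword. The allowlist, the keyword list, the log format and every hostname in the sample are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Serverless suffixes named in the reports. Everything under them is served by
# Google, so registrable-domain reputation is useless; decide per hostname.
SERVERLESS_SUFFIXES = (".cloudfunctions.net", ".run.app")

# Hypothetical allowlist of serverless hostnames the organisation deploys itself.
KNOWN_GOOD_HOSTS = {
    "us-central1-acme-payments-prod.cloudfunctions.net",
    "checkout-api-k3j9d2f1aq-uc.a.run.app",
}

# Assumed lure keywords; presence in host or path raises severity.
LURE_KEYWORDS = ("login", "pago", "verify", "seguro", "banco")

# Constructed proxy log lines: "<timestamp> <user> <method> <url>".
SAMPLE_LOG = """\
2024-07-22T13:01:05Z alice GET https://us-central1-acme-payments-prod.cloudfunctions.net/api/balance
2024-07-22T13:02:11Z bob GET https://southamerica-east1-mp-login-verify.cloudfunctions.net/index.html
2024-07-22T13:03:40Z carol GET https://checkout-api-k3j9d2f1aq-uc.a.run.app/health
2024-07-22T13:04:02Z dave GET https://pago-seguro-7h2x9q1lpa-rj.a.run.app/login?session=1
2024-07-22T13:05:30Z erin GET https://www.example.com/
2024-07-22T13:06:00Z frank GET https://evil.run.app.example.com/
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def serverless_host(url):
    """Return the lower-cased hostname if it sits under a serverless suffix, else None.

    The suffix check is anchored with a leading dot so that a lookalike such as
    evil.run.app.example.com is not mistaken for a Google-hosted name.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for suffix in SERVERLESS_SUFFIXES:
        if host.endswith(suffix):
            return host
    return None


def severity(host, url):
    """'high' when a lure keyword appears in the host or path, otherwise 'medium'."""
    path = urlsplit(url).path.lower()
    if any(k in host or k in path for k in LURE_KEYWORDS):
        return "high"
    return "medium"


def scan_log(text, known_good=KNOWN_GOOD_HOSTS):
    """Return (ts, user, host, url, severity) for serverless hosts not in the allowlist."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the whole scan
        host = serverless_host(m["url"])
        if host is None or host in known_good:
            continue
        findings.append((m["ts"], m["user"], host, m["url"], severity(host, m["url"])))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%s %s %s %s -> %s" % f)
```

The allowlist is the important part: in a real deployment it should be generated from the organisation's own Cloud Functions and Cloud Run inventory rather than maintained by hand, and any first-seen hostname under these suffixes is worth a ticket even without a lure keyword, because a fresh project is exactly what a takedown-and-rebuild actor produces.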
Conclusion
The abuse of Google Cloud serverless projects for phishing and malware delivery poses significant risk to online payment platforms and their users in the LATAM region. Strong security controls [3], collaboration among stakeholders, and continuous monitoring of traffic to serverless domains are essential to combating these threats. Google's takedowns and Safe Browsing updates mitigate the campaigns observed so far, but the actors can register new projects, so ongoing vigilance and cooperation remain necessary.
References
[1] https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html
[2] https://www.matricedigitale.it/sicurezza-informatica/pineapple-e-fluxroot-sfruttano-google-cloud-per-il-phishing/
[3] https://www.krofeksecurity.com/uncovering-the-threat-how-pineapple-and-fluxroot-hacker-groups-exploit-google-cloud-for-credential-phishing/
[4] https://www.redpacketsecurity.com/pineapple-and-fluxroot-hacker-groups-abuse-google-cloud-for-credential-phishing/