Two threat groups tracked as PINEAPPLE and FLUXROOT have been observed abusing Google Cloud's serverless products to host credential-phishing pages and to stage malware delivery, taking advantage of the fact that pages served from Google-owned domains inherit that domain's reputation and a valid TLS certificate.
FLUXROOT: Targeting Mercado Pago Users
FLUXROOT, a financially motivated group operating out of Latin America (LATAM), has been using Google Cloud container URLs to host phishing pages that harvest login credentials from users of Mercado Pago, a widely used online payment platform in the region. The group is best known for distributing the Grandoreiro banking trojan, and it has previously used other legitimate cloud services, including Microsoft Azure and Dropbox, to deliver its malware.
PINEAPPLE: Spreading Astaroth Malware
Similarly, the PINEAPPLE group has been using Google Cloud instances and projects it created itself to generate container URLs on legitimate Google Cloud domains such as cloudfunctions[.]net and run[.]app. These URLs redirect victims to attacker-controlled infrastructure that serves the Astaroth (also known as Guildma) information stealer, with targeting focused on users in Brazil. To get its lures past email gateways, PINEAPPLE has relied on mail-forwarding services that do not drop messages with a failing Sender Policy Framework (SPF) record, and has placed unexpected data in the SMTP Return-Path field so that the receiving server's DNS lookup times out; a gateway that treats that temporary error as anything other than a failure effectively lets the message bypass email authentication.
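The two gateway weaknesses described above, a forwarded message whose SPF check is not `pass`, and a lookup that ends in `temperror` rather than a verdict, are both visible in the Authentication-Results header a receiving MTA stamps on the message, and the landing page on run.app or cloudfunctions.net is visible in the body. The following added example (written for this page, not code from Google or from the report) parses a constructed `.eml`-style message, reads those header results, extracts body URLs, and flags messages where an authentication problem coincides with a link on one of the two serverless domains named above. The sample messages, the domain list and the verdict labels are assumptions made for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Shared serverless domains named in the report. Assumed list for this example;
# a real deployment would maintain its own.
SERVERLESS_DOMAINS = ("run.app", "cloudfunctions.net")

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_auth_results(msg) -> dict:
    """Collect method=result pairs (spf, dkim, dmarc) from Authentication-Results.

    The first occurrence wins, which is normally the header added by our own
    gateway rather than one copied from an upstream forwarder."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(value)):
            results.setdefault(method.lower(), result.lower())
    return results


def extract_urls(text: str) -> list:
    """Pull http(s) URLs out of a plain-text body, trimming trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def is_serverless_host(url: str) -> bool:
    """True if the URL's host is one of the shared serverless domains or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SERVERLESS_DOMAINS)


def triage(raw: str) -> dict:
    """Classify a raw RFC 5322 message as deliver / review / quarantine."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    urls = extract_urls(text)

    indicators = []
    # Fail-open condition from the report: a DNS timeout during the SPF or DMARC
    # lookup yields "temperror". Treat it as suspicious, never as a pass.
    if "temperror" in (auth.get("spf"), auth.get("dmarc")):
        indicators.append("auth_temperror")
    # Forwarder that relays despite a failing (or absent) SPF result.
    elif auth.get("spf") != "pass" and auth.get("dmarc") != "pass":
        indicators.append("auth_not_pass")

    serverless = [u for u in urls if is_serverless_host(u)]
    if serverless:
        indicators.append("serverless_url")

    auth_bad = any(i.startswith("auth_") for i in indicators)
    if auth_bad and serverless:
        verdict = "quarantine"
    elif indicators:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "indicators": indicators, "auth": auth,
            "urls": urls, "serverless_urls": serverless}


# Constructed sample messages (not real campaign data). Domains are placeholders.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.net;
 spf=temperror (DNS timeout looking up example-forwarder.invalid) smtp.mailfrom=bounce@example-forwarder.invalid;
 dkim=none;
 dmarc=temperror
Return-Path: <bounce@example-forwarder.invalid>
From: "Mercado Pago" <no-reply@payments.example>
To: victim@example.com
Subject: Verifique sua conta
Content-Type: text/plain; charset=utf-8

Sua conta foi bloqueada. Acesse https://verify-account-abc123.run.app/login para reativar.
"""

SAMPLE_CLEAN = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=news@example.org; dkim=pass; dmarc=pass
From: News <news@example.org>
To: victim@example.com
Subject: Weekly digest
Content-Type: text/plain; charset=utf-8

Read this week's notes at https://docs.example.org/notes/12
"""

SAMPLE_FORWARDED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=alice@example.org; dkim=none; dmarc=fail
From: Alice <alice@example.org>
To: victim@example.com
Subject: Fwd: lunch
Content-Type: text/plain; charset=utf-8

Still on for Thursday?
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN), ("forwarded", SAMPLE_FORWARDED)):
        r = triage(raw)
        print(f"{name}: {r['verdict']} {r['indicators']} {r['serverless_urls']}")
```

The point of the `temperror` branch is policy, not parsing: RFC 7208 leaves it to the receiver how to handle a temporary DNS error, and a gateway that simply does not block on it is exactly what the Return-Path trick exploits. Quarantining on `temperror` plus a link to a shared serverless domain keeps legitimate run.app traffic flowing while catching the combination the campaign relies on.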
Mitigation Efforts by Google
Google responded by shutting down the malicious Google Cloud projects and adding the phishing pages to its Safe Browsing lists so that browsers warn users who follow the links. The company noted that the same properties that make serverless platforms attractive to developers and enterprises, low cost, minimal setup and deployment in seconds, also make them attractive to criminals, who get disposable hosting on a trusted domain with no infrastructure of their own to maintain.
Implications and Broader Trends
Abuse of cloud services by criminals is not new, but it is becoming more refined. Cloud infrastructure has long been hijacked for cryptocurrency mining and used to stage ransomware operations; what these campaigns add is the use of shared, provider-owned domains, so that by domain reputation alone the malicious traffic is indistinguishable from legitimate use of the same platform, which complicates detection.
The incidents underscore the need for vigilance from both cloud providers and their customers. For providers, that means fast takedown of abusive projects; for defenders, it means treating links on shared serverless domains as untrusted regardless of the parent domain's reputation, and making sure mail gateways do not fail open when an SPF or DMARC lookup ends in a temporary error. As threats evolve, continuous monitoring, swift mitigation and robust controls remain the basis for protecting sensitive information and maintaining trust in cloud services.