Two Latin America (LATAM)-based hacker groups, FLUXROOT and PINEAPPLE, have been found abusing Google Cloud serverless projects to conduct credential phishing campaigns, demonstrating the potential misuse of cloud computing models for malicious activities.
Google’s biannual Threat Horizons Report (PDF), shared with The Hacker News, reveals that serverless architectures—popular for their flexibility, cost-effectiveness, and ease of use—are being exploited by threat actors. The same qualities make them attractive to attackers for delivering malware, hosting phishing pages, and running malicious scripts tailored to serverless environments.
FLUXROOT has been using Google Cloud container URLs to host credential phishing pages targeting users of Mercado Pago, a popular online payments platform in LATAM. Known for distributing the Grandoreiro banking trojan, FLUXROOT has also utilized legitimate cloud services like Microsoft Azure and Dropbox to spread malware.
Meanwhile, the PINEAPPLE group has weaponized Google’s cloud infrastructure to propagate Astaroth (aka Guildma) malware, targeting Brazilian users. PINEAPPLE created container URLs on legitimate Google Cloud serverless domains such as cloudfunctions(.)net and run.app to host landing pages that redirected targets to malicious infrastructure.
FLUXROOT and PINEAPPLE cybercriminal groups exploiting #Google Cloud for phishing attacks targeting Mercado Pago users in Latin America.
As businesses increasingly adopt cloud services, cybercriminals are adapting their tactics. Understanding these evolving threats is crucial… pic.twitter.com/4X0sBYdzYi
— Mohit Kumar (@unix_root) July 22, 2024
To get past email gateway protections, PINEAPPLE relayed its messages through mail forwarding services that do not drop messages whose Sender Policy Framework (SPF) check fails, and placed unexpected data in the SMTP Return-Path field so that the receiving side's DNS lookups timed out. A lookup that times out yields an error result rather than a definitive pass or fail, and a gateway that only blocks on an explicit failure will deliver such a message.
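The following is an added illustration, not code from the report or from this article: a toy SPF evaluator with an in-memory DNS table and two gateway policies, used to show why a relayed message that hard-fails SPF is rejected while one whose Return-Path domain never resolves is delivered by a lenient gateway. The domains, IP ranges and Return-Path values are constructed, and the resolver timeout is modelled by raising an exception for any domain missing from the table (an assumption standing in for a real DNS timeout); only the ip4: and all mechanisms are implemented.

```python
"""Toy SPF check plus two gateway policies.  Constructed simulation: the DNS
table, domains, IPs and Return-Path values below are invented, and a resolver
timeout is modelled as 'domain not in the table'."""
import ipaddress
import re

# Constructed in-memory "DNS": domain -> SPF TXT record.  Any other domain is
# treated as a lookup that never answers (assumption replacing a real timeout).
FAKE_DNS = {
    "example-bank.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "forwarder.test": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class DnsTimeout(Exception):
    """Raised when the simulated resolver does not answer in time."""


def lookup_spf(domain):
    try:
        return FAKE_DNS[domain]
    except KeyError:
        raise DnsTimeout(domain) from None


def return_path_domain(return_path):
    """Extract the domain from a Return-Path value like '<user@domain>'.
    Returns None for the null sender '<>' or anything not of that shape; this
    toy does not fall back to the HELO identity as RFC 7208 would."""
    m = re.fullmatch(r"\s*<[^@>]+@([^>]+)>\s*", return_path)
    return m.group(1) if m else None


def check_spf(client_ip, return_path):
    """Return pass/fail/softfail/neutral/none/temperror/permerror for the
    connecting IP and the Return-Path domain."""
    domain = return_path_domain(return_path)
    if domain is None:
        return "none"
    try:
        record = lookup_spf(domain)
    except DnsTimeout:
        return "temperror"          # lookup could not complete: no verdict
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"      # mechanism this toy does not implement
    return "neutral"                # record exhausted without a match


def gateway_decision(spf_result, strict):
    """A lenient gateway rejects only a hard fail, so temperror is delivered.
    A strict gateway also holds anything that is not a clean pass or none."""
    if spf_result == "fail":
        return "reject"
    if strict and spf_result in ("softfail", "temperror", "permerror"):
        return "quarantine"
    return "deliver"


def scenarios():
    """Constructed cases: a direct send from the bank's own range, the same
    domain relayed by a forwarder, and a relayed message whose Return-Path
    domain never resolves."""
    cases = {
        "direct_from_bank": ("198.51.100.10", "<bounce@example-bank.test>"),
        "relayed_by_forwarder": ("203.0.113.5", "<bounce@example-bank.test>"),
        "relayed_stalled_lookup": ("203.0.113.5", "<bounce@%%junk.example-bank.test>"),
    }
    out = {}
    for name, (ip, rp) in cases.items():
        res = check_spf(ip, rp)
        out[name] = (res, gateway_decision(res, strict=False),
                     gateway_decision(res, strict=True))
    return out


if __name__ == "__main__":
    for name, (res, lenient, strict) in scenarios().items():
        print(f"{name:24s} spf={res:9s} lenient={lenient:10s} strict={strict}")
```

Running it shows the three outcomes side by side: the direct send passes, the relayed message hard-fails at the target because it arrives from the forwarder's IP rather than the bank's, and the relayed message with an unresolvable Return-Path domain comes back as temperror, which the lenient policy delivers and the strict policy quarantines. The practical check for a gateway is therefore what it does with temperror and permerror, not only with fail.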
In response, Google has taken down the malicious projects and updated its Safe Browsing lists to mitigate these activities. The weaponization of cloud services by threat actors highlights the increased adoption of cloud across industries and the added challenge of detecting such threats as they blend into normal network activities.
The misuse of cloud services for malicious purposes underscores the importance of vigilant security measures and continuous monitoring to protect against evolving cyber threats.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He’s also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.