PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing

A Latin America-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes.
The campaign involved the use of Google Cloud container URLs to host credential phishing pages with the aim of harvesting login information associated with Mercado Pago, an online payments platform popular in the LATAM region.
Separately, Google's cloud infrastructure has also been weaponized by another adversary named PINEAPPLE to propagate a stealer malware known as Astaroth as part of attacks targeting Brazilian users.
"PINEAPPLE used compromised Google Cloud instances and Google Cloud projects they created themselves to create container URLs on legitimate Google Cloud serverless domains such as cloudfunctions[.]net and run.app," Google noted.
The search giant said it took steps to mitigate the activities by taking down the malicious Google Cloud projects and updating its Safe Browsing lists.
The weaponization of cloud services and infrastructure by threat actors, ranging from illicit cryptocurrency mining as a consequence of weak configurations to ransomware, has been fueled by the increased adoption of cloud across industries.
News URL
https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html