Security News > 2024 > July > PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing
A Latin America-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes.
The campaign involved the use of Google Cloud container URLs to host credential phishing pages with the aim of harvesting login information associated with Mercado Pago, an online payments platform popular in the LATAM region.
Separately, Google's cloud infrastructure has also been weaponized by another adversary named PINEAPPLE to propagate another stealer malware known as Astaroth as part of attacks targeting Brazilian users.
"PINEAPPLE used compromised Google Cloud instances and Google Cloud projects they created themselves to create container URLs on legitimate Google Cloud serverless domains such as cloudfunctions[.]net and run.app," Google noted.
The search giant said it took steps to mitigate the activities by taking down the malicious Google Cloud projects and updating its Safe Browsing lists.
The weaponization of cloud services and infrastructure by threat actors - ranging from illicit cryptocurrency mining as a consequence of weak configurations to ransomware - has been fueled by the enhanced adoption of cloud across industries.
News URL
https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html
Related news
- Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials (source)
- Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform (source)
- Snowflake Warns: Targeted Credential Theft Campaign Hits Cloud Customers (source)
- New phishing toolkit uses PWAs to steal login credentials (source)
- North Korean Hackers Target Brazilian Fintech with Sophisticated Phishing Tactics (source)
- Scattered Spider hackers switch focus to cloud apps for data theft (source)
- CloudSorcerer hackers abuse cloud services to steal Russian govt data (source)
- Google fixes Chrome Password Manager bug that hides credentials (source)