Google Cloud projects being hijacked for phishing campaigns
The company has confirmed that multiple hacking groups in Latin America have abused Google Cloud’s infrastructure in their phishing attacks.
According to Google's biannual Threat Horizons Report, at least two threat actors, FLUXROOT and PINEAPPLE, have abused Google Cloud as part of their infrastructure.
FLUXROOT conducted a phishing campaign to steal credentials for Mercado Pago, a popular online payment platform for the Latin American region. In its campaign, the threat actor used Google Cloud container URLs to host the phishing pages, the company said.
PINEAPPLE and Astaroth
“Serverless architectures are attractive to developers and enterprises because of their flexibility, cost-effectiveness, and ease of use,” Google said in its report. “These same features make serverless computing services across all cloud providers attractive to threat actors, who use them to deliver and communicate with their malware, host and direct users to phishing pages, and execute malware and malicious scripts that are specifically tailored to run in a serverless environment.”
FLUXROOT was previously found to be distributing the Grandoreiro banking trojan.
PINEAPPLE, on the other hand, used Google Cloud to distribute Astaroth (also known as Guildma), a widely used information-stealing malware family.
“PINEAPPLE used compromised Google Cloud instances and Google Cloud projects of their own making to create container URLs on legitimate serverless Google Cloud domains such as cloudfunctions[.]net and run.app,” Google explained. “The URLs hosted landing pages that redirected targets to malicious infrastructure that dropped Astaroth.”
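The pattern Google describes, a landing page on a legitimate serverless hostname that bounces the visitor to attacker-controlled infrastructure, leaves a recognisable trace in web-proxy logs: a 3xx response from a `*.cloudfunctions.net` or `*.run.app` host whose `Location` points outside Google-owned domains. The detection below is an added example, not code from Google's report or The Hacker News. It runs over constructed proxy log lines whose field layout (timestamp, client, method, URL, status, redirect location) is an assumption, and the list of "expected" Google suffixes is a starting point to tune for your environment.

```python
"""Flag redirects that start on a Google serverless hostname and leave Google-owned space.

Added example (not from Google's Threat Horizons Report). The log format and the
suffix lists are assumptions; adapt them to your proxy's schema.
"""
import re
from urllib.parse import urlparse

# Serverless domains named in the report as abused for landing pages.
SERVERLESS_SUFFIXES = (".cloudfunctions.net", ".run.app")
# Redirect targets treated as benign (assumption: extend with your own allowlist).
GOOGLE_OWNED_SUFFIXES = SERVERLESS_SUFFIXES + (
    ".google.com", ".googleapis.com", ".googleusercontent.com",
)

# Assumed proxy log layout: ts client method url status location ("-" if none).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<location>\S+)$"
)

# Constructed sample traffic; hostnames and IPs are fictitious (RFC 5737 / .example).
SAMPLE_LOG = """\
2024-07-22T13:01:05Z 10.0.0.12 GET https://us-central1-example-proj.cloudfunctions.net/pago 302 https://mp-verificacion.phish.example/login
2024-07-22T13:01:07Z 10.0.0.12 GET https://mp-verificacion.phish.example/login 200 -
2024-07-22T13:02:10Z 10.0.0.33 GET https://invoice-svc-abc123-uc.a.run.app/ 200 -
2024-07-22T13:03:44Z 10.0.0.41 GET https://promo-xyz-uc.a.run.app/index 302 https://storage.googleapis.com/legit-bucket/index.html
2024-07-22T13:04:01Z 10.0.0.41 GET https://download-1234-uc.a.run.app/nf 301 http://203.0.113.5:8080/payload.zip
"""


def refang(indicator: str) -> str:
    """Turn defanged indicators from reports (hxxp, [.]) back into usable strings."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or "" for relative/unparseable values."""
    try:
        return (urlparse(refang(url)).hostname or "").lower()
    except ValueError:
        return ""


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["location"] = None if rec["location"] == "-" else rec["location"]
    return rec


def is_suspicious(rec: dict) -> bool:
    """True for a 3xx hop from a serverless host to a non-Google destination."""
    src = host_of(rec["url"])
    if not src.endswith(SERVERLESS_SUFFIXES):
        return False
    if not rec["location"] or not 300 <= rec["status"] < 400:
        return False
    # A relative Location header stays on the same host, so fall back to src.
    dst = host_of(rec["location"]) or src
    return not dst.endswith(GOOGLE_OWNED_SUFFIXES)


def find_suspicious_redirects(log_text: str) -> list:
    """Return one alert dict per suspicious redirect, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            alerts.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "serverless_host": host_of(rec["url"]),
                "status": rec["status"],
                "redirect_host": host_of(rec["location"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_redirects(SAMPLE_LOG):
        print(alert)
```

On the sample data this flags the hop from the `cloudfunctions.net` function to `mp-verificacion.phish.example` and the hop from the `run.app` service to a bare IP, while the redirect into `storage.googleapis.com` passes. Treating the hit as a lead rather than a verdict is the practical stance: legitimate apps on these domains do redirect off-Google, so pair the alert with the destination's age, reputation and whether the client then submitted a form.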
In response to these campaigns, the company removed the malicious Google Cloud projects and updated its Safe Browsing list.
“Threat actors are taking advantage of the flexibility and ease of deployment of serverless platforms to spread malware and host phishing pages,” the company concluded. “Threat actors abusing cloud services are changing their tactics in response to defenders’ detection and mitigation efforts.”
Via The Hacker News