
Hacker groups found abusing Google Cloud for credential phishing


Serverless architectures are great for developers, considering their flexibility, cost-effectiveness, and ease of use. However, these advantages also apply to threat actors, as Google finds at least two hacking groups, Pineapple and Fluxroot, using its Google Cloud serverless projects to launch credential phishing attacks.

In its Threat Horizons report, the search giant details that in mid-2023, the Threat Analysis Group (TAG) and Safe Browsing detected Google Cloud abuse by the Pineapple group. The group leveraged Cloud Run and Cloud Functions to distribute the Astaroth info stealer. In addition to using compromised Google Cloud instances and Google Cloud projects, the group set up its own projects on legitimate Google Cloud serverless domains to lend the campaign more legitimacy.

The threat actor also reportedly attempted to bypass email gateway protections by relaying through mail forwarding services whose messages lack Sender Policy Framework (SPF) records. Another tactic was to insert unexpected data into the SMTP Return-Path field, triggering a DNS request timeout so that email authentication checks fail.
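The Return-Path tactic works because a resolver that times out on a garbage domain yields an SPF "temperror", which a lenient gateway may wave through. The helper below is an added example (not code from Google's report or this article) that rejects Return-Path domains that cannot be well-formed DNS names before any lookup is attempted; the header samples and the rule thresholds are constructed assumptions.

```python
"""Sanity-check an SMTP Return-Path domain before running an SPF lookup."""
import re
from typing import List, Optional

# RFC 1035 hostname label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_DOMAIN_LEN = 253  # maximum length of a full domain name in octets


def return_path_domain(header_value: str) -> Optional[str]:
    """Extract the domain from a Return-Path value such as '<user@example.com>'.

    Returns None for the null sender '<>' (bounces carry no domain to check)
    and '' when an address is present but has no '@' (treated as malformed).
    """
    m = re.search(r"<([^>]*)>", header_value)
    addr = m.group(1) if m else header_value.strip()
    if addr == "":
        return None
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1]


def return_path_anomalies(header_value: str) -> List[str]:
    """Return the reasons a Return-Path should fail authentication up front.

    An empty list means the domain looks like a name a resolver can answer
    quickly; anything else would otherwise burn the DNS timeout budget.
    """
    domain = return_path_domain(header_value)
    if domain is None:
        return []
    if domain == "":
        return ["no domain part"]
    reasons: List[str] = []
    if len(domain) > MAX_DOMAIN_LEN:
        reasons.append(f"domain longer than {MAX_DOMAIN_LEN} octets")
    if any(ch.isspace() for ch in domain):
        reasons.append("whitespace inside domain")
    labels = domain.rstrip(".").split(".")
    if len(labels) < 2:
        reasons.append("single-label domain")
    for label in labels:  # stop at the first label that is not valid hostname syntax
        if not LABEL_RE.match(label):
            reasons.append(f"label not valid hostname syntax: {label[:20]!r}")
            break
    return reasons
```

A gateway that applies this check can record a hard failure and skip the SPF query entirely, rather than letting a resolver timeout downgrade the result to temperror.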

A phishing page impersonating the Brazilian government’s electronic tax document system. | Source: Google

Fluxroot operates in a similar way, although its campaigns are more targeted. The group uses Google Cloud container URLs to host credential phishing pages that try to steal login information for Mercado Pago, a popular payment platform in the Latin American region where the group is primarily based.

Fluxroot is also known for using the Grandoreiro banking trojan. Additionally, the group’s campaigns use more than just Google Cloud. Evidence suggests the group has exploited other legitimate cloud services like Azure and Dropbox to distribute malware.

The adoption of serverless and cloud architectures is quickly rising among hacking groups globally. These architectures keep the cost of running campaigns down and allow threat groups to blend into what would otherwise look like normal network activity, keeping operating costs to a minimum while making detection harder.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
