PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing

Summary:
A financially motivated threat actor based in Latin America (LATAM), codenamed FLUXROOT, has been leveraging Google Cloud serverless projects to conduct credential phishing campaigns, underscoring the misuse of cloud computing for nefarious activities. Google's biannual Threat Horizons Report emphasizes that serverless architectures are highly attractive to developers and enterprises due to their flexibility, cost-effectiveness, and ease of use. However, these same features also appeal to threat actors, who exploit serverless computing services across all cloud providers. These malicious actors use these platforms to deliver and communicate with their malware, host phishing pages, and execute malicious scripts designed specifically for serverless environments.


The FLUXROOT campaign involved using Google Cloud container URLs to host phishing pages aimed at harvesting login information for Mercado Pago, a popular online payments platform in the LATAM region. FLUXROOT, known for distributing the Grandoreiro banking trojan, has also utilized legitimate cloud services like Microsoft Azure and Dropbox in their recent campaigns.


In a separate incident, another threat actor named PINEAPPLE weaponized Google's cloud infrastructure to spread the Astaroth stealer malware targeting Brazilian users. PINEAPPLE used compromised Google Cloud instances and self-created Google Cloud projects to generate container URLs on legitimate Google Cloud serverless domains. These URLs hosted landing pages that redirected targets to malicious infrastructure, leading to the deployment of Astaroth.


Security Officer Comments:
PINEAPPLE also attempted to bypass email gateway protections by using mail forwarding services that do not discard messages with failed Sender Policy Framework (SPF) records. Additionally, they incorporated unexpected data in the SMTP Return-Path field to trigger DNS request timeouts, causing email authentication checks to fail.
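The two evasions above both rely on a gateway that treats an SPF verdict other than "pass" as harmless. The following added example, which is not code from the report or from Google, shows a fail-closed policy at a receiving gateway: a Return-Path whose domain does not even parse is quarantined before any DNS lookup, an SPF temperror (the result a DNS timeout produces) is quarantined rather than waved through, and mail arriving via a known forwarder is judged on DKIM because SPF on the original envelope sender fails there by design. The forwarder list, header samples and decision table are constructed for the example.

```python
import re
from enum import Enum


class Action(Enum):
    ACCEPT = "accept"
    QUARANTINE = "quarantine"
    REJECT = "reject"


# SPF result names from RFC 7208 section 2.6.
SPF_RESULTS = {"pass", "fail", "softfail", "neutral", "none", "temperror", "permerror"}

# Hypothetical relays this gateway knows as legitimate mail forwarders. A forwarder
# re-sends mail from its own IPs, so SPF on the original envelope sender fails by
# design; for that path the gateway falls back to the DKIM result instead.
TRUSTED_FORWARDERS = {"forwarder.example.net"}

# Conservative domain shape (RFC 1035 / RFC 5321 limits): dotted labels of at most
# 63 octets, 253 octets overall, no leading or trailing hyphen. Anything else is
# rejected before a DNS lookup is ever attempted.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def return_path_domain(return_path):
    """Return the domain of a Return-Path value, or None if the address is malformed."""
    m = re.fullmatch(r"\s*<?([^<>@\s]+)@([^<>@\s]+)>?\s*", return_path)
    if not m:
        return None
    domain = m.group(2)
    return domain if DOMAIN_RE.match(domain) else None


def auth_result(auth_results, method):
    """Read '<method>=<result>' (e.g. spf=pass) from an Authentication-Results value."""
    m = re.search(r"\b%s=([a-z]+)" % method, auth_results, re.IGNORECASE)
    if not m:
        return "none"
    result = m.group(1).lower()
    if method == "spf" and result not in SPF_RESULTS:
        return "permerror"
    return result


def decide(auth_results, return_path, relay_host):
    """Map authentication results to a gateway action, failing closed on errors."""
    if return_path_domain(return_path) is None:
        # A Return-Path the gateway cannot even parse never earns a pass.
        return Action.QUARANTINE

    spf = auth_result(auth_results, "spf")
    dkim = auth_result(auth_results, "dkim")

    if spf == "pass":
        return Action.ACCEPT
    if spf in ("temperror", "permerror"):
        # A DNS timeout or a broken record is an unanswered question, not a pass.
        return Action.QUARANTINE
    if spf == "fail":
        if relay_host in TRUSTED_FORWARDERS and dkim == "pass":
            return Action.ACCEPT
        return Action.REJECT
    # softfail, neutral, none: SPF alone says little; lean on DKIM.
    return Action.ACCEPT if dkim == "pass" else Action.QUARANTINE


# Constructed header samples (not taken from the report) exercising each branch.
SAMPLES = [
    ("gw.example.com; spf=pass smtp.mailfrom=sender.example",
     "<bounce@sender.example>", "mx1.sender.example"),
    ("gw.example.com; spf=temperror smtp.mailfrom=sender.example",
     "<bounce@sender.example>", "203.0.113.10"),
    ("gw.example.com; spf=pass smtp.mailfrom=sender.example",
     "<bounce@" + "a" * 300 + ".example>", "203.0.113.10"),
    ("gw.example.com; spf=fail dkim=pass header.d=sender.example",
     "<bounce@sender.example>", "forwarder.example.net"),
    ("gw.example.com; spf=fail dkim=pass header.d=sender.example",
     "<bounce@sender.example>", "198.51.100.7"),
]

if __name__ == "__main__":
    for ar, rp, relay in SAMPLES:
        print(f"{relay:22} {rp[:40]:42} -> {decide(ar, rp, relay).value}")
```

The important branch is the third sample: the upstream verifier reports spf=pass, but the envelope domain is 300 characters long, so the gateway quarantines it anyway. The verdict a forwarder attaches is never trusted further than the gateway's own parsing of the headers.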


Google mitigated these campaigns by taking down the malicious Google Cloud projects and updating its Safe Browsing lists. The weaponization of cloud services and infrastructure by threat actors has grown with the adoption of cloud across industries: traffic to and from well-known cloud domains blends into normal network activity, making detection more challenging.


Suggested Corrections:

  • For identities and permissions, closely manage accounts with high privilege and administrator access and apply least privilege principles to ensure each user has the minimum required permissions.
  • Incorporate monitoring and controls to detect malware, unwanted software, exploits, and other host-based threats.
  • Use Workspace alerts for leaked passwords to monitor for compromised credentials, which are often stolen by infostealer malware. Implement a playbook resetting user credentials and checking affected hosts for signs of malware.
  • If using Google Cloud Run, from a back-end services perspective, containerized workload risk mitigations include incorporating Google Security Command Center’s Container Threat Detection and refraining from downloading untrusted containers.
  • Configure Cloud Functions network settings and Cloud Run network settings to enable control of network ingress and egress to and from individual functions.
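The last two corrections are the kind of thing that drifts silently as services are redeployed, so a periodic audit is worth more than a one-time setting. The following added example (not code from the report or from Google) checks the JSON that `gcloud run services describe --format=json` and `gcloud functions describe --format=json` return against a policy: ingress limited to internal callers (optionally via a Google Cloud load balancer), and egress forced through a VPC connector so it can be filtered. The annotation keys and enum values are the ones the Cloud Run (Knative) and Cloud Functions v1 APIs expose; the sample descriptions and the choice of "all traffic through the connector" as the required egress setting are assumptions made for the example.

```python
import json

# Policy values. Cloud Run carries them as Knative annotations; Cloud Functions
# (v1 API) as top-level fields. Defaults when a key is absent are the permissive
# platform defaults: ingress open to all, no connector, private ranges only.
RUN_INGRESS_OK = {"internal", "internal-and-cloud-load-balancing"}
RUN_EGRESS_OK = {"all-traffic"}
FN_INGRESS_OK = {"ALLOW_INTERNAL_ONLY", "ALLOW_INTERNAL_AND_GCLB"}
FN_EGRESS_OK = {"ALL_TRAFFIC"}


def audit_run_service(svc):
    """Return a list of findings (strings) for one Cloud Run service description."""
    meta = svc.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    ingress = meta.get("annotations", {}).get("run.googleapis.com/ingress", "all")
    tmpl = svc.get("spec", {}).get("template", {}).get("metadata", {}).get("annotations", {})
    connector = tmpl.get("run.googleapis.com/vpc-access-connector")
    egress = tmpl.get("run.googleapis.com/vpc-access-egress", "private-ranges-only")

    findings = []
    if ingress not in RUN_INGRESS_OK:
        findings.append(f"run/{name}: ingress '{ingress}' is not internal")
    if not connector:
        findings.append(f"run/{name}: no VPC connector, egress bypasses VPC controls")
    elif egress not in RUN_EGRESS_OK:
        findings.append(f"run/{name}: vpc-access-egress '{egress}' leaves public egress outside the VPC")
    return findings


def audit_function(fn):
    """Return a list of findings for one Cloud Functions (v1) description."""
    name = fn.get("name", "<unnamed>").rsplit("/", 1)[-1]
    ingress = fn.get("ingressSettings", "ALLOW_ALL")
    connector = fn.get("vpcConnector")
    egress = fn.get("vpcConnectorEgressSettings", "PRIVATE_RANGES_ONLY")

    findings = []
    if ingress not in FN_INGRESS_OK:
        findings.append(f"function/{name}: ingressSettings '{ingress}' is not internal")
    if not connector:
        findings.append(f"function/{name}: no VPC connector, egress bypasses VPC controls")
    elif egress not in FN_EGRESS_OK:
        findings.append(f"function/{name}: vpcConnectorEgressSettings '{egress}' leaves public egress outside the VPC")
    return findings


def audit(run_services, functions):
    """Audit all descriptions; returns the combined findings list (empty means compliant)."""
    findings = []
    for svc in run_services:
        findings.extend(audit_run_service(svc))
    for fn in functions:
        findings.extend(audit_function(fn))
    return findings


# Constructed sample descriptions, shaped like the gcloud JSON output but not
# taken from any real project. 'good' entries follow the policy, 'bad' ones do not.
SAMPLE_RUN = json.loads("""[
  {"metadata": {"name": "good-api",
                "annotations": {"run.googleapis.com/ingress": "internal"}},
   "spec": {"template": {"metadata": {"annotations": {
       "run.googleapis.com/vpc-access-connector": "projects/p/locations/l/connectors/c",
       "run.googleapis.com/vpc-access-egress": "all-traffic"}}}}},
  {"metadata": {"name": "bad-api",
                "annotations": {"run.googleapis.com/ingress": "all"}},
   "spec": {"template": {"metadata": {"annotations": {}}}}}
]""")

SAMPLE_FUNCTIONS = json.loads("""[
  {"name": "projects/p/locations/l/functions/good-fn",
   "ingressSettings": "ALLOW_INTERNAL_AND_GCLB",
   "vpcConnector": "projects/p/locations/l/connectors/c",
   "vpcConnectorEgressSettings": "ALL_TRAFFIC"},
  {"name": "projects/p/locations/l/functions/bad-fn",
   "ingressSettings": "ALLOW_ALL",
   "vpcConnector": "projects/p/locations/l/connectors/c",
   "vpcConnectorEgressSettings": "PRIVATE_RANGES_ONLY"}
]""")

if __name__ == "__main__":
    for line in audit(SAMPLE_RUN, SAMPLE_FUNCTIONS):
        print(line)
```

In practice the two sample lists would be replaced by the parsed output of `gcloud run services list --format=json` and `gcloud functions list --format=json`, and a non-empty findings list would fail the pipeline step or raise a ticket. Note the "no connector" finding is reported separately from the egress value: an egress setting is meaningless until a connector exists for the traffic to go through.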

Link(s):
https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html

PDF: https://services.google.com/fh/files/misc/threat_horizons_report_h2_2024.pdf