Hacker News has reported that a financially motivated threat group in Latin America, codenamed FLUXROOT, uses Google Cloud serverless projects to orchestrate credential phishing campaigns.
This case is not isolated: many threat actors abuse cloud computing services for malicious ends, which leaves IT and cybersecurity professionals with a pressing challenge.
Google’s biannual Threat Horizons Report examines the expansion of serverless architecture and offers advice on what you need to know. The report notes that the same aspects of serverless technology that benefit legitimate enterprises—flexibility, low cost, and simplicity—have attracted cyber criminals.
Specifically, threat actors have been turning to serverless infrastructure to deliver malware, store and serve phishing pages, and run serverless-compatible scripts.
Regarding FLUXROOT, the group used Google Cloud container URLs to host sophisticated credential phishing pages. Their target was Mercado Pago, a widely used online payment platform across the Latin American region. The group's campaign impersonated the platform's login interface to harvest users' credentials and gain unauthorized access to victims' financial accounts.
Notably, FLUXROOT's work is not limited to this particular campaign. The group is also known for distributing the information-stealing Grandoreiro banking trojan, a sophisticated malware family targeting financial operations. Recently, FLUXROOT's tactics have shifted, and it now uses other legitimate cloud services, including Microsoft Azure and Dropbox, to distribute the malware. These tactics have evidently been successful, and cloud services have become another channel for the group to conduct its "business."
But FLUXROOT isn’t the only threat actor exploiting Google’s cloud infrastructure. Another adversary, identified as PINEAPPLE, has been observed using Google Cloud to propagate a different strain of malware known as Astaroth (also called Guildma). This stealer malware primarily targets Brazilian users, highlighting the regional focus of some of these attacks.
PINEAPPLE's methodology involved compromising existing Google Cloud instances and creating their own projects. They used these resources to generate container URLs on legitimate Google Cloud serverless domains, such as cloudfunctions[.]net and run.
These URLs hosted landing pages that redirected unsuspecting targets to malicious infrastructure, resulting in the deployment of the Astaroth malware.
Furthermore, PINEAPPLE demonstrated high-level evasion techniques. For instance, they routed messages through mail forwarding services that do not drop messages failing Sender Policy Framework (SPF) checks. They also embedded unexpected data in the SMTP Return-Path field, which triggers time-outs in the DNS requests made during email authentication and so causes SPF checks to fail rather than produce a clean verdict. These techniques indicate how quickly attacker capabilities are advancing.
In response to these threats, Google has taken decisive action. The tech giant has shut down the identified malicious Google Cloud projects and updated its Safe Browsing lists to protect users. However, the incident highlights the ongoing cat-and-mouse game between cybersecurity defenders and threat actors in the cloud space.
Cybercriminals’ weaponization of cloud services and infrastructure is not limited to phishing and malware distribution. Other malicious activities, such as illicit cryptocurrency mining exploiting weak configurations and ransomware attacks, have also seen a surge in cloud environments.
One of this shift’s most significant challenges is the increased difficulty in detecting malicious activities. By leveraging legitimate cloud services, threat actors can more easily blend their operations into regular network traffic, making it harder for security teams to distinguish between legitimate and malicious activities.
Whatever the case, at the current pace of cloud adoption, and whether or not this vector can be brought under control, cloud providers and their customers clearly need to remain on guard. Regular security audits, strong authentication, and modern threat detection systems are rapidly becoming prerequisites for any secure cloud environment. The attacks of tomorrow will never be the same as the attacks of yesterday, and neither should our tools against them.