July 22, 2024 at 08:55AM
FLUXROOT, a financially motivated threat actor, abused Google Cloud serverless projects to conduct phishing attacks, targeting Latin America. This highlights the trend of threat actors exploiting cloud computing for malicious purposes. Google has taken measures to mitigate such activities, emphasizing the challenges in detecting and countering threats facilitated by cloud services.
The main points of the report are:
1. FLUXROOT, a Latin America-based malicious actor, is using Google Cloud serverless projects for credential phishing activity.
2. Google’s biannual Threat Horizons Report notes that serverless computing services across all cloud providers are attractive to threat actors for delivering malware, hosting phishing pages and directing users to them, and running malicious scripts.
3. The campaign involved the use of Google Cloud container URLs to host phishing pages aimed at harvesting login information associated with Mercado Pago, an online payments platform in the LATAM region.
4. FLUXROOT is known for distributing the Grandoreiro banking trojan and also takes advantage of cloud services like Microsoft Azure and Dropbox to distribute malware.
5. Another threat actor named PINEAPPLE used compromised Google Cloud instances and projects they created themselves to create container URLs on legitimate Google Cloud serverless domains to drop the Astaroth (aka Guildma) stealer malware.
6. Both threat actors attempted to bypass email gateway protections.
7. Google took steps to mitigate the activities by removing the malicious Google Cloud projects and updating its Safe Browsing lists.
8. The weaponization of cloud services and infrastructure by threat actors, from illicit cryptocurrency mining to ransomware, has been on the rise due to increased cloud adoption across industries.