

Ethical Hacking News

Hacking into AWS: A Threat Actor's Paradise



Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns via Amazon Simple Email Service (SES) and WorkMail, leveraging misconfigurations in victims' AWS accounts to gain unauthorized access. According to Palo Alto Networks Unit 42, the threat group JavaGhost has been active since 2019 and is known for its sophisticated tactics.

  • Threat actors are targeting Amazon Web Services (AWS) environments with phishing campaigns.
  • The threat group, JavaGhost, has been active since 2019 and initially focused on defacing websites before pivoting to sending out phishing emails for financial gain.
  • The attackers take advantage of misconfigurations in victims' AWS accounts to expose their access keys and gain initial access to the environment.
  • The attackers use Amazon Simple Email Service (SES) and WorkMail services to send phishing messages that sidestep email protections.
  • The attackers create new IAM roles with trust policies attached to access the organization's AWS account from another controlled account.
  • The attackers leave a calling card by creating new EC2 security groups named Java_Ghost with a specific description.



    Threat actors have long been exploiting vulnerabilities in cloud services to launch sophisticated cyber attacks on unsuspecting targets. The latest development in this cat-and-mouse game involves threat actors targeting Amazon Web Services (AWS) environments to push out phishing campaigns, leveraging the misconfigurations of victims' AWS accounts to gain unauthorized access to sensitive information.

    According to findings from Palo Alto Networks Unit 42, a cybersecurity company that tracks and analyzes various threats, the activity cluster under the name TGR-UNK-0011 is responsible for pushing out these phishing campaigns. This threat group, also known as JavaGhost, has been active since 2019 and initially focused on defacing websites. However, in 2022, they pivoted to sending out phishing emails for financial gain.

    The modus operandi of the threat actors involves taking advantage of misconfigurations in victims' environments that expose their AWS access keys. This allows them to send phishing messages by abusing Amazon Simple Email Service (SES) and WorkMail services, which enables the threat actor's phishing messages to sidestep email protections since they originate from a known entity from which the target organization has previously received emails.

    "JavaGhost obtained exposed long-term access keys associated with identity and access management (IAM) users that allowed them to gain initial access to an AWS environment via the command-line interface (CLI)," explained Margaret Kelley, a security researcher at Palo Alto Networks Unit 42. "Between 2022-24, the group evolved their tactics to more advanced defense evasion techniques that attempt to obfuscate identities in the CloudTrail logs. This tactic has historically been exploited by Scattered Spider."

    Once access to the organization's AWS account is confirmed, the attackers are known to generate temporary credentials and a login URL to allow console access. This grants them the ability to obfuscate their identity and gain visibility into the resources within the AWS account.

    Subsequently, the group has been observed utilizing SES and WorkMail to establish the phishing infrastructure, creating new SES and WorkMail users, and setting up new SMTP credentials to send email messages. The threat actors also create a new IAM role with a trust policy attached, thereby permitting them to access the organization's AWS account from another AWS account under their control.

    The group typically leaves a calling card in the middle of their attack by creating new Amazon Elastic Compute Cloud (EC2) security groups named Java_Ghost, with the group description 'We Are There But Not Visible.' These security groups do not contain any security rules, and the attackers typically make no attempt to attach them to any resources. The creation of the security groups appears in the CloudTrail logs as CreateSecurityGroup events.

    "These security groups appear in the CloudTrail logs in the CreateSecurityGroup events," concluded Unit 42. "The group continues to leave the same calling card in the middle of their attack by creating new Amazon Elastic Cloud Compute (EC2) security groups named Java_Ghost, with the group description 'We Are There But Not Visible.'"
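    Both the Java_Ghost calling card and the cross-account trust policy described above surface as CloudTrail events, so a defender can triage exported records for them. The Python below is an added example, not code from the article or from Unit 42; the account ids and records are constructed placeholders, and it relies on CloudTrail recording the CreateRole trust policy as a JSON string under requestParameters.assumeRolePolicyDocument.

```python
import json, re

OWN_ACCOUNT = "111111111111"  # placeholder for the victim account id
ACCOUNT_RE = re.compile(r"\b(\d{12})\b")

def _role_event(name, principal):
    # Constructed CreateRole record; CloudTrail stores the trust policy as a JSON string.
    doc = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}]}
    return {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
            "requestParameters": {"roleName": name, "assumeRolePolicyDocument": json.dumps(doc)}}

# Constructed sample records (placeholder account ids, not real telemetry).
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSecurityGroup",
     "requestParameters": {"groupName": "Java_Ghost",
                           "groupDescription": "We Are There But Not Visible"}},
    _role_event("backup-sync", {"AWS": "arn:aws:iam::999999999999:root"}),
    _role_event("lambda-exec", {"Service": "lambda.amazonaws.com"}),
]

def is_calling_card(event):
    """Match the empty EC2 security group JavaGhost leaves as a calling card."""
    if event.get("eventName") != "CreateSecurityGroup":
        return False
    p = event.get("requestParameters", {})
    return (p.get("groupName") == "Java_Ghost"
            or "we are there but not visible" in p.get("groupDescription", "").lower())

def foreign_trust_accounts(event, own_account=OWN_ACCOUNT):
    """Account ids other than own_account (or '*') that a created/updated role trusts."""
    if event.get("eventName") not in ("CreateRole", "UpdateAssumeRolePolicy"):
        return []
    doc = event.get("requestParameters", {}).get("assumeRolePolicyDocument", "{}")
    doc = json.loads(doc) if isinstance(doc, str) else doc
    stmts = doc.get("Statement", [])
    found = set()
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        pr = s.get("Principal", {}) if s.get("Effect") == "Allow" else {}
        aws = pr if isinstance(pr, str) else pr.get("AWS", [])  # Principal may be a bare "*"
        for principal in ([aws] if isinstance(aws, str) else aws):
            found.update(["*"] if principal == "*" else
                         [a for a in ACCOUNT_RE.findall(principal) if a != own_account])
    return sorted(found)

def triage(events, own_account=OWN_ACCOUNT):
    # Run both checks over CloudTrail records; returns (reason, detail) findings.
    findings = []
    for e in events:
        if is_calling_card(e):
            findings.append(("javaghost_calling_card", e["requestParameters"].get("groupName")))
        for acct in foreign_trust_accounts(e, own_account):
            findings.append(("role_trusts_external_account",
                             f"{e['requestParameters'].get('roleName')} -> {acct}"))
    return findings
```

    A role trusting an unfamiliar account or a wildcard principal is worth an analyst's attention on its own; paired with an empty Java_Ghost security group in the same window, it matches the pattern the article describes.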

    In conclusion, the threat actors' modus operandi involves taking advantage of misconfigurations in victims' AWS environments to launch phishing campaigns via SES and WorkMail. This approach enables them to sidestep email protections and gain unauthorized access to sensitive information.






    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hacking-into-AWS-A-Threat-Actors-Paradise-ehn.shtml

  • https://thehackernews.com/2025/03/hackers-exploit-aws-misconfigurations.html

  • https://tech-wire.in/technology/cyber-security/hackers-exploit-aws-misconfigurations-to-launch-phishing-attacks-via-ses-and-workmail/

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

  • https://attack.mitre.org/groups/G1015/


  • Published: Mon Mar 3 13:02:07 2025 by llama3.2 3B Q4_K_M














