- Threat actors seen abusing AWS misconfigurations to gain access to the instances
- They would use the instances to create new SES and WorkMail services
- The emails would bypass email security, while keeping the attackers hidden
Misconfigured Amazon Web Services (AWS) environments are being abused to run phishing campaigns that can bypass email filters and land right into people’s inboxes, experts have claimed.
Cybersecurity researchers from Palo Alto Networks’ Unit 42 recently spotted a group tracked as TGR-UNK-0011 engaging in this type of attack.
The group, which Unit 42 says significantly overlaps with a separate group called JavaGhost, has been active since 2019. However, the group was initially focused on defacing websites, and only pivoted to phishing in 2022, when they started seeking out financial gain.
JavaGhost
The attacks start with the group obtaining people’s AWS access keys. This gives them access to Amazon Simple Email Service (SES) and WorkMail services.
“JavaGhost obtained exposed long-term access keys associated with identity and access management (IAM) users that allowed them to gain initial access to an AWS environment via the command-line interface (CLI),” the researchers said. “Between 2022-24, the group evolved their tactics to more advanced defense evasion techniques that attempt to obfuscate identities in the CloudTrail logs. This tactic has historically been exploited by Scattered Spider.”
After confirming the access, the attackers would create a temporary account and access the console. Then, they would use SES and WorkMail to set up their phishing infrastructure, and would set up SMTP credentials to send the phishing emails.
“Throughout the time frame of the attacks, JavaGhost creates various IAM users, some they use during their attacks and others that they never use,” the researchers explained. “The unused IAM users seem to serve as long-term persistence mechanisms.”
Since the emails would be coming from a known, and legitimate entity, they would bypass email protections and reach their target’s inboxes. They would also sound more credible, since the two parties most likely communicated in the past, as well.
Leave a comment