Ptechhub
Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail

By Ravie Lakshmanan, The Hacker News
March 3, 2025
Cloud Security / Email Security

Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns to unsuspecting targets, according to findings from Palo Alto Networks Unit 42.

The cybersecurity company tracks the activity cluster as TGR-UNK-0011 (a threat group of unknown motivation), which it said overlaps with a group known as JavaGhost. TGR-UNK-0011 has been active since 2019.

“The group focused historically on defacing websites,” security researcher Margaret Kelley said. “In 2022, they pivoted to sending out phishing emails for financial gain.”


It's worth noting that these attacks do not exploit any vulnerability in AWS. Rather, the threat actors take advantage of misconfigurations in victims' environments that expose long-term AWS access keys, then abuse Amazon Simple Email Service (SES) and Amazon WorkMail from inside the victim's own account to send phishing messages.

This approach means the attackers need not host, or pay for, their own mail-sending infrastructure.

It also helps the phishing messages slip past email defenses: they leave through the victim's own verified SES identities, so they carry the reputation of a sender from which the target organization has already received legitimate mail, and, where the victim has set up SPF and DKIM for SES, they pass those authentication checks as well.

“JavaGhost obtained exposed long-term access keys associated with identity and access management (IAM) users that allowed them to gain initial access to an AWS environment via the command-line interface (CLI),” Kelley explained.


“Between 2022-24, the group evolved their tactics to more advanced defense evasion techniques that attempt to obfuscate identities in the CloudTrail logs. This tactic has historically been exploited by Scattered Spider.”

Once access to the account is confirmed, the attackers are known to request temporary credentials and exchange them for a console sign-in URL (the AWS console federation flow), so that subsequent actions are logged under a temporary federated session rather than directly under the compromised IAM user. Unit 42 noted that this both obscures their identity and gives them a point-and-click view of the resources in the account. CloudTrail still records the issuing IAM user in the session's sessionContext.sessionIssuer field, which is where a defender should look when tracing such a session back to its source.

The group then uses SES and WorkMail to stand up the phishing infrastructure, creating new SES and WorkMail users and setting up new SMTP credentials to send mail. Since SES SMTP credentials are derived from an IAM user's access key, this step also leaves CreateUser and CreateAccessKey events in CloudTrail.


“Throughout the time frame of the attacks, JavaGhost creates various IAM users, some they use during their attacks and others that they never use,” Kelley said. “The unused IAM users seem to serve as long-term persistence mechanisms.”

Another notable element of the tradecraft is the creation of a new IAM role whose trust policy names a principal in an AWS account the attackers control, giving them cross-account access to the victim's account that does not depend on the originally stolen access keys.

"The group continues to leave the same calling card in the middle of their attack by creating new Amazon Elastic Cloud Compute (EC2) security groups named Java_Ghost, with the group description 'We Are There But Not Visible'," Unit 42 concluded.

"These security groups do not contain any security rules and the group typically makes no attempt to attach these security groups to any resources. The creation of the security groups appears in the CloudTrail logs in the CreateSecurityGroup events."
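The tradecraft described above (console federation from a long-term key, new IAM users and access keys for SES SMTP credentials, SES and WorkMail setup, a cross-account trust policy, and the Java_Ghost security group) is visible in CloudTrail. The following is an added example, not code from Unit 42 or The Hacker News: a small set of detection rules run over constructed CloudTrail-shaped records. The victim account ID, the attacker account ID, the user and role names and the sample events are all made up for the example; the eventSource, eventName and requestParameters field names are the ones CloudTrail uses for these AWS API operations.

```python
"""Detection rules for the JavaGhost tradecraft, over constructed CloudTrail records (added example)."""
import json
import re
from urllib.parse import quote, unquote

VICTIM_ACCOUNT = "111122223333"      # assumed victim account ID (constructed)
CALLING_CARD_NAME = "Java_Ghost"     # security-group name from the report
CALLING_CARD_DESC = re.compile(r"we are there but not visible", re.I)

# SES/WorkMail API calls that stand up sending infrastructure
# (eventName is the AWS API operation name as CloudTrail records it).
MAIL_SETUP_CALLS = {
    ("ses.amazonaws.com", "CreateEmailIdentity"),
    ("workmail.amazonaws.com", "CreateUser"),
}

def account_of(principal):
    """'arn:aws:iam::999988887777:root' -> '999988887777'; bare IDs and '*' pass through."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def trust_policy_principals(event):
    """AWS principals allowed by a CreateRole/UpdateAssumeRolePolicy trust policy.
    CloudTrail stores the policy document as a URL-encoded JSON string."""
    params = event.get("requestParameters") or {}
    raw = params.get("assumeRolePolicyDocument") or params.get("policyDocument")
    if not raw:
        return []
    statements = json.loads(unquote(raw)).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    out = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        out.extend(aws if isinstance(aws, list) else [aws])
    return out

def detect(events, victim_account=VICTIM_ACCOUNT):
    """Return (rule, eventName, detail) for every record that matches a rule."""
    findings = []
    for ev in events:
        src, name = ev.get("eventSource", ""), ev.get("eventName", "")
        who = ev.get("userIdentity") or {}
        params = ev.get("requestParameters") or {}
        # 1. The Java_Ghost security group calling card.
        if name == "CreateSecurityGroup" and (
            params.get("groupName") == CALLING_CARD_NAME
            or CALLING_CARD_DESC.search(params.get("groupDescription") or "")
        ):
            findings.append(("calling_card", name, params.get("groupName")))
        # 2. A long-term IAM user key being turned into a console session.
        if src == "sts.amazonaws.com" and name == "GetFederationToken" and who.get("type") == "IAMUser":
            findings.append(("console_federation", name, who.get("userName")))
        # 3. A trust policy that admits a principal outside the victim account.
        if src == "iam.amazonaws.com" and name in ("CreateRole", "UpdateAssumeRolePolicy"):
            foreign = [p for p in trust_policy_principals(ev) if account_of(p) != victim_account]
            if foreign:
                findings.append(("external_trust", name, ",".join(foreign)))
        # 4. New IAM users and access keys (persistence; SES SMTP creds derive from keys).
        if src == "iam.amazonaws.com" and name in ("CreateUser", "CreateAccessKey"):
            findings.append(("new_principal_or_key", name, params.get("userName")))
        # 5. SES identities and WorkMail mailboxes being created.
        if (src, name) in MAIL_SETUP_CALLS:
            findings.append(("mail_infra_setup", name, params.get("emailIdentity") or params.get("name")))
    return findings

def record(source, event_name, actor, actor_type="IAMUser", **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventSource": source, "eventName": event_name,
            "userIdentity": {"type": actor_type, "userName": actor},
            "requestParameters": params}

def _trust(principal):
    """URL-encoded trust policy, as CloudTrail carries it in requestParameters."""
    return quote(json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}]}))

# Constructed sample trail: compromised user "ci-deploy" in the victim account,
# attacker account 999988887777, plus one benign CreateRole as noise.
SAMPLE_EVENTS = [
    record("sts.amazonaws.com", "GetFederationToken", "ci-deploy", name="console"),
    record("iam.amazonaws.com", "CreateUser", "ci-deploy", userName="backup-svc"),
    record("iam.amazonaws.com", "CreateAccessKey", "ci-deploy", userName="backup-svc"),
    record("iam.amazonaws.com", "CreateRole", "ci-deploy", roleName="support-access",
           assumeRolePolicyDocument=_trust({"AWS": "arn:aws:iam::999988887777:root"})),
    record("ses.amazonaws.com", "CreateEmailIdentity", "backup-svc", emailIdentity="billing@example.com"),
    record("workmail.amazonaws.com", "CreateUser", "backup-svc", name="billing"),
    record("ec2.amazonaws.com", "CreateSecurityGroup", "backup-svc",
           groupName="Java_Ghost", groupDescription="We Are There But Not Visible"),
    record("iam.amazonaws.com", "CreateRole", "terraform", "AssumedRole", roleName="lambda-exec",
           assumeRolePolicyDocument=_trust({"Service": "lambda.amazonaws.com"})),
]

if __name__ == "__main__":
    for rule, event_name, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {event_name:22} {detail}")
```

Run against the sample trail, the rules flag all seven attacker records and ignore the benign service-principal role. Each rule is a lookup on eventSource, eventName and requestParameters, so it ports directly to an Athena query over the CloudTrail bucket or to a SIEM rule; the trust-policy rule is the one that needs the URL-decoding step. The "unused IAM users as persistence" point in the article is an inventory check rather than a CloudTrail rule: compare the users in the IAM credential report against those with any recent activity, and treat a user with a fresh key and no usage as suspect.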
