
Mar 03, 2025 | Ravie Lakshmanan | Cloud Security / Email Security

Threat actors are breaking into Amazon Web Services (AWS) environments and using the victims' own accounts to run phishing campaigns, according to findings from Palo Alto Networks Unit 42.

Unit 42 tracks the activity cluster as TGR-UNK-0011, which overlaps with the JavaGhost group and has been active since 2019. The group initially focused on defacing websites but shifted in 2022 to sending phishing emails for financial gain, security researcher Margaret Kelley said.

The attackers take advantage of misconfigurations in victims' AWS environments that expose IAM access keys, then use those keys to send phishing messages through Amazon Simple Email Service (SES) and Amazon WorkMail. Sending from a victim's account spares them from hosting or paying for their own infrastructure, and because the mail originates from a legitimate AWS account rather than attacker-owned infrastructure, it is harder for email protections to flag.

With the stolen keys in hand, the threat actors generate temporary credentials and a console login URL for the organization's AWS account. This obscures which identity is acting and gives them visibility into the resources within the account.

They then use SES and WorkMail to build out phishing infrastructure: creating new users and setting up SMTP credentials that let them send the malicious emails.

Between 2022 and 2024, the group refined its tradecraft with more advanced defense evasion techniques that make its actions harder to attribute in CloudTrail logs. The same tactic has been used by other threat actors, such as Scattered Spider.

The temporary-credential step is the core of this evasion: rather than driving the account directly with the stolen long-term key, the attackers mint short-lived credentials and a console login URL and work through that session, so the activity is recorded under a federated session rather than as plain use of the compromised key, and is less likely to be noticed.

The attackers also create multiple IAM users, some used during the operation and others kept as long-term persistence. Notably, they create a new IAM role with a cross-account trust policy, allowing them to assume it, and so re-enter the organization's AWS account, from a separate AWS account under their control.

The threat actors also leave a "calling card": a new Amazon Elastic Compute Cloud (EC2) security group named Java_Ghost that contains no rules and is not attached to any resource.
