- Threat actors were observed abusing AWS misconfigurations (exposed long-term access keys) to gain access to victims' AWS environments
- They used that access to set up new SES and WorkMail resources
- Phishing emails sent from that infrastructure bypass email security controls while keeping the attackers hidden
Amazon Web Services (AWS) environments are being abused to run phishing campaigns whose emails bypass email filters and land directly in people's inboxes, researchers have confirmed.
Researchers at Palo Alto Networks' Unit 42 observed a group tracked as TGR-FECH-0011 carrying out this type of attack.
The group, which Unit 42 says overlaps significantly with a separate group known as Javaghost, has been active since 2019. It initially focused on defacing websites and only pivoted to phishing in 2022, when it began seeking financial gain.
Javaghost
The attacks begin with the group obtaining victims' AWS access keys. These give it access to Amazon Simple Email Service (SES) and Amazon WorkMail.
“Javaghost obtained exposed long-term access keys associated with Identity and Access Management (IAM) users, which allowed them to gain initial access to an AWS environment through the command line interface (CLI),” the researchers said. “Between 2022 and 2024, the group evolved its tactics to more advanced defense evasion techniques, attempting to obfuscate identities in CloudTrail logs. This tactic has historically been exploited by Scattered Spider.”
After confirming access, the attackers would create a temporary account and sign in to the AWS console. They would then use SES and WorkMail to set up their phishing infrastructure, and configure SMTP credentials to send the phishing emails.
“Throughout the attack period, Javaghost creates several IAM users, some of which they use during their attacks and others that they never use,” the researchers explained. “The unused IAM users appear to serve as long-term persistence mechanisms.”
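A detection pass over the chain described above, added here as an example that is not from the article or from Unit 42. It runs over constructed CloudTrail-style records (the field names are CloudTrail's; every principal, key ID, address and IP is invented) and flags the three things the text names: a long-term IAM access key (AKIA prefix) driven from the AWS CLI, an IAM CreateUser plus CreateAccessKey followed by SES or WorkMail setup within the same hour (SES SMTP credentials are derived from an IAM user's access key, so that pair is how they get minted), and IAM users that are created but never act afterwards. The one-hour window, the event names used as the SES/WorkMail setup markers and the sample records are all assumptions of this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample CloudTrail records (not real logs) -------------------
# Field names follow the CloudTrail record format; every principal, key ID,
# address and IP below is invented for this example.
DEPLOY_BOT = {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0000001"}
SMTP_USER = {"type": "IAMUser", "userName": "ses-smtp-user", "accessKeyId": "AKIAEXAMPLE0000002"}
OPS_ROLE = {"type": "AssumedRole", "principalId": "AROAEXAMPLE:ops-session",
            "arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/ops-session",
            "accessKeyId": "ASIAEXAMPLE0000003"}
CLI_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0"


def _ev(time, source, name, identity, agent, ip, params=None):
    return {"eventTime": time, "eventSource": source, "eventName": name, "userIdentity": identity,
            "userAgent": agent, "sourceIPAddress": ip, "requestParameters": params or {}}


SAMPLE_CLOUDTRAIL = [
    # Stolen long-term key driven from the CLI, then the phishing-infrastructure build-out.
    _ev("2024-03-01T10:00:12Z", "iam.amazonaws.com", "GetUser", DEPLOY_BOT, CLI_UA, "198.51.100.7"),
    _ev("2024-03-01T10:03:40Z", "iam.amazonaws.com", "CreateUser", DEPLOY_BOT, CLI_UA, "198.51.100.7",
        {"userName": "ses-smtp-user"}),
    _ev("2024-03-01T10:04:02Z", "iam.amazonaws.com", "CreateAccessKey", DEPLOY_BOT, CLI_UA, "198.51.100.7",
        {"userName": "ses-smtp-user"}),
    _ev("2024-03-01T10:09:15Z", "ses.amazonaws.com", "VerifyEmailIdentity", DEPLOY_BOT, CLI_UA, "198.51.100.7",
        {"emailAddress": "invoices@example.com"}),
    _ev("2024-03-01T10:21:30Z", "workmail.amazonaws.com", "CreateOrganization", DEPLOY_BOT, CLI_UA,
        "198.51.100.7", {"alias": "example-corp-mail"}),
    _ev("2024-03-01T10:25:01Z", "iam.amazonaws.com", "CreateUser", DEPLOY_BOT, CLI_UA, "198.51.100.7",
        {"userName": "backup-admin"}),
    # Next day: the SMTP user is exercised; backup-admin never appears as an actor.
    _ev("2024-03-02T08:12:00Z", "ses.amazonaws.com", "GetSendQuota", SMTP_USER, "aws-sdk-java/1.12.0",
        "203.0.113.9"),
    # Benign: a role session with temporary (ASIA) credentials; not flagged by the key check.
    _ev("2024-03-02T09:00:00Z", "ec2.amazonaws.com", "DescribeInstances", OPS_ROLE, CLI_UA, "192.0.2.44"),
]

# Event sources that indicate mail infrastructure being set up (assumed markers).
MAIL_INFRA_SOURCES = {"ses.amazonaws.com", "workmail.amazonaws.com"}


def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("principalId", "unknown")


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def long_term_keys_used_from_cli(events):
    """IAM-user long-term keys (AKIA prefix) driving the AWS CLI: the initial-access
    pattern in the article. Temporary credentials carry an ASIA prefix and are skipped.
    Low fidelity on its own (admins do this too); use it to triage the chain below."""
    hits = set()
    for ev in events:
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        if ident.get("type") == "IAMUser" and key.startswith("AKIA") \
                and ev.get("userAgent", "").startswith("aws-cli/"):
            hits.add((ident["userName"], key, ev.get("sourceIPAddress", "")))
    return sorted(hits)


def phishing_setup_chains(events, window=timedelta(hours=1)):
    """Per actor: CreateUser and CreateAccessKey (how SES SMTP credentials are minted)
    followed by SES/WorkMail setup, all inside `window` of the CreateUser.
    Returns {actor: [eventName, ...]} for each actor completing the chain."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_actor[_actor(ev)].append(ev)
    chains = {}
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):
            if start["eventName"] != "CreateUser":
                continue
            deadline = _ts(start) + window
            window_evs = [e for e in evs[i:] if _ts(e) <= deadline]
            has_key = any(e["eventName"] == "CreateAccessKey" for e in window_evs)
            has_mail = any(e["eventSource"] in MAIL_INFRA_SOURCES for e in window_evs)
            if has_key and has_mail:
                chains[actor] = [e["eventName"] for e in window_evs]
                break
    return chains


def dormant_created_users(events):
    """IAM users created in the log window that never act afterwards: the 'never used'
    users the researchers describe as long-term persistence."""
    created, active = set(), set()
    for ev in events:
        if ev["eventSource"] == "iam.amazonaws.com" and ev["eventName"] == "CreateUser":
            created.add((ev.get("requestParameters") or {}).get("userName"))
        active.add(_actor(ev))
    return sorted(u for u in created - active if u)


if __name__ == "__main__":
    print(json.dumps({
        "long_term_keys_from_cli": long_term_keys_used_from_cli(SAMPLE_CLOUDTRAIL),
        "phishing_setup_chains": phishing_setup_chains(SAMPLE_CLOUDTRAIL),
        "dormant_created_users": dormant_created_users(SAMPLE_CLOUDTRAIL),
    }, indent=2))
```

Against a real account, feed this the decoded records from a CloudTrail S3 export or an Athena query rather than the constructed list, and extend the window with the account's normal provisioning cadence; the dormant-user check in particular needs weeks of history, since a user created as persistence will not be touched again until the operators need it.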
Because the emails originate from a known, legitimate sender (the compromised organization's own AWS mail infrastructure), they bypass email protections and reach their targets' inboxes. They also appear more credible, since the two parties have most likely corresponded before.