According to findings from Palo Alto Networks Unit 42, threat actors are using Amazon Web Services (AWS) environments to push phishing campaigns out to unsuspecting targets.
The cybersecurity firm says it is tracking the activity cluster under the name TGR-UNK-0011, which denotes a threat group of unknown motivation, and that it overlaps with a group known as JavaGhost. TGR-UNK-0011 is known to have been active since 2019.
Security researcher Margaret Kelley said, "The group focused generally on defacing websites." In 2022, they "pivoted to sending out phishing emails for fiscal gain."
It is important to point out that these attacks do not exploit any vulnerability in AWS itself. Instead, the threat actors exploit vulnerabilities in victims' environments to send phishing messages through Amazon Simple Email Service (SES) and WorkMail.
This modus operandi is attractive to the attackers because it eliminates the need for them to host or pay for their own infrastructure to carry out the malicious activity.
Additionally, it allows the threat actor's phishing messages to bypass email protections, because the emails originate from a known entity from which the target organization has previously received mail.
According to Kelley, "JavaGhost obtained exposed long-term access keys associated with identity and access management (IAM) users that made it possible for them to gain initial access to an AWS environment via the command-line interface (CLI)."
Between 2022 and 2024, the group "added more sophisticated security evasion techniques" that attempt to obscure identities; Scattered Spider has previously used this strategy.
Once AWS access is confirmed, the attackers are known to generate a console password and login URL to enable console access. Unit 42 notes that this allows them to obscure their identities and gain access to the resources within the AWS account.
Subsequently, the group has been observed using SES and WorkMail to create new SES and WorkMail users and to generate new SMTP credentials for sending emails.
"JavaGhost creates numerous IAM users throughout the course of the attacks, some of which they use during their attacks and others that they never use," Kelley said. The IAM users that are not used appear to serve as long-term persistence mechanisms.
Another notable feature of the threat actor's playbook is the creation of a new IAM role with a trust policy attached, which allows them to access the organization's AWS account from another AWS account under their control.
The group continues to leave the same calling cards in the midst of their attacks by creating new Java_Ghost security groups under the name "We Are There But Not Noticeable," Unit 42 said.
These security groups do not contain any security rules, and the group typically makes no attempt to attach them to any resources. The security groups created are recorded in the CloudTrail logs as CreateSecurityGroup events.
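The CloudTrail traces described above (console password set on an IAM user, a new role whose trust policy names a foreign account, bulk IAM user creation, and the Java_Ghost / "We Are There But Not Noticeable" security groups) can be turned into simple detection rules. The following is an added example written for this article, not code from Unit 42 or AWS. It runs over a handful of constructed, CloudTrail-shaped records; the record field names (eventName, userIdentity.arn, requestParameters and its per-API keys) follow CloudTrail's documented format, while the account ids, user names, role name and the OWN_ACCOUNT_IDS allow-list are hypothetical placeholders.

```python
"""Detection sketch for the JavaGhost activity described above.

Added example, not Unit 42's code. Flags four CloudTrail patterns from the
article: CreateSecurityGroup calling cards, CreateRole with a trust policy
naming a foreign account, CreateLoginProfile (console password set on an IAM
user), and bulk IAM user creation by one identity. Records below are
constructed for illustration; OWN_ACCOUNT_IDS is a hypothetical placeholder.
"""
import json
from collections import defaultdict
from urllib.parse import quote, unquote

# Calling-card strings reported by Unit 42 (lower-cased for matching).
SUSPICIOUS_SG_MARKERS = ("java_ghost", "we are there but not noticeable")
# Hypothetical: account ids that legitimately belong to the organization.
OWN_ACCOUNT_IDS = {"111111111111"}


def account_of(principal):
    """Return the 12-digit account id from an ARN, a bare account id, or '*'."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal


def trusted_principals(policy):
    """Collect every AWS principal a trust (assume-role) policy allows."""
    found = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*":                      # anyone may assume the role
            found.add("*")
            continue
        aws = principal.get("AWS", [])
        found.update([aws] if isinstance(aws, str) else aws)
    return found


def analyze(records, bulk_threshold=3):
    """Return (rule, detail) findings for an iterable of CloudTrail records."""
    findings = []
    users_by_actor = defaultdict(list)
    for rec in records:
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        if name == "CreateSecurityGroup":
            text = f"{params.get('groupName', '')} {params.get('groupDescription', '')}".lower()
            if any(marker in text for marker in SUSPICIOUS_SG_MARKERS):
                findings.append(("javaghost-sg-name", params.get("groupName")))
        elif name == "CreateRole":
            # CloudTrail stores the trust policy as a URL-encoded JSON string;
            # unquote() is harmless if a record already holds plain JSON.
            policy = json.loads(unquote(params.get("assumeRolePolicyDocument", "{}")))
            for p in trusted_principals(policy):
                if account_of(p) not in OWN_ACCOUNT_IDS:
                    findings.append(("cross-account-trust", f"{params.get('roleName')} trusts {p}"))
        elif name == "CreateLoginProfile":
            findings.append(("console-password-set", params.get("userName")))
        elif name == "CreateUser":
            users_by_actor[actor].append(params.get("userName"))
    for actor, users in users_by_actor.items():
        if len(users) >= bulk_threshold:
            findings.append(("bulk-iam-user-creation", f"{actor} created {len(users)} users"))
    return findings


def _event(name, actor, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventName": name, "userIdentity": {"arn": actor}, "requestParameters": params}


_ACTOR = "arn:aws:iam::111111111111:user/compromised-ops"   # hypothetical
_FOREIGN_TRUST = quote(json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}],
}))

# Constructed sample trail: three users, a console password, a foreign-trust
# role, one calling-card security group and one benign security group.
SAMPLE_RECORDS = [
    _event("CreateUser", _ACTOR, userName="svc-mail-1"),
    _event("CreateUser", _ACTOR, userName="svc-mail-2"),
    _event("CreateUser", _ACTOR, userName="svc-mail-3"),
    _event("CreateLoginProfile", _ACTOR, userName="svc-mail-1", passwordResetRequired=False),
    _event("CreateRole", _ACTOR, roleName="backup-sync", assumeRolePolicyDocument=_FOREIGN_TRUST),
    _event("CreateSecurityGroup", _ACTOR, groupName="Java_Ghost",
           groupDescription="We Are There But Not Noticeable", vpcId="vpc-0placeholder"),
    _event("CreateSecurityGroup", _ACTOR, groupName="web-tier",
           groupDescription="allow 443 from load balancer", vpcId="vpc-0placeholder"),
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_RECORDS):
        print(f"{rule:24s} {detail}")
```

The cross-account-trust rule is the one most worth tuning: any role whose trust policy names an account outside the organization's own set (or "*") is flagged, which catches the attacker-controlled account described above but will also surface legitimate vendor integrations, so the allow-list should be populated from the organization's real account inventory rather than hard-coded.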