CyberSecurity news

Aman Mishra@gbhackers.com - 5d
A cyber threat group known as JavaGhost has been exploiting misconfigured Amazon Web Services (AWS) Identity and Access Management (IAM) permissions to conduct sophisticated phishing campaigns. Palo Alto Networks Unit 42 tracks this group as TGR-UNK-0011, which overlaps with JavaGhost. Since 2022, JavaGhost has pivoted from website defacement to cloud-based phishing attacks, targeting unsuspecting victims for financial gain.

The group exploits leaked long-term AWS access keys to gain initial access, then misuses AWS services like Simple Email Service (SES) and WorkMail to send phishing emails, bypassing typical email protections. They create new SMTP credentials and IAM users, some for active attacks and others for long-term persistence, even leaving the same calling card in the middle of their activities.

JavaGhost's tactics include generating temporary credentials and using advanced evasion techniques to obfuscate their identities in CloudTrail logs, a tactic historically used by Scattered Spider. The attackers create IAM roles with trust policies that allow access from attacker-controlled AWS accounts, and attempt to enable all AWS regions, potentially to evade security controls. These activities leave detectable events in CloudTrail logs, giving vigilant organizations opportunities for threat detection and response.
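
Because these actions are recorded in CloudTrail, a triage pass over exported records can surface them. The following is an added example, not code from the article or from Unit 42: the event names are standard CloudTrail names chosen here as an assumption about which events matter, and the account IDs and sample records are constructed.

```python
import json
import re

# Standard CloudTrail (eventSource, eventName) pairs for the behaviours described above.
WATCHED = {
    ("iam.amazonaws.com", "CreateUser"): "new IAM user",
    ("iam.amazonaws.com", "CreateAccessKey"): "new long-term access key",
    ("sts.amazonaws.com", "GetFederationToken"): "temporary credentials generated",
    ("account.amazonaws.com", "EnableRegion"): "opt-in region enabled",
}

def external_principals(trust_policy, own_account):
    """Return AWS principals in a role trust policy that are outside own_account."""
    policy = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = []
    for st in statements:
        principal = st.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            acct = re.search(r"\d{12}", p)
            if st.get("Effect") == "Allow" and (p == "*" or (acct and acct.group() != own_account)):
                found.append(p)
    return found

def triage(records, own_account):
    """Return (eventName, reason) findings for a list of CloudTrail records."""
    findings = []
    for r in records:
        key = (r.get("eventSource"), r.get("eventName"))
        if key in WATCHED:
            findings.append((key[1], WATCHED[key]))
        elif key == ("iam.amazonaws.com", "CreateRole"):
            doc = (r.get("requestParameters") or {}).get("assumeRolePolicyDocument", "{}")
            for p in external_principals(doc, own_account):
                findings.append(("CreateRole", f"trust policy admits {p}"))
    return findings

# Constructed sample records (not from the article), trimmed to the fields used.
_T = '{"Statement":[{"Effect":"Allow","Principal":%s,"Action":"sts:AssumeRole"}]}'
SAMPLE = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "requestParameters": {"assumeRolePolicyDocument": _T % '{"AWS":"arn:aws:iam::999999999999:root"}'}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "requestParameters": {"assumeRolePolicyDocument": _T % '{"Service":"ec2.amazonaws.com"}'}},
    {"eventSource": "account.amazonaws.com", "eventName": "EnableRegion"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"},
]
```

Calling `triage(SAMPLE, "111111111111")` flags the cross-account role, the region opt-in and the new access key, while the role trusted only by an AWS service passes. In practice the watched events are common in legitimate administration, so findings are best correlated by calling identity and time window.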


References:
  • The Hacker News: Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail
  • gbhackers.com: JavaGhost: Exploiting Amazon IAM Permissions for Phishing Attacks
  • Talkback Resources: JavaGhost: Exploiting Amazon IAM Permissions for Phishing Attacks
  • Talkback Resources: Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail [cloud]
  • Cyber Security News: JavaGhost Exploits Amazon IAM Permissions for Phishing Attacks
Classification:
  • HashTags: #AWS #Phishing #CloudSecurity
  • Company: Palo Alto Networks
  • Target: AWS Users
  • Attacker: JavaGhost
  • Product: AWS
  • Feature: IAM permissions
  • Type: Phishing
  • Severity: Medium