CyberSecurity news

FlagThis - #Amazon

Aman Mishra@gbhackers.com // 35d

JavaGhost Exploits AWS Permissions for Phishing Campaigns - JavaGhost exploits misconfigured Amazon Web Services (AWS) environments for phishing campaigns, using victims' SES and WorkMail to bypass email protections and evade detection.
A cyber threat group known as JavaGhost has been exploiting misconfigured Amazon Web Services (AWS) Identity and Access Management (IAM) permissions to conduct sophisticated phishing campaigns. Palo Alto Networks Unit 42 is tracking this group, known as TGR-UNK-0011, which overlaps with JavaGhost. Since 2022, JavaGhost pivoted from website defacement to cloud-based phishing attacks, targeting unsuspecting targets for financial gain.

The group exploits leaked long-term AWS access keys to gain initial access, then misuses AWS services like Simple Email Service (SES) and WorkMail to send phishing emails, bypassing typical email protections. They create new SMTP credentials and IAM users, some for active attacks and others for long-term persistence, even leaving the same calling card in the middle of their activities.

JavaGhost's tactics include generating temporary credentials and utilizing advanced evasion techniques to obfuscate their identities in CloudTrail logs, a tactic historically used by Scattered Spider. The attackers create IAM roles with trust policies, allowing access from attacker-controlled AWS accounts, and attempt to enable all AWS regions to potentially evade security controls. These activities leave detectable events in CloudTrail logs, providing opportunities for threat detection and response for vigilant organizations.

Recommended read:
References :
  • The Hacker News: Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail
  • gbhackers.com: JavaGhost: Exploiting Amazon IAM Permissions for Phishing Attacks
  • Talkback Resources: JavaGhost: Exploiting Amazon IAM Permissions for Phishing Attacks
  • Talkback Resources: Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail [cloud]
  • Cyber Security News: JavaGhost Exploits Amazon IAM Permissions for Phishing Attacks
@csoonline.com // 51d

whoAMI Attack Exploits AWS AMI Name Confusion - A new "whoAMI" attack exploits name confusion in Amazon Machine Images (AMIs) to achieve remote code execution within Amazon Web Services (AWS) accounts, allowing attackers to publish a malicious AMI with a matching name and gain access.
Cybersecurity researchers have uncovered a new "whoAMI" attack that exploits name confusion in Amazon Machine Images (AMIs) to achieve remote code execution within Amazon Web Services (AWS) accounts. The attack allows anyone publishing an AMI with a specific, crafted name to potentially gain access and execute malicious code. The vulnerability stems from misconfigured software that can be tricked into using a malicious AMI instead of a legitimate one when creating Elastic Compute Cloud (EC2) instances.

Researchers found that the attack vector requires specific conditions to be met when retrieving AMI IDs through the API, including the use of the name filter and a failure to specify the owner. An attacker can create a malicious AMI with a matching name, leading to the creation of an EC2 instance using the attacker's doppelgänger AMI. Amazon addressed the issue following a responsible disclosure in September 2024, introducing new security controls and HashiCorp Terraform implemented warnings to prevent misuse of the API.

Recommended read:
References :
  • Talkback Resources: Cybersecurity researchers disclosed the whoAMI attack, enabling attackers to execute code within AWS accounts by tricking misconfigured software into using a malicious AMI with a specific name, prompting AWS to introduce new security controls and HashiCorp Terraform to implement warnings.
  • The Hacker News: New “whoAMIâ€� Attack Exploits AWS AMI Name Confusion for Remote Code Execution
  • www.bleepingcomputer.com: Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.
  • www.csoonline.com: whoAMI name confusion attacks can expose AWS accounts to malicious code execution
  • BleepingComputer: Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.
  • aws.amazon.com: AWS blog post on the fix.
  • securitylabs.datadoghq.com: Datadog Security Labs report detailing the whoAMI attack.
  • securityaffairs.com: whoAMI attack could allow remote code execution within AWS account
  • Security Affairs: whoAMI attack could allow remote code execution within AWS account
@therecord.media // 60d

Threat to Software Supply Chain via Abandoned AWS S3 Buckets - Abandoned AWS S3 buckets pose security risks due to potential re-registration, allowing malicious actors to inject code into software update mechanisms.
Researchers at WatchTowr Labs have uncovered a significant security vulnerability related to abandoned Amazon Web Services (AWS) S3 buckets. These buckets, previously used by various software projects, governments, Fortune 500 companies, and even cybersecurity firms, are now posing a serious threat to the global software supply chain. The study revealed that approximately 150 S3 buckets, after being abandoned, could be re-registered with the same AWS account name. This would allow malicious actors to inject malicious code into software update mechanisms or deployment code, potentially compromising systems and sensitive networks.

WatchTowr researchers, through their analysis, demonstrated the potential for attackers to exploit these abandoned S3 buckets. They found that these buckets were still receiving millions of HTTP requests, including requests for software updates, making them prime targets for supply chain attacks. CEO Benjamin Harris emphasized the inherent issue with the world's approach to infrastructure abandonment and how easy it is to insert malicious code. To mitigate this, AWS has blocked the specific buckets identified by WatchTowr from being re-created and noted having unveiled a bucket ownership condition functionality curbing inadvertent bucket name reuse.

Recommended read:
References :
  • labs.watchtowr.com: Researchers at WatchTowr Labs have uncovered a critical security vulnerability in abandoned Amazon Web Services (AWS) S3 buckets that could enable attackers to hijack the global software supply chain.
  • therecord.media: Researchers warned of malicious actors taking over abandoned AWS S3 buckets.
  • www.scworld.com: Extensive software supply chain compromise possible with deserted AWS S3 buckets.
@www.bleepingcomputer.com // 84d

Ransomware Abuses AWS Encryption Features - A new ransomware campaign, dubbed 'Codefinger', exploits Amazon Web Services' Server-Side Encryption to encrypt S3 buckets, demanding ransoms for decryption keys.
A new ransomware campaign is exploiting Amazon Web Services (AWS) Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt S3 buckets. The attackers, known as "Codefinger," utilize encryption keys unknown to the victims. The hackers demand ransoms in exchange for the decryption keys, effectively holding the data hostage. This attack leverages a legitimate AWS feature, making data recovery incredibly difficult without the attacker's keys. The Codefinger crew was first spotted in December, and at least two AWS native software developers were recently targeted.

The attackers gain access to victims’ cloud storage by using compromised AWS keys with read and write permissions and encrypt files by calling the "x-amz-server-side-encryption-customer-algorithm" header and using a locally stored AES-256 encryption key they generate. AWS processes the key during encryption but does not store it, meaning the victim cannot decrypt their data without the attacker-generated key. Furthermore, the encrypted files are marked for deletion within seven days using the S3 Object Lifecycle Management API, adding pressure on the victims. This tactic represents a significant risk, as it’s the first known instance of ransomware using AWS's native secure encryption infrastructure via SSE-C to lock up victims data.

Recommended read:
References :
  • bsky.app: A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
  • BleepingComputer: A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
  • www.bleepingcomputer.com: A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
  • The Register - Security: Ransomware crew abuses AWS native encryption, sets data-destruct timer for 7 days
  • AAKL: Seems like cybercriminals are getting bolder. Halcyon: Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C More: New ransomware gang dubbed Codefinger abuses AWS native encryption, sets data-destruct timer for 7 days
  • www.halcyon.ai: Ransomware Encrypting S3 Buckets with SSE-C
  • www.theregister.com: ransomware_crew_abuses_compromised_aws
  • osint10x.com: New Codefinger Ransomware Exploits AWS to Encrypt S3 Buckets
  • securityaffairs.com: Codefinger ransomware gang uses compromised AWS keys to encrypt S3 bucket

Posts

Blogs

Research Tools