
According to research from Palo Alto Networks Unit 42, threat actors targeting Amazon Web Services (AWS) environments are pushing phishing campaigns to unsuspecting targets.
The cybersecurity company tracks the activity cluster under the name TGR-UNK-0011 (short for a threat group with unknown motivation), which it says overlaps with the group known as JavaGhost. TGR-UNK-0011 has been active since 2019.
“The group has historically focused on website defacements,” said security researcher Margaret Kelly. “In 2022, they pivoted to sending phishing emails for financial gain.”

It is worth noting that these attacks do not exploit any vulnerability in AWS itself. Rather, the threat actors take advantage of misconfigurations in victim environments that expose AWS access keys, and use those keys to send phishing messages by abusing Amazon Simple Email Service (SES) and WorkMail.
This modus operandi has the advantage that the attackers do not have to host or pay for their own infrastructure to carry out the malicious activity.
Additionally, the phishing messages originate from a known entity that the target organizations have received email from before, which allows the threat actor's messages to bypass email protections.
“JavaGhost obtained exposed long-term access keys associated with identity and access management (IAM) users, which allowed them to gain initial access to the AWS environment via the command line interface (CLI),” Kelly explained.

“From 2022 to 2024, the group evolved their tactics to more advanced defense evasion techniques that attempt to obfuscate their identity in CloudTrail logs, a technique historically exploited by Scattered Spider.”
Once access to an organization's AWS account is confirmed, the attackers are known to generate temporary credentials and a login URL that grants console access. Unit 42 states that this gives them the ability to obfuscate their identity and view the resources within the AWS account.
The group was then observed using SES and WorkMail to set up phishing infrastructure: creating new SES and WorkMail users, setting up new SMTP credentials and sending email messages.

“Throughout the time frame of the attack, JavaGhost creates a variety of IAM users, some of which are not used during the attack,” Kelly said. “The unused IAM users appear to serve as a long-term persistence mechanism.”
Another notable aspect of the threat actor's modus operandi is the creation of a new IAM role with a trust policy attached, which allows them to access the organization's AWS account from another AWS account under their control.
“The group continues to leave the same calling card in the middle of the attack by creating a new Amazon Elastic Compute Cloud (EC2) security group named java_ghost.
“These security groups do not contain any security rules, and the group typically does not attempt to attach them to any resources. The creation of the security groups appears in the CloudTrail logs as a CreateSecurityGroup event.”
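The two CloudTrail artifacts described above (the java_ghost security group and a new role trusting a foreign account) can be checked for in logs. The following is an added example written for this article, not code from Unit 42; the CloudTrail records, account ids and role names are constructed, and it assumes the trust policy arrives as a JSON string (CloudTrail often URL-encodes it, which the code also handles).

```python
import json
from urllib.parse import unquote

OWN_ACCOUNT = "111111111111"  # placeholder for the monitored account id

# Constructed sample CloudTrail records, trimmed to the fields the checks read.
SAMPLE_EVENTS = [
    json.dumps({"eventName": "CreateSecurityGroup",
                "requestParameters": {"groupName": "java_ghost"}}),
    json.dumps({"eventName": "CreateRole",
                "requestParameters": {"roleName": "support-role",
                    "assumeRolePolicyDocument": json.dumps({"Statement": [
                        {"Effect": "Allow", "Action": "sts:AssumeRole",
                         "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]})}}),
    json.dumps({"eventName": "CreateRole",  # benign: trusts an AWS service
                "requestParameters": {"roleName": "app-role",
                    "assumeRolePolicyDocument": json.dumps({"Statement": [
                        {"Effect": "Allow", "Action": "sts:AssumeRole",
                         "Principal": {"Service": "ec2.amazonaws.com"}}]})}}),
    json.dumps({"eventName": "CreateSecurityGroup",
                "requestParameters": {"groupName": "web-sg"}}),
]


def external_trust_accounts(policy_doc, own_account):
    """Return account ids (or '*') that an Allow statement lets assume the role
    and that are not the monitored account."""
    policy = json.loads(unquote(policy_doc))
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    external = set()
    for s in stmts:
        principal = s.get("Principal")
        if s.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        aws = principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            # ARN form arn:aws:iam::<account>:root, bare account id, or "*"
            acct = p.split(":")[4] if p.startswith("arn:") else p
            if acct != own_account:
                external.add(acct)
    return external


def triage(events, own_account):
    """Flag the java_ghost calling card and roles trusting outside accounts."""
    findings = []
    for raw in events:
        ev = json.loads(raw)
        name, params = ev.get("eventName"), ev.get("requestParameters", {})
        if name == "CreateSecurityGroup" and params.get("groupName", "").lower() == "java_ghost":
            findings.append(("calling_card", params["groupName"]))
        elif name == "CreateRole":
            ext = external_trust_accounts(params.get("assumeRolePolicyDocument", "{}"), own_account)
            if ext:
                findings.append(("external_trust", params.get("roleName"), sorted(ext)))
    return findings
```

A role trusting another account is not malicious by itself, so the second finding is a review prompt against an allow-list of known partner accounts rather than an alert on its own.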