Hackers exploit AWS misconfigurations to launch phishing attacks via SES and WorkMail

March 3, 2025Ravi LakshmananCloud Security/Email Security

Threat actors are targeting Amazon Web Services (AWS) environments to push phishing campaigns to unsuspecting targets, according to research from Palo Alto Networks Unit 42.

The cybersecurity company tracks the activity cluster under the name TGR-UNK-0011 (short for a threat group with unknown motivation), which it says overlaps with the group known as JavaGhost. TGR-UNK-0011 is known to have been active since 2019.

“The group has historically focused on website taints,” said security researcher Margaret Kelly. “In 2022, they pivoted to send phishing emails for financial gain.”

It is worth noting that these attacks do not exploit any vulnerability in AWS. Rather, the threat actors take advantage of misconfigurations in victim environments that expose AWS access keys, and use those keys to send phishing messages by abusing the Amazon Simple Email Service (SES) and WorkMail services.

This modus operandi offers the attackers the advantage of not having to host or pay for their own infrastructure to carry out the malicious activity.

Additionally, the phishing messages come from a known entity from which the target organization has previously received email, allowing them to circumvent email protections.

“JavaGhost has obtained an exposed long-term access key related to identity and access management (IAM) users who can gain initial access to the AWS environment via the command line interface (CLI),” Kelly explained.

“From 2022-24, the group evolved their tactics into more advanced defence evasion techniques that attempt to confuse their identity with CloudTrail logs, which have historically been exploited by Scattered Spider.”

Once access to an organization’s AWS account is confirmed, the attackers are known to generate temporary credentials and a login URL to allow console access. This, Unit 42 noted, gives them the ability to obfuscate their identity and gain visibility into the resources within the AWS account.

The group was then observed using SES and WorkMail to establish phishing infrastructure: creating new SES and WorkMail users, setting up new SMTP credentials and sending email messages.

“Through the attack time frame, JavaGhost creates a variety of IAM users, some of which are not used during the attack,” Kelly said. “Unused IAM users seem to act as a long-term sustaining mechanism.”

Another notable aspect of the threat actor’s modus operandi is the creation of a new IAM role with a trust policy attached, which allows them to access the organization’s AWS account from another AWS account under their control.

“The group continues to leave the same calling card in the middle of the attack by creating a new Amazon Elastic Cloud Compute (EC2) security group named java_ghost.

“These security groups do not contain security rules, and groups typically do not attempt to attach these security groups to resources. Creating security groups appears in the CloudTrail log for the CreateSecurityGroup event.”
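The CloudTrail traces described above can be checked for directly. The following is an added detection example, not code from Unit 42 or the article; the sample records, user and role names and account IDs are constructed placeholders, and GetFederationToken is an assumed stand-in for the temporary-credential step, for which the article names no API call.

```python
import json
import re

def _as_list(value):  # policy JSON allows a single item where a list is also valid
    return value if isinstance(value, list) else [value]

def external_trust_accounts(policy_json, own_account):
    """Account IDs other than own_account that a role trust policy allows in."""
    found = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("AWS", [])):
            found.update(a for a in re.findall(r"\d{12}", arn) if a != own_account)
    return sorted(found)

def review_cloudtrail(records):
    """Return (eventName, detail) findings for the behaviours the article lists."""
    findings, created_users, active_users = [], [], set()
    for rec in records:
        source, name = rec.get("eventSource"), rec.get("eventName")
        params = rec.get("requestParameters") or {}
        active_users.add(rec.get("userIdentity", {}).get("userName"))
        if name == "CreateSecurityGroup" and "java_ghost" in params.get("groupName", "").lower():
            findings.append((name, params["groupName"]))
        elif source == "sts.amazonaws.com" and name == "GetFederationToken":  # assumed API
            findings.append((name, "temporary credentials requested"))
        elif source == "iam.amazonaws.com" and name == "CreateRole":
            policy = params.get("assumeRolePolicyDocument", "{}")
            for acct in external_trust_accounts(policy, rec.get("recipientAccountId")):
                findings.append((name, f"role {params.get('roleName')} trusts account {acct}"))
        elif source == "iam.amazonaws.com" and name == "CreateUser":
            created_users.append(params.get("userName"))
    # IAM users created in this window that never made a call themselves.
    findings += [("CreateUser", f"unused IAM user {u}") for u in created_users if u not in active_users]
    return findings

# Constructed sample records (not from the Unit 42 report); account IDs are placeholders.
SAMPLE = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken", "userIdentity": {"userName": "ci-deploy"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"userName": "ci-deploy"}, "requestParameters": {"userName": "svc-backup"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "recipientAccountId": "111122223333",
     "userIdentity": {"userName": "ci-deploy"}, "requestParameters": {"roleName": "support",
      "assumeRolePolicyDocument": '{"Statement":{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::999999999999:root"}}}'}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSecurityGroup",
     "userIdentity": {"userName": "ci-deploy"}, "requestParameters": {"groupName": "java_ghost"}},
]
```

Calling review_cloudtrail(SAMPLE) returns one finding per behaviour; on real data, feed it the Records array of a CloudTrail log file and treat the unused-user result as valid only for the time window loaded.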
