AWS misconfigurations are allowing hackers to exploit Amazon Simple Email Service (SES) and WorkMail for phishing attacks. Researchers have linked this activity to a group known as TGR-UNK-0011, which has been active since 2019. Initially, the group focused on defacing websites. However, in 2022, they shifted to phishing campaigns for financial gain.
These attacks do not rely on AWS vulnerabilities. Instead, hackers take advantage of exposed access keys in misconfigured environments. This allows them to send phishing emails from trusted domains without setting up their own infrastructure. As a result, their emails bypass security filters and appear legitimate to recipients.
According to a report, the attackers use stolen AWS Identity and Access Management (IAM) credentials to gain access via the command-line interface (CLI). Once inside, they create temporary credentials and login URLs to blend into normal AWS activity. This method helps them stay undetected while exploring the compromised AWS account.
After gaining access, the group establishes a phishing infrastructure. They create new SES and WorkMail users, then generate SMTP credentials to send phishing emails. Researchers also observed them creating IAM users they never use, possibly as a persistence mechanism.
A key tactic involves setting up a new IAM role with a trust policy. This allows the attackers to control the victim’s AWS account from another AWS account they own. Additionally, they create Amazon EC2 security groups named “Java_Ghost” with the description “We Are There But Not Visible.” These groups contain no security rules and are not attached to any resources. However, they appear in CloudTrail logs, possibly as a signature of their activity.
Preventing AWS Misconfiguration Exploits
Organizations must secure AWS environments to prevent such attacks. Regularly audit IAM policies and avoid long-term access keys. Use role-based access with short-lived credentials instead. Also, enable multi-factor authentication (MFA) and monitor logs for unusual activity. Finally, set up automated alerts for unauthorized IAM changes to detect and stop intrusions quickly.
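The following is an added example, not code from the article or from the researchers it cites. It turns the behaviors described above into a small CloudTrail triage script: it flags the “Java_Ghost” security-group marker, IAM roles whose trust policy names an AWS account other than the one the log belongs to, and IAM write calls performed with a long-term access key (key IDs starting with AKIA, as opposed to the ASIA prefix of temporary credentials). The CloudTrail records are constructed for illustration, the account IDs and key IDs are placeholders, and the set of IAM event names treated as “writes” is an assumption you would tune for your environment.

```python
import json
from urllib.parse import unquote

# Markers reported for the group's EC2 security groups.
JAVAGHOST_SG_NAME = "Java_Ghost"
JAVAGHOST_SG_DESC = "We Are There But Not Visible"

# Assumed set of IAM write events worth alerting on when made with a long-term key.
IAM_WRITE_EVENTS = {"CreateUser", "CreateRole", "CreateAccessKey",
                    "UpdateAssumeRolePolicy", "CreateLoginProfile"}


def _trust_policy(raw):
    """CloudTrail stores assumeRolePolicyDocument as a JSON string, sometimes URL-encoded."""
    if isinstance(raw, dict):
        return raw
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(unquote(raw))


def _principal_accounts(policy):
    """Yield the AWS account IDs (or '*') allowed to assume the role by this trust policy."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                       # anyone at all may assume the role
            yield "*"
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for entry in ([aws] if isinstance(aws, str) else aws):
            if entry == "*":
                yield "*"
            elif entry.startswith("arn:"):
                yield entry.split(":")[4]          # arn:aws:iam::<account>:root
            else:
                yield entry                        # bare 12-digit account ID


def analyze_event(event):
    """Return a list of finding labels for one CloudTrail record (empty if nothing suspicious)."""
    findings = []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    identity = event.get("userIdentity") or {}
    home_account = event.get("recipientAccountId")

    # 1. The security-group "signature" described in the report.
    if name == "CreateSecurityGroup" and (
            params.get("groupName") == JAVAGHOST_SG_NAME
            or params.get("groupDescription") == JAVAGHOST_SG_DESC):
        findings.append("javaghost_security_group_marker")

    # 2. A trust policy that lets a foreign account assume a role in this account.
    if name in {"CreateRole", "UpdateAssumeRolePolicy"} and "assumeRolePolicyDocument" in params:
        policy = _trust_policy(params["assumeRolePolicyDocument"])
        foreign = sorted({a for a in _principal_accounts(policy) if a != home_account})
        if foreign:
            findings.append("cross_account_trust:" + ",".join(foreign))

    # 3. IAM changes made with a long-term key, which the guidance above says to avoid.
    if name in IAM_WRITE_EVENTS and identity.get("accessKeyId", "").startswith("AKIA"):
        findings.append("iam_write_with_long_term_key")

    return findings


def scan(events):
    """Return [{'index', 'eventName', 'findings'}] for every record that raised a finding."""
    results = []
    for i, event in enumerate(events):
        findings = analyze_event(event)
        if findings:
            results.append({"index": i, "eventName": event.get("eventName"), "findings": findings})
    return results


# Constructed sample records (placeholder account and key IDs), not real log data.
VICTIM = "111111111111"
LONG_TERM_KEY = {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAEXAMPLEKEY000001"}
TEMP_KEY = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000002"}
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSecurityGroup", "recipientAccountId": VICTIM,
     "userIdentity": LONG_TERM_KEY,
     "requestParameters": {"groupName": JAVAGHOST_SG_NAME, "groupDescription": JAVAGHOST_SG_DESC,
                           "vpcId": "vpc-0example"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "recipientAccountId": VICTIM,
     "userIdentity": LONG_TERM_KEY,
     "requestParameters": {"roleName": "maintenance", "assumeRolePolicyDocument": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                        "Action": "sts:AssumeRole"}]})}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "recipientAccountId": VICTIM,
     "userIdentity": TEMP_KEY,
     "requestParameters": {"roleName": "lambda-exec", "assumeRolePolicyDocument": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                        "Action": "sts:AssumeRole"}]})}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "recipientAccountId": VICTIM,
     "userIdentity": LONG_TERM_KEY,
     "requestParameters": {"userName": "ses-smtp-user-1"}},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The third record (a service-principal role created with temporary credentials) produces no finding, which is the point of checking the principal rather than alerting on every CreateRole. In practice you would feed `scan` the records from a CloudTrail S3 export or a CloudWatch Logs subscription and route any non-empty result to the alerting described above.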
Sleep well, we got you covered.