Summary: Threat actors tracked as TGR-UNK-0011 and linked to the JavaGhost group are exploiting misconfigurations in Amazon Web Services (AWS) environments to run phishing campaigns. Active since 2019, they have shifted tactics toward gaining unauthorized access through exposed AWS access keys and abusing services such as Amazon SES and WorkMail to send mail from the victim's own account. Because the messages originate from legitimate AWS infrastructure, they bypass email protections, and the group establishes long-term persistence in the compromised AWS accounts.
Affected: Amazon Web Services (AWS)
Key points:
- Threat group TGR-UNK-0011, associated with JavaGhost, has pivoted from website defacement to phishing for financial gain since 2022.
- Attacks exploit misconfigured AWS environments, utilizing Amazon SES and WorkMail without hosting their own infrastructure.
- The group employs advanced techniques to obfuscate identities in AWS CloudTrail logs and create long-term persistence with various IAM users.
- A noteworthy tactic is creating EC2 security groups named "Java_Ghost" with distinctive descriptions, but without attaching them to any resources.
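As an added example (not code from the article or from the summary above), the following Python hunt runs over constructed CloudTrail records and flags the three behaviours listed in the key points: an EC2 security group named Java_Ghost, IAM user and access-key creation that could serve as persistence, and any call to the Amazon SES or WorkMail APIs. The account ID, principal names, timestamps and events are made up; only the CloudTrail field names (eventSource, eventName, userIdentity.arn, requestParameters) are real. The rule names and the persistence call list are this example's own choices, not identifiers from the article.

```python
"""Hunt CloudTrail records for the TTPs summarised above (added example)."""
from collections import defaultdict

# Constructed sample CloudTrail records, not real logs. Field names follow the
# CloudTrail record format; account ID and principal names are invented.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-20T09:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-backup"},
     "requestParameters": {"groupName": "Java_Ghost"}},
    {"eventTime": "2025-02-20T09:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {"groupName": "web-sg"}},
    {"eventTime": "2025-02-20T09:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-backup"},
     "requestParameters": {"userName": "svc-mailer"}},
    {"eventTime": "2025-02-20T09:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-backup"},
     "requestParameters": {"userName": "svc-mailer"}},
    {"eventTime": "2025-02-20T09:20:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "CreateEmailIdentity",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-mailer"},
     "requestParameters": {"emailIdentity": "billing@example.com"}},
    {"eventTime": "2025-02-20T09:25:00Z", "eventSource": "workmail.amazonaws.com",
     "eventName": "CreateOrganization",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-mailer"},
     "requestParameters": {"alias": "example-mail"}},
    {"eventTime": "2025-02-20T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app"},
     "requestParameters": {"bucketName": "app-assets", "key": "logo.png"}},
]

SUSPECT_GROUP_NAME = "Java_Ghost"
PHISHING_SERVICES = {"ses.amazonaws.com", "workmail.amazonaws.com"}
# IAM calls that create or extend a foothold; the list is this example's choice.
PERSISTENCE_CALLS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                     "AttachUserPolicy"}


def actor_of(event):
    """Return the calling principal's ARN (attackers may make this misleading)."""
    return event.get("userIdentity", {}).get("arn", "<unknown>")


def hunt(events):
    """Return (rule, actor_arn, eventName, eventTime) for every matching event.

    One event can match more than one rule; each match is its own finding.
    """
    findings = []
    for ev in events:
        src = ev.get("eventSource", "")
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        actor = actor_of(ev)
        when = ev.get("eventTime", "")
        if (src == "ec2.amazonaws.com" and name == "CreateSecurityGroup"
                and params.get("groupName") == SUSPECT_GROUP_NAME):
            findings.append(("java_ghost_sg", actor, name, when))
        if src == "iam.amazonaws.com" and name in PERSISTENCE_CALLS:
            findings.append(("iam_persistence", actor, name, when))
        if src in PHISHING_SERVICES:
            findings.append(("phishing_service", actor, name, when))
    return findings


def actor_summary(findings):
    """Map each principal ARN to the sorted list of distinct rules it triggered."""
    by_actor = defaultdict(set)
    for rule, actor, _name, _when in findings:
        by_actor[actor].add(rule)
    return {actor: sorted(rules) for actor, rules in by_actor.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for rule, actor, name, when in found:
        print(f"{when} {rule:<18} {name:<22} {actor}")
    for actor, rules in actor_summary(found).items():
        print(f"{actor}: {', '.join(rules)}")
```

Two design points follow from the summary itself. First, because the group is reported to obscure its identity in CloudTrail, the rules key on the shape of the API call (service, action, parameters) rather than on who made it; the per-actor summary is a pivot for the analyst, not the detection. Second, an unattached security group produces no traffic and no VPC flow logs, so the only place the Java_Ghost marker shows up is the CreateSecurityGroup management event, which is why the hunt reads CloudTrail rather than network telemetry.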
Source: https://thehackernews.com/2025/03/hackers-exploit-aws-misconfigurations.html