Wiz Threat Research Team Discovers New AWS Phishing Campaign | Wiz Blog

Short Summary:

Recently, an employee received a phishing email attempting to steal AWS login credentials. The email contained an image link that led, through several redirects and a hosted PDF, to a credential harvesting page mimicking the legitimate AWS sign-in page. Although the employee recognized the phishing attempt, the investigation surfaced several indicators of compromise and related lookalike domains, and prompted guidance on hardening AWS accounts against credential phishing.

Key Points:

  • An employee received a phishing email targeting AWS credentials.
  • The email contained a link that redirected to a credential harvesting page.
  • The sender's domain was listed in open-source threat intelligence as a known malware distributor, and the email was sent through Amazon SES.
  • The phishing page was a visual clone of the legitimate AWS sign-in page.
  • The investigation revealed multiple suspicious domains related to AWS phishing.
  • Organizations should implement strong security measures to protect against phishing.
  • Recommendations include denying root-user actions via an SCP, phishing-resistant (FIDO) MFA, SSO instead of IAM users, least privilege, and CloudTrail logging.

MITRE ATT&CK TTPs – created by AI

  • Phishing (T1566)
    • A lure email with an image link leads, through redirects and a hosted PDF, to a credential harvesting page.
  • Acquire Infrastructure: Domains (T1583.001)
    • Lookalike domains such as consoleportal[.]tech, with signin.aws./console.aws. subdomains, imitate the AWS sign-in host.
  • Acquire Infrastructure: Web Services (T1583.006)
    • Squarespace, pCloud, a link shortener, CloudFront and Amazon SES are used for hosting, redirection and delivery.
  • Stage Capabilities: Link Target (T1608.005)
    • The attacker hosts the cloned AWS sign-in page at which the redirect chain terminates.
  • Valid Accounts: Cloud Accounts (T1078.004)
    • Stolen AWS credentials would let the attacker operate as a legitimate cloud identity.

Earlier this week, one of our employees received a phishing email to their personal inbox that attempted to lure them into providing their AWS login credentials. While the employee immediately recognized this as a phishing email, and we do not believe this was a targeted attack or a case of spearphishing, we began an investigation due to our interest in cloud-related cyber activity. 

We were ultimately unable to identify the goals of the attacker in this case (for reasons that will be explained shortly), but we wanted to make available the relevant details and indicators so that others could check if they were affected. Additionally, we decided to take this opportunity to discuss how AWS customers can defend themselves against similar phishing attempts. 

The phishing email simply contained a PNG image that, when clicked, took the victim to https://giraffe-viola-p262.squarespace[.]com/ and then, through a series of redirects, to a PDF viewer. The sender's email address was admin@alchemistdigital[.]ae, and that domain is listed in open-source threat intelligence as known for distributing malware. The message itself was sent via Amazon SES, meaning the threat actor was using an AWS account for delivery (either their own or a compromised one).

The PDF file was hosted on a file sharing site (e.pcloud.link) with a built-in PDF viewer. The "Invoice Summary" link in the PDF led the user through a chain of redirections: first to https://cli[.]re/j9PQ88, a common link shortener service, then to https://console.aws.consoleportal[.]tech/IgXlrDYW, an attacker-controlled domain, and finally to the credential harvesting page (https://signin.aws.consoleportal[.]tech/signin). As of this writing, Google Chrome flags this as a phishing page, but browser warnings should not be relied on as the sole control, especially where other browsers are in use.

The credential harvesting page that we were ultimately directed to was a visual clone of the current AWS sign-in page, and the page’s URL was also designed to mimic the legitimate AWS login page: 

https://signin.aws.consoleportal[.]tech/signin?redirect_uri=... 

Compare this to the genuine login page:  

https://signin.aws.amazon.com/signin?redirect_uri=... 

This page loads a JavaScript script hosted at https://d35uxhjf90umnp.cloudfront[.]net/index.js, which might be attacker-owned, or perhaps associated with the same AWS subscription that the threat actor is using for SES – we have yet to confirm this possibility. 

We attempted to feed the phishing page credentials from a honeypot environment we set up, but interestingly the page returned a 400 error unless we entered the email address of the originally intended victim. By the time we discussed setting up the employee's personal AWS account as a honeypot, the attacker's login infrastructure had already been taken down, so we were unable to fully investigate the attacker's intent.

It’s unknown to us what caused the phishing page to be taken down when it did, but the original email had already been promptly sent to stop-spoofing@amazon.com as an early step of our investigation, and Chrome was already blocking the page (as mentioned above), so it’s possible AWS or Google had been involved in the take-down.  

Phishing emails are a very common occurrence, and while our colleague didn't click through this time, it is never an employee's fault if they do take the bait and the organization is compromised as a result: organizations must be secure enough that one employee's honest mistake doesn't have disastrous consequences. So how can AWS customers protect themselves from this scenario?

Secure Configuration 

For starters, root-user access in member accounts should be neutralized via an SCP that denies all actions to the root principal, as we've described in our guidance Using Service Control Policies to protect security baselines. Note that an SCP cannot stop the root user from signing in, but it denies every API call afterwards, so a phished root password yields nothing. SCPs do not apply to the AWS Organization management account, whose root user can still sign in and act, so you should ensure you have phishing-resistant MFA for that account, meaning FIDO security keys rather than codes (TOTP or SMS) that a phishing page can capture and relay in real time.
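The following is an added example, not Wiz's or AWS's own code: it holds the root-deny SCP in the shape AWS documents for this purpose and evaluates it against sample principals, so you can see why the root user of a member account is blocked while a role is not, and why the management account is exempt. The account ID, role name and action are made up, and the evaluator implements only the slice of SCP semantics this statement needs.

```python
"""Evaluate the root-user-deny SCP against sample principals.

Added example, not Wiz's or AWS's own code. DENY_ROOT_SCP follows the
AWS-documented pattern (Deny all actions when aws:PrincipalArn is the
account's root user); scp_allows() implements only the slice of SCP
semantics that statement needs: Effect, Action wildcards, and
StringLike/StringEquals conditions. Account ID and role name are made up.
"""
import fnmatch
import json

DENY_ROOT_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        # Keep a broad Allow so the SCP does not silently deny everything
        # else (AWS's default FullAWSAccess policy does the same).
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyRootUser",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True if every condition operator/key matches the request context."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None:
                return False
            if operator == "StringLike":
                if not any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns)):
                    return False
            elif operator == "StringEquals":
                if value not in _as_list(patterns):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def scp_allows(policy, principal_arn, action, account_is_management=False):
    """Return True if the SCP lets `principal_arn` perform `action`.

    SCPs never apply to the organization's management account, which is why
    its root user still needs phishing-resistant MFA. An explicit Deny wins
    over any Allow, and with no matching Allow the action is denied.
    """
    if account_is_management:
        return True
    context = {"aws:PrincipalArn": principal_arn}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # The JSON form is what `aws organizations create-policy --type SERVICE_CONTROL_POLICY` takes.
    print(json.dumps(DENY_ROOT_SCP, indent=2))
    for arn in ("arn:aws:iam::111122223333:root", "arn:aws:iam::111122223333:role/Deployer"):
        verdict = "allowed" if scp_allows(DENY_ROOT_SCP, arn, "s3:ListAllMyBuckets") else "denied"
        print(arn, "->", verdict)
```

Attach the policy to the OUs containing member accounts, not to the root of the organization alone; the management account ignores it either way.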

User authentication should go through an SSO solution (such as IAM Identity Center or an external identity provider) rather than long-lived IAM users or the root user. This makes it easier to enforce additional authentication requirements centrally, alongside other user management benefits.

Least-privilege strategies limit the damage if a user is compromised, and the same principle applies to identities: access to critical ones, such as the root user of the AWS Organization management account, should be restricted to a minimal set of employees.

Cloud Logging

Cloud logging services such as AWS CloudTrail should always be enabled. They are an essential tool for assessing the impact of compromised credentials within cloud environments: CloudTrail records each ConsoleLogin event with the identity type, source IP address and whether MFA was used, which is exactly the data needed to spot a phished credential being used. This lets security teams identify affected resources, understand the scope of a breach and implement effective remediation to bolster their security posture and prevent future breaches.
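As an added example (not Wiz's or AWS's code), here is detection logic run over CloudTrail ConsoleLogin records in the format CloudTrail writes: it flags root-user sign-ins, successful sign-ins without MFA, sign-ins from outside known egress ranges, and repeated failures for one principal. The records and the egress allowlist are constructed for the example; replace them with the Records of a real CloudTrail log file and your own ranges.

```python
"""Triage CloudTrail ConsoleLogin records for signs of a phished credential.

Added example, not Wiz's or AWS's code. It reads the CloudTrail record
format (eventName "ConsoleLogin", userIdentity, sourceIPAddress,
additionalEventData.MFAUsed, responseElements.ConsoleLogin). The records
below are constructed and the egress allowlist is an assumption.
"""
import ipaddress
import json

# Assumption: the organization's known egress ranges.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample in CloudTrail's {"Records": [...]} file layout.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventID": "evt-1", "eventTime": "2024-08-02T09:12:01Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"},
  "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventID": "evt-2", "eventTime": "2024-08-02T09:15:44Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
  "additionalEventData": {"MFAUsed": "Yes"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventID": "evt-3", "eventTime": "2024-08-02T10:01:10Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "errorMessage": "Failed authentication",
  "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventID": "evt-4", "eventTime": "2024-08-02T10:01:35Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "errorMessage": "Failed authentication",
  "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventID": "evt-5", "eventTime": "2024-08-02T10:02:02Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "errorMessage": "Failed authentication",
  "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}
]}
""")


def findings_for_event(evt):
    """Per-record checks; returns a list of (severity, reason)."""
    if evt.get("eventName") != "ConsoleLogin":
        return []
    identity = evt.get("userIdentity", {})
    success = evt.get("responseElements", {}).get("ConsoleLogin") == "Success"
    mfa_used = evt.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    src = evt.get("sourceIPAddress", "")
    out = []
    if identity.get("type") == "Root":
        out.append(("high", "root user console login"))  # root should not be used day to day
    if success and not mfa_used:
        out.append(("high", "successful console login without MFA"))
    try:
        if not any(ipaddress.ip_address(src) in net for net in KNOWN_EGRESS):
            out.append(("medium" if success else "low", f"login from unexpected IP {src}"))
    except ValueError:  # CloudTrail also emits non-IP values such as "AWS Internal"
        out.append(("low", f"non-IP sourceIPAddress {src!r}"))
    return out


def triage(records, failure_threshold=3):
    """Return [(eventID, severity, reason)] for all records, plus a cross-record
    check for repeated failed logins by one principal (password guessing, or a
    phisher retrying captured credentials). Failed logins for non-existent
    users carry userName "HIDDEN_DUE_TO_SECURITY_REASONS" and group together."""
    results, failures = [], {}
    for evt in records:
        results.extend((evt["eventID"], sev, why) for sev, why in findings_for_event(evt))
        if evt.get("eventName") == "ConsoleLogin" and evt.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            who = evt.get("userIdentity", {}).get("arn") or evt.get("userIdentity", {}).get("userName", "?")
            failures.setdefault(who, []).append(evt["eventID"])
    for who, ids in failures.items():
        if len(ids) >= failure_threshold:
            results.append((ids[-1], "medium", f"{len(ids)} failed console logins for {who}"))
    return results


if __name__ == "__main__":
    for event_id, severity, reason in triage(SAMPLE_TRAIL["Records"]):
        print(f"{event_id}\t{severity}\t{reason}")
```

Run against a real trail with `triage(json.load(open(path))["Records"])`; the "login from unexpected IP" check is the one that would have caught a phisher replaying credentials from their own infrastructure.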

The phishing domain (consoleportal[.]tech) currently resolves to Cloudflare, but using Validin's historic DNS search we were able to pivot on the domain and find 2 unique IP addresses to which it previously resolved (as of 2024-08-02):

 

We then searched for other domains that resolved to those same IP addresses and thereby identified 3 additional domains that also appear to be utilized for AWS phishing based on their sub-domain format, such as signin.aws.{domain}, portal.aws.{domain}, console.aws.{domain}, etc.: 

  • officequalcomm[.]com 

  • webportal[.]tech 

  • docshare[.]tech 

Dozens of additional suspicious-looking domains have resolved to these IP addresses, but we have not yet confirmed that they are malicious.

Additionally, using Validin's lookalikes search feature, we identified several domains mimicking the AWS sign-in hostname. While these domains are not necessarily operated by the same threat actor, we believe they are likely to be used in phishing campaigns, and the subdomain format (signin.aws. in front of a non-Amazon domain) appears to be a strong indicator of malicious intent:

signin.aws.aathenahealth[.]com 
signin.aws.amaonz[.]com 
signin.aws.amzan[.]com 
signin.aws.athenahelath[.]com 
signin.aws.bashaws[.]com 
signin.aws.clouddocuments[.]app 
signin.aws.dev-login[.]com 
signin.aws.factorydirectwork[.]com 
signin.aws.hashcrp[.]in 
signin.aws.kintsuma[.]com 
signin.aws.lustforkangaroos[.]top 
signin.aws.mantrapays[.]com 
signin.aws.offlce[.]in 
signin.aws.onlinelogin-link[.]com 
signin.aws.onmicrosofte[.]com 
signin.aws.portalunos[.]org 
signin.aws.registeringencrypted[.]com
signin.aws.safelinks-protection[.]com  
signin.aws.sharedpoint[.]online 
signin.aws.spaceigniter[.]com 
signin.aws.thernloven[.]com 
signin.aws.wordir[.]org 
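As an added example (not Wiz's or Validin's code), the following classifier encodes the hostname pattern discussed above, both the consoleportal[.]tech versus amazon.com comparison and the signin.aws.{domain} list: brand labels such as aws/amazon, or a close typo-squat of "amazon", in front of a registrable domain that is not Amazon's. It accepts the defanged [.] form used in the indicator lists. The registrable domain is approximated as the last two labels (no public-suffix list), which is fine for the TLDs here but would misjudge e.g. example.co.uk, and the allowlist of Amazon domains is an assumption to adjust for your environment.

```python
"""Classify hostnames/URLs as genuine AWS sign-in, AWS lookalike, or unrelated.

Added example, not Wiz's or Validin's code. Encodes the pattern described in
the post: brand labels (signin.aws / console.aws / portal.aws) or a typo-squat
of "amazon" in front of a registrable domain that is not Amazon's. The
registrable domain is approximated as the last two labels (no public-suffix
list); the allowlist is an assumption.
"""
from urllib.parse import urlsplit

# Assumption: registrable domains the AWS console and Identity Center portals live under.
LEGITIMATE_REGISTRABLE = {"amazon.com", "amazonaws.com", "awsapps.com"}
BRAND_LABELS = {"aws", "amazon", "amazonaws"}
MAX_TYPO_DISTANCE = 2


def refang(text):
    """Undo the [.] / hxxp defanging used in indicator lists."""
    return text.strip().replace("[.]", ".").replace("hxxp", "http")


def hostname_of(indicator):
    """Extract a lowercase hostname from a URL or a bare hostname."""
    value = refang(indicator)
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def registrable_domain(host):
    """Last two labels; see the docstring for the public-suffix caveat."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch amzan / amaonz style squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator):
    """Return 'genuine', 'lookalike' or 'unrelated' for a URL or hostname."""
    host = hostname_of(indicator)
    if not host:
        return "unrelated"
    if registrable_domain(host) in LEGITIMATE_REGISTRABLE:
        return "genuine"
    labels = host.split(".")
    uses_brand = any(label in BRAND_LABELS for label in labels)
    typo_squats = any(edit_distance(label, "amazon") <= MAX_TYPO_DISTANCE for label in labels)
    return "lookalike" if uses_brand or typo_squats else "unrelated"


if __name__ == "__main__":
    for sample in (
        "https://signin.aws.consoleportal[.]tech/signin?redirect_uri=x",
        "https://signin.aws.amazon.com/signin?redirect_uri=x",
        "signin.aws.amzan[.]com",
        "console.aws.officequalcomm[.]com",
        "https://giraffe-viola-p262.squarespace[.]com/",
    ):
        print(f"{classify(sample):10s} {sample}")
```

Treat the output as a hunting filter rather than a verdict: an internal host named aws.corp.example.com will also come back as "lookalike", and a phishing host that avoids brand words entirely will not be caught.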

Source: https://www.wiz.io/blog/emerging-phishing-campaign-targeting-aws-accounts