AWS misconfigurations reportedly used to launch phishing attacks

Illustration of a hooked email hovering over a mobile phone
(Image credit: Getty Images)

  • Threat actors seen abusing AWS misconfigurations to gain access to the instances
  • They would use the instances to create new SES and WorkMail services
  • The emails would bypass email security, while keeping the attackers hidden

Misconfigured Amazon Web Services (AWS) environments are being abused to run phishing campaigns that can bypass email filters and land right into people’s inboxes, experts have claimed.

Cybersecurity researchers from Palo Alto Networks’ Unit 42 recently spotted a group tracked as TGR-UNK-0011 engaging in this type of attack.

The group, which Unit 42 says significantly overlaps with a separate group called JavaGhost, has been active since 2019. However, the group was initially focused on defacing websites, and only pivoted to phishing in 2022, when they started seeking out financial gain.

JavaGhost

The attacks start with the group obtaining people’s AWS access keys. This gives them access to Amazon Simple Email Service (SES) and WorkMail services.

"JavaGhost obtained exposed long-term access keys associated with identity and access management (IAM) users that allowed them to gain initial access to an AWS environment via the command-line interface (CLI)," the researchers said. "Between 2022-24, the group evolved their tactics to more advanced defense evasion techniques that attempt to obfuscate identities in the CloudTrail logs. This tactic has historically been exploited by Scattered Spider."

After confirming the access, the attackers would create a temporary account and access the console. Then, they would use SES and WorkMail to set up their phishing infrastructure, and would set up SMTP credentials to send the phishing emails.

"Throughout the time frame of the attacks, JavaGhost creates various IAM users, some they use during their attacks and others that they never use," the researchers explained. "The unused IAM users seem to serve as long-term persistence mechanisms."
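The steps above leave a recognisable trail in CloudTrail: a long-term IAM user key (ID prefix `AKIA`, as opposed to `ASIA` for temporary credentials) driving the CLI, new IAM users and console passwords being created, new access keys being issued (SES SMTP credentials are derived from an IAM access key, so `CreateAccessKey` is the event that corresponds to "setting up SMTP credentials"), and then first-time calls to SES or WorkMail. The following detector is an added example written for this page, not code from the article or from Unit 42; the CloudTrail records it runs over are constructed sample data, the scoring rules and risk labels are this example's own, and the event names (`CreateUser`, `CreateLoginProfile`, `CreateAccessKey`, `VerifyEmailIdentity`, `CreateOrganization`) are real CloudTrail event names for the IAM, SES and WorkMail services.

```python
"""Score CloudTrail activity per access key against the pattern described above:
long-term key used via the CLI -> IAM persistence (new users, passwords, keys)
-> first use of the mail services (SES / WorkMail).

Added example for this article; the records below are constructed, not real logs.
"""
import json
from collections import defaultdict

LONG_TERM_KEY_PREFIX = "AKIA"   # long-term IAM user keys; temporary credentials start with "ASIA"
MAIL_SERVICES = {"ses.amazonaws.com", "workmail.amazonaws.com"}
IAM_PERSISTENCE_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey"}

# Constructed CloudTrail records, one JSON object per line as CloudTrail delivers them.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"GetUser","userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLE000000001"},"requestParameters":{"userName":"backup-svc"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2024-05-01T10:03:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateLoginProfile","userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLE000000001"},"requestParameters":{"userName":"backup-svc"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2024-05-01T10:04:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLE000000001"},"requestParameters":{"userName":"backup-svc"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2024-05-01T10:10:00Z","eventSource":"ses.amazonaws.com","eventName":"VerifyEmailIdentity","userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLE000000001"},"requestParameters":{"emailAddress":"billing@example.com"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2024-05-01T10:12:00Z","eventSource":"workmail.amazonaws.com","eventName":"CreateOrganization","userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLE000000001"},"requestParameters":{"alias":"example-mail"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2024-05-01T11:00:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"AssumedRole","accessKeyId":"ASIAEXAMPLE000000002"},"sourceIPAddress":"198.51.100.7","userAgent":"console.amazonaws.com"}
"""


def is_long_term_key(access_key_id):
    """True for long-term IAM user keys (AKIA...), False for temporary credentials (ASIA...)."""
    return access_key_id.startswith(LONG_TERM_KEY_PREFIX)


def parse_records(text):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(records):
    """Group records by access key and score each key against the three-stage pattern."""
    by_key = defaultdict(lambda: {"long_term": False, "cli": False, "first_seen": None,
                                  "iam_persistence": [], "mail_services": set()})
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId", "")
        entry = by_key[key]
        entry["long_term"] = is_long_term_key(key)
        entry["first_seen"] = entry["first_seen"] or rec["eventTime"]
        if rec.get("userAgent", "").startswith("aws-cli"):
            entry["cli"] = True
        source, name = rec["eventSource"], rec["eventName"]
        if source == "iam.amazonaws.com" and name in IAM_PERSISTENCE_EVENTS:
            target = rec.get("requestParameters", {}).get("userName", "?")
            entry["iam_persistence"].append(f"{name}:{target}")
        if source in MAIL_SERVICES:
            entry["mail_services"].add(source.split(".")[0])

    findings = {}
    for key, e in by_key.items():
        # Scoring is this example's own: all three stages on one long-term key is the
        # full pattern; either stage alone on a long-term key is worth a look.
        if e["long_term"] and e["iam_persistence"] and e["mail_services"]:
            risk = "high"
        elif e["long_term"] and (e["iam_persistence"] or e["mail_services"]):
            risk = "medium"
        else:
            risk = "low"
        findings[key] = {**e, "mail_services": sorted(e["mail_services"]), "risk": risk}
    return findings


if __name__ == "__main__":
    for key, finding in analyze(parse_records(SAMPLE_LOG)).items():
        print(f"{key}: risk={finding['risk']} cli={finding['cli']} "
              f"iam={finding['iam_persistence']} mail={finding['mail_services']}")
```

In a real deployment the same grouping would run over CloudTrail delivered to S3 or a SIEM, and the `high` finding would also be the prompt to rotate or delete the long-term key, review every IAM user it created (including the ones that were never used afterwards, which the researchers describe as persistence), and check SES identities and WorkMail organizations that did not exist before.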

Since the emails would be coming from a known and legitimate entity, they would bypass email protections and reach their targets’ inboxes. They would also sound more credible, since the two parties had most likely communicated in the past.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

