Misconfigured AWS Accounts Are Fueling Phishing Campaigns

Cybersecurity researchers have uncovered a campaign where threat actors exploit misconfigured Amazon Web Services (AWS) environments to send phishing emails.

The attackers, identified as TGR-UNK-0011, or JavaGhost, leverage exposed AWS credentials to gain access to cloud accounts and use legitimate services like Amazon Simple Email Service (SES) and WorkMail to distribute phishing messages.

How the attack works

The JavaGhost group, active since 2019, initially focused on website defacements before shifting to financially motivated phishing attacks in 2022. Their current tactics include:

• Gaining access to AWS accounts using identify and access management (IAM) keys.
• Using AWS CLI to generate temporary credentials and manipulate AWS services.
• Setting up SES and WorkMail accounts to send phishing emails that appear legitimate.
• Creating multiple IAM users, some of whom remain unused for potential future attacks.

By hijacking legitimate AWS resources, the attackers reduce operational costs and increase credibility, making their phishing emails more convincing.

JavaGhost’s distinctive footprint

According to researchers, one unique feature of JavaGhost’s activity is their “calling card” left in AWS environments. Security researchers have found:

• EC2 security groups named “Java_Ghost” with the description “We Are There But Not Visible.”
• Unused IAM users and security groups that are potentially responsible for long-term persistence.

These indicators are red flags for organizations looking to detect compromises in their AWS environments.

How organizations can avoid these attacks

To reduce the risk of AWS-based phishing attacks, companies can:

• Regularly rotate and securely store access keys to prevent unauthorized use.
• Enforce multifactor authentication to add an extra security layer.
• Apply the principle of least privilege to restrict IAM permissions.
• Monitor CloudTrail logs for unusual activities, such as unexpected IAM user creation.

JavaGhost’s evolution from simple website defacements to sophisticated phishing operations demonstrates how cybercriminals continuously adapt to exploit weaknesses in cloud security.

Companies can avoid these threats by:

• Reviewing their AWS configurations.
• Strengthening access controls.
• Incorporating continuous security monitoring to reduce threats.

By proactively securing cloud environments, businesses can prevent their AWS accounts from becoming launchpads for cyberattacks.