Hackers are exploiting Amazon Web Services (AWS) misconfigurations to launch phishing campaigns using Amazon Simple Email Service (SES) and WorkMail, according to Palo Alto Networks’ Unit 42. This threat group, tracked under the name TGR-UNK-0011, has been active since 2019 and previously focused on website defacements before pivoting to phishing in 2022 for financial gain. Rather than exploiting vulnerabilities in AWS, the attackers target exposed AWS access keys that allow them to send phishing messages. These keys are obtained through misconfigured AWS environments, which provide the attackers with an advantage by bypassing email security protections since the phishing emails originate from trusted services.
The attackers gain initial access through exposed long-term AWS access keys associated with identity and access management (IAM) users.
Once inside the AWS environment, they use command-line interfaces (CLI) to generate temporary credentials and login URLs, granting them access to the console and the ability to manipulate resources. The hackers take steps to hide their identity and obfuscate their activities in CloudTrail logs, making it harder to trace their actions. Their efforts to remain undetected are in line with tactics observed in other advanced threat actors, such as the group Scattered Spider.
Once the attackers have control over the AWS environment, they create new IAM users and generate SMTP credentials to facilitate their phishing campaigns via SES and WorkMail. These phishing emails, which appear to come from a legitimate source the target organization has communicated with before, are harder to detect by traditional email filtering systems.
Additionally, the attackers leave unused IAM users behind as long-term persistence mechanisms, allowing them to maintain access to the compromised AWS accounts for future use.
One of the more notable tactics of TGR-UNK-0011 is the creation of new IAM roles with trust policies that let the attackers access the compromised AWS account from other accounts under their control. In the process, the group also creates security groups labeled “Java_Ghost” with no security rules attached, which are often left unused. These groups serve as another indicator of the attackers’ presence and appear in CloudTrail logs, though they do not affect the resources in the AWS environment. This persistence method further highlights the sophistication of the group’s operations and their ability to hide their activities within the compromised systems.
