Threat operation TGR-UNK-0011, which overlaps with the JavaGhost group, has been leveraging misconfigured Amazon Web Services (AWS) environments leaking AWS access keys, as well as Amazon Simple Email Service and WorkMail, to conduct covert phishing campaigns without hosting or paying for proprietary infrastructure, The Hacker News reports.

After using long-term access keys to achieve initial access to targeted AWS environments, attackers proceed with temporary credential and login URL generation for greater account visibility before exploiting SES and WorkMail to facilitate phishing email distribution, according to Palo Alto Networks Unit 42. Targeted AWS accounts are also being continuously accessed from another hijacked account through a new IAM role with an attached trust policy.

"These security groups do not contain any security rules and the group typically makes no attempt to attach these security groups to any resources," said the Unit 42 researchers. "The creation of the security groups appear in the CloudTrail logs in the CreateSecurityGroup events."
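A defender can hunt for the CloudTrail pattern the researchers describe: security groups that are created and then never given rules or attached to anything. The following is an added example, not code from Unit 42 or the report. It assumes CloudTrail records already parsed into dictionaries, treats any later event that names the group ID as use of the group, and runs on constructed sample records with placeholder IDs and keys.

```python
import json

# Constructed CloudTrail records for illustration; IDs and keys are placeholders.
def make_record(time, name, key, params, resp=None, error=None):
    rec = {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
           "userIdentity": {"accessKeyId": key},
           "requestParameters": params, "responseElements": resp}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_RECORDS = [
    make_record("2025-01-01T10:00:00Z", "CreateSecurityGroup", "AKIAEXAMPLE0000000001",
                {"groupName": "grp-a"}, {"groupId": "sg-0aaa"}),
    make_record("2025-01-01T10:05:00Z", "CreateSecurityGroup", "ASIAEXAMPLE0000000002",
                {"groupName": "grp-b"}, {"groupId": "sg-0bbb"}),
    make_record("2025-01-01T10:06:00Z", "AuthorizeSecurityGroupIngress",
                "ASIAEXAMPLE0000000002", {"groupId": "sg-0bbb", "ipPermissions": {}}),
    make_record("2025-01-01T10:10:00Z", "CreateSecurityGroup", "AKIAEXAMPLE0000000001",
                {"groupName": "grp-c"}, {"groupId": "sg-0ccc"}),
    make_record("2025-01-01T10:12:00Z", "RunInstances", "AKIAEXAMPLE0000000001",
                {"groupSet": {"items": [{"groupId": "sg-0ccc"}]}}),
    make_record("2025-01-01T10:15:00Z", "CreateSecurityGroup", "AKIAEXAMPLE0000000001",
                {"groupName": "grp-d"}, None, error="Client.UnauthorizedOperation"),
]

def unused_security_groups(records):
    """Groups created via CreateSecurityGroup that no later event in the window names."""
    created = {}   # groupId -> record of the successful create call
    used = set()   # groupIds referenced by any later successful call
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("errorCode"):
            continue  # failed calls create or change nothing
        if rec.get("eventName") == "CreateSecurityGroup":
            gid = (rec.get("responseElements") or {}).get("groupId")
            if gid:
                created[gid] = rec
            continue
        # Rule changes and attachments carry the group ID somewhere in requestParameters.
        params = json.dumps(rec.get("requestParameters") or {})
        used.update(gid for gid in created if f'"{gid}"' in params)
    return [{"groupId": gid, "eventTime": rec["eventTime"],
             "accessKeyId": rec["userIdentity"].get("accessKeyId", ""),
             # AKIA marks a long-term IAM user key; ASIA marks temporary credentials.
             "longTermKey": rec["userIdentity"].get("accessKeyId", "").startswith("AKIA")}
            for gid, rec in created.items() if gid not in used]

if __name__ == "__main__":
    for finding in unused_security_groups(SAMPLE_RECORDS):
        print(finding)
```

A hit is a lead for review rather than proof of compromise, since the result depends on how much log history is loaded.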
Cloud Security
Misconfigured AWS Environments Exploited To Facilitate Phishing
