Cybercriminals are actively exploiting misconfigured Amazon Web Services (AWS) environments to orchestrate large-scale phishing attacks, leveraging Amazon Simple Email Service (SES) and WorkMail. According to recent findings from Palo Alto Networks Unit 42, a threat group tracked as TGR-UNK-0011—with potential ties to the JavaGhost hacking collective—has been conducting these attacks since at least 2019.
Initially known for website defacement campaigns, JavaGhost pivoted in 2022 to financially motivated phishing attacks. "The group historically focused on defacing websites," said cybersecurity researcher Margaret Kelley. "However, in 2022, they shifted towards phishing emails for financial gain."
AWS Misconfigurations, Not Vulnerabilities, Are Being Exploited
It is important to note that these attacks do not exploit vulnerabilities in AWS itself. Instead, hackers capitalize on misconfigured AWS environments where access keys are inadvertently exposed. These stolen credentials enable attackers to send phishing emails via SES and WorkMail, effectively bypassing traditional email security measures. Because these emails originate from a legitimate AWS-based sender, they are more likely to evade detection and land in recipients' inboxes.
"JavaGhost obtained exposed long-term access keys associated with Identity and Access Management (IAM) users," Kelley explained. "This granted them initial access to AWS environments via the command-line interface (CLI)."
Evolving Tactics: Advanced Evasion Techniques
Between 2022 and 2024, JavaGhost refined its tactics, incorporating advanced defense evasion techniques. One such method involves obfuscating identity logs within AWS CloudTrail, a technique previously exploited by the notorious hacking group Scattered Spider.
Once inside an organization's AWS account, the attackers generate temporary credentials and login URLs, granting them console access. This provides them with insight into AWS resources while making attribution more difficult.
How Hackers Weaponize AWS SES and WorkMail
JavaGhost’s attack strategy includes:
Creating new SES and WorkMail users
Generating SMTP credentials to send phishing emails
Setting up IAM users for long-term persistence
"Throughout the attack timeline, JavaGhost creates multiple IAM users. Some are actively used, while others appear to be reserved for future access," Kelley added.
One of their more sophisticated techniques involves the creation of new IAM roles with trust policies, allowing them to access compromised AWS accounts from other AWS accounts under their control.
The JavaGhost Calling Card: "We Are There But Not Visible"
As part of their attack signature, JavaGhost leaves behind a unique calling card within AWS environments.
"The group creates new Amazon Elastic Compute Cloud (EC2) security groups named Java_Ghost, with the description 'We Are There But Not Visible,'" Unit 42 reported. These security groups typically contain no security rules and are not attached to any resources, but their creation is logged within AWS CloudTrail under CreateSecurityGroup events.
Mitigation Strategies for AWS Users
Organizations leveraging AWS should take the following steps to mitigate these threats:
Regularly audit IAM access keys and avoid using long-term credentials.
Enable multi-factor authentication (MFA) for all IAM users.
Restrict IAM permissions based on the principle of least privilege.
Monitor AWS CloudTrail logs for unauthorized access patterns.
Utilize AWS security services such as AWS GuardDuty and AWS Config to detect and remediate misconfigurations.
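Both the Java_Ghost calling card and the cross-account trust roles described above surface in CloudTrail, which is where the monitoring step in this list pays off. The following Python is an added example, not code from Unit 42 or AWS: it scans constructed CloudTrail-style records for a CreateSecurityGroup carrying the reported name or description and for CreateRole events whose trust policy names an account other than the one being logged. Field names follow the CloudTrail record schema; the account IDs and role names are made up.

```python
import json
from urllib.parse import unquote

# Constructed sample CloudTrail records (not real logs), trimmed to the fields used.
SAMPLE_RECORDS = [
    {"eventName": "CreateSecurityGroup", "recipientAccountId": "111111111111",
     "requestParameters": {"groupName": "Java_Ghost", "groupDescription": "We Are There But Not Visible"}},
    {"eventName": "CreateRole", "recipientAccountId": "111111111111",
     "requestParameters": {"roleName": "backup-sync", "assumeRolePolicyDocument":
         json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                     "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})}},
    {"eventName": "CreateSecurityGroup", "recipientAccountId": "111111111111",
     "requestParameters": {"groupName": "web-tier", "groupDescription": "allow 443"}},
]

CALLING_CARD_NAME = "java_ghost"                  # group name reported by Unit 42
CALLING_CARD_DESC = "we are there but not visible"

def trusted_accounts(policy_doc: str) -> set:
    """Account IDs named as AWS principals in a trust policy (JSON string)."""
    stmts = json.loads(unquote(policy_doc)).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    ids = set()
    for stmt in stmts:
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue                               # "*" or a service principal
        aws = principal.get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            parts = arn.split(":")                 # arn:aws:iam::<account>:root
            if len(parts) >= 5 and parts[4].isdigit():
                ids.add(parts[4])
    return ids

def find_findings(records) -> list:
    findings = []                                  # (finding_type, resource_name)
    for rec in records:
        params = rec.get("requestParameters") or {}
        if rec.get("eventName") == "CreateSecurityGroup":
            name = str(params.get("groupName", "")).lower()
            desc = str(params.get("groupDescription", "")).lower()
            if name == CALLING_CARD_NAME or desc == CALLING_CARD_DESC:
                findings.append(("calling_card", params.get("groupName")))
        elif rec.get("eventName") == "CreateRole":
            # Flag a trust policy naming any account other than the logged one.
            policy = params.get("assumeRolePolicyDocument", "{}")
            if trusted_accounts(policy) - {rec.get("recipientAccountId")}:
                findings.append(("external_trust", params.get("roleName")))
    return findings
```

An empty Java_Ghost group attached to nothing is harmless on its own; its value is as a high-confidence indicator that the account's access keys were already in someone else's hands.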
By proactively securing their AWS environments, organizations can prevent threat actors like JavaGhost from exploiting misconfigurations to carry out stealthy phishing attacks.