Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns to unsuspecting targets, according to Palo Alto Networks' Unit 42.
The cybersecurity company tracks the activity as TGR-UNK-0011 (short for a threat group with unknown motivation), which it says overlaps with a group known as JavaGhost. TGR-UNK-0011 is known to have been active since 2019.
"The group historically focused on defacing websites," security researcher Margaret Kelly noted. "In 2022, they pivoted to sending phishing emails for financial gain."
It should be noted that these attacks do not exploit any vulnerability in AWS. Rather, the threat actors take advantage of misconfigurations in victim environments that expose their AWS access keys, and use those keys to send phishing messages by abusing Amazon Simple Email Service (SES) and WorkMail.
This modus operandi has the benefit that the attackers do not need to host or pay for their own infrastructure for the malicious activity.
Moreover, it allows the phishing messages to get past email protections, since the messages come from a known entity from which the target organization has previously received mail.
"JavaGhost obtained exposed long-term access keys associated with identity and access management (IAM) users, which allowed them to gain initial access to AWS through the command line interface (CLI)," Kelly explained.
"Between 2022-24 CloudTrail logs. This tactic has historically been used by Scattered Spider."
Once access to the AWS account is confirmed, the attackers are known to generate temporary credentials and a login URL that allows access to the console. This, Unit 42 noted, lets them obfuscate their identity and gain visibility into the resources in the AWS account.
The group has subsequently been observed using SES and WorkMail to set up the phishing infrastructure, creating new SES and WorkMail users and new SMTP credentials to send the emails.
"Throughout the JavaGhost attacks, they create various IAM users, some of which they use during their attacks and others they never use," Kelly said. "The unused IAM users appear to serve as a long-term persistence mechanism."
Another notable aspect of the actor's modus operandi is the creation of a new IAM role with a trust policy attached, which allows them to access the AWS account from another AWS account under their control.
"The group continues to leave the same calling card in the middle of its attacks, creating new Amazon Elastic Cloud Compute (EC2) security groups named Java_Ghost with the group description 'We Are There But Not Visible,'" Unit 42 concluded.
"These security groups do not contain any security rules, and the group usually does not try to attach these security groups to any resources. The creation of the security groups appears in CloudTrail logs as CreateSecurityGroup events."
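The artefacts described above (the Java_Ghost security group, an IAM role whose trust policy admits a principal from another AWS account, and unused IAM users) can all be hunted for in CloudTrail. The following triage script is an added example, not Unit 42's or AWS's own tooling; it runs over constructed sample records, and it assumes the trust policy document arrives as a JSON string in `requestParameters`, as CloudTrail records it for CreateRole.

```python
import json
import re
from urllib.parse import unquote

def trust_policy_accounts(policy_text):
    """Account ids (or '*') allowed to assume a role by its trust policy document."""
    doc = json.loads(unquote(policy_text))  # CloudTrail stores the document as a (possibly URL-encoded) string
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    found = set()
    for st in stmts:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})  # either "*" or {"AWS": ..., "Service": ...}
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            m = re.search(r"\b(\d{12})\b", p)  # account id inside an ARN or given bare
            found.add("*" if p == "*" else m.group(1) if m else p)
    return found

def triage_records(records):
    """Return (eventName, reason) for records matching the JavaGhost artefacts named in the article."""
    hits = []
    for rec in records:
        name, params = rec.get("eventName"), rec.get("requestParameters") or {}
        if name == "CreateSecurityGroup" and "java_ghost" in str(params.get("groupName", "")).lower():
            hits.append((name, "security group named " + params["groupName"]))
        elif name in ("CreateRole", "UpdateAssumeRolePolicy"):
            doc = params.get("assumeRolePolicyDocument") or params.get("policyDocument") or "{}"
            foreign = trust_policy_accounts(doc) - {rec.get("recipientAccountId")}  # principals outside this account
            if foreign:
                hits.append((name, "trust policy allows external principal(s): " + ", ".join(sorted(foreign))))
        elif name == "CreateUser":
            hits.append((name, "new IAM user " + str(params.get("userName")) + " (check whether it is ever used)"))
    return hits

# Constructed sample records (not real logs); only the fields the triage needs are included.
TRUST_EXTERNAL = json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})
TRUST_SERVICE = json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}}]})
SAMPLE_RECORDS = [
    {"eventName": "CreateSecurityGroup", "recipientAccountId": "111111111111",
     "requestParameters": {"groupName": "Java_Ghost", "groupDescription": "We Are There But Not Visible"}},
    {"eventName": "CreateRole", "recipientAccountId": "111111111111",
     "requestParameters": {"roleName": "maint", "assumeRolePolicyDocument": TRUST_EXTERNAL}},
    {"eventName": "CreateRole", "recipientAccountId": "111111111111",
     "requestParameters": {"roleName": "app", "assumeRolePolicyDocument": TRUST_SERVICE}},
    {"eventName": "CreateUser", "recipientAccountId": "111111111111", "requestParameters": {"userName": "ses-smtp-user"}},
]
```

The second CreateRole record, whose trust policy only names an AWS service principal, is deliberately not flagged, so the role check stays focused on cross-account access rather than every role creation.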