A sophisticated threat actor known as JavaGhost has been exploiting misconfigured AWS environments to gain unauthorized access and deploy phishing attacks. This group has been active for over five years, initially focusing on website defacement before shifting to phishing operations in 2022 for financial gain.

JavaGhost's Tactics in AWS Environments

JavaGhost targets AWS environments by exploiting exposed long-term access keys associated with AWS Identity and Access Management (IAM) users. These keys are often found in publicly accessible .env files due to server misconfigurations. Once access is gained, the threat actor uses the AWS command-line interface to make API calls.

Evading Detection

To avoid detection, JavaGhost validates its stolen credentials with alternative API calls rather than the commonly monitored "GetCallerIdentity" call. By using calls such as "GetServiceQuota," "GetSendQuota," and "GetAccount," the group avoids the alerts that are typically keyed to the more common call.

  • Initial Access: JavaGhost locates exposed access keys in unsecured web applications.
  • Stealth Techniques: The group avoids detection by using less common API calls.
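
The following detection logic is an added example, not code from the original article. It runs two rules over constructed CloudTrail-style records: the narrow rule most teams deploy (alert on GetCallerIdentity only) and an expanded rule covering the three substitute calls named above when they are made with a long-term IAM access key. The sample records, the key IDs (AWS documentation placeholders) and the IP addresses are constructed; treating "AKIA"-prefixed keys as long-term and "ASIA"-prefixed keys as temporary STS credentials is a tuning assumption, not something the article states.

```python
"""Detect the low-noise account-reconnaissance pattern described above.

Constructed CloudTrail-style records (not from the original article). Field
names follow the CloudTrail record format; key IDs are AWS documentation
placeholders, and the IPs come from RFC 5737 documentation ranges.
"""
from collections import defaultdict

# Reconnaissance calls: the commonly monitored one plus the three substitutes
# the article attributes to JavaGhost, keyed by (eventSource, eventName).
RECON_CALLS = {
    ("sts.amazonaws.com", "GetCallerIdentity"),
    ("servicequotas.amazonaws.com", "GetServiceQuota"),
    ("ses.amazonaws.com", "GetSendQuota"),  # SES v1 API
    ("ses.amazonaws.com", "GetAccount"),    # SES v2 API
}


def _record(source, name, key_id, identity_type, ip, user="web-app"):
    """Build a minimal constructed CloudTrail record."""
    return {
        "eventSource": source,
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": identity_type, "accessKeyId": key_id, "userName": user},
    }


# Constructed sample: one leaked long-term key probing the account with the
# substitute calls, a legitimate role session running GetCallerIdentity, and
# ordinary activity that should not fire.
LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"    # AWS documentation placeholder key ID
SESSION_KEY = "ASIAEXAMPLETEMPORARY1"  # constructed temporary-credential key ID
SAMPLE_RECORDS = [
    _record("servicequotas.amazonaws.com", "GetServiceQuota", LEAKED_KEY, "IAMUser", "198.51.100.23"),
    _record("ses.amazonaws.com", "GetSendQuota", LEAKED_KEY, "IAMUser", "198.51.100.23"),
    _record("ses.amazonaws.com", "GetAccount", LEAKED_KEY, "IAMUser", "203.0.113.7"),
    _record("sts.amazonaws.com", "GetCallerIdentity", SESSION_KEY, "AssumedRole", "192.0.2.10", "ci-role"),
    _record("s3.amazonaws.com", "ListBuckets", LEAKED_KEY, "IAMUser", "198.51.100.23"),
    _record("servicequotas.amazonaws.com", "GetServiceQuota", SESSION_KEY, "AssumedRole", "192.0.2.10", "ci-role"),
]


def is_long_term_key(record):
    """Long-term IAM user keys begin with 'AKIA'; STS temporary credentials begin
    with 'ASIA'. Restricting to long-term keys matches the initial-access path the
    article describes and keeps role sessions out of the alert (a tuning choice)."""
    return record["userIdentity"].get("accessKeyId", "").startswith("AKIA")


def naive_rule(records):
    """The commonly deployed rule: alert only on GetCallerIdentity."""
    return [r for r in records if r["eventName"] == "GetCallerIdentity"]


def expanded_rule(records):
    """Alert on any reconnaissance call made with a long-term access key."""
    return [
        r for r in records
        if (r["eventSource"], r["eventName"]) in RECON_CALLS and is_long_term_key(r)
    ]


def summarize(hits):
    """Group hits per access key so one leaked key yields one finding, not N alerts."""
    findings = defaultdict(lambda: {"calls": set(), "source_ips": set()})
    for r in hits:
        key = r["userIdentity"]["accessKeyId"]
        findings[key]["calls"].add(r["eventName"])
        findings[key]["source_ips"].add(r["sourceIPAddress"])
    return {k: {"calls": sorted(v["calls"]), "source_ips": sorted(v["source_ips"])}
            for k, v in findings.items()}


if __name__ == "__main__":
    print("naive rule hits:", [r["eventName"] for r in naive_rule(SAMPLE_RECORDS)])
    for key, info in summarize(expanded_rule(SAMPLE_RECORDS)).items():
        print(f"expanded rule: key {key} ran {info['calls']} from {info['source_ips']}")
```

On the sample, the naive rule fires once, on the benign role session, and misses the leaked key entirely; the expanded rule produces a single finding for the leaked key listing all three substitute calls and both source addresses. In production the same grouping by access key is what lets an analyst pivot straight to key rotation rather than triaging per-event alerts.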

Phishing Operations Using Compromised AWS Resources

Once JavaGhost has infiltrated an AWS environment, they exploit overly permissive IAM permissions to utilize Amazon Simple Email Service (SES) and WorkMail for sending phishing emails. By leveraging the victim's existing SES infrastructure, their phishing emails evade detection as they appear to originate from a trusted source.

Challenges in Detection

The lack of SES data events in CloudTrail logs limits the visibility of these activities. Without data-plane (data event) logging enabled, organizations struggle to detect these intrusions. Enabling such logging, however, can reveal indicators of compromise (IoCs) and allow alerts to be built that identify suspicious activity.

  • Phishing Infrastructure: JavaGhost uses compromised SES to send phishing emails.
  • Visibility Issues: Limited logging makes it difficult to track their activities.