Threat operation TGR-UNK-0011, which overlaps with the JavaGhost group, has been leveraging misconfigured Amazon Web Services environments leaking AWS access keys, as well as Amazon Simple Email Service and WorkMail, to conduct covert phishing campaigns without hosting or paying for proprietary infrastructure, The Hacker News reports. After utilizing long-term access keys to achieve initial access to targeted AWS environments, attackers proceed with temporary credential and login URL generation for greater account visibility before exploiting SES and WorkMail to facilitate phishing email distribution, according to an analysis from Palo Alto Networks Unit 42 threat researchers. Targeted AWS accounts are also being continuously accessed from another hijacked account through a new IAM role with an attached trust policy. The report also describes security groups that the attackers create. "These security groups do not contain any security rules and the group typically makes no attempt to attach these security groups to any resources. The creation of the security groups appear in the CloudTrail logs in the CreateSecurityGroup events," said the report.
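For defenders, the two CloudTrail traces described above (security groups created without rules, and a new IAM role trusting another account) can be hunted for as follows. This is an added example, not code from the Unit 42 report; the log records are constructed, and every account ID, key ID, group name and role name in them is a placeholder.

```python
import json
import re

# Constructed CloudTrail records; account IDs, key IDs and names are placeholders.
SAMPLE_EVENTS = [
    {"eventName": "CreateSecurityGroup", "recipientAccountId": "111111111111",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEEXAMPLE00"},
     "requestParameters": {"groupName": "placeholder-sg-a"},
     "responseElements": {"groupId": "sg-0aaa"}},
    {"eventName": "CreateSecurityGroup", "recipientAccountId": "111111111111",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEEXAMPLE00"},
     "requestParameters": {"groupName": "placeholder-sg-b"},
     "responseElements": {"groupId": "sg-0bbb"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "recipientAccountId": "111111111111",
     "requestParameters": {"groupId": "sg-0bbb"}},
    {"eventName": "CreateRole", "recipientAccountId": "111111111111",
     "requestParameters": {"roleName": "placeholder-role", "assumeRolePolicyDocument": json.dumps(
         {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                         "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]})}},
]
RULE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"}

def empty_security_groups(events):
    """(groupId, made_with_long_term_key) for groups that never received a rule event."""
    with_rules = {(e.get("requestParameters") or {}).get("groupId")
                  for e in events if e["eventName"] in RULE_EVENTS}
    hits = []
    for e in events:
        gid = (e.get("responseElements") or {}).get("groupId")  # None when the call failed
        if e["eventName"] == "CreateSecurityGroup" and gid and gid not in with_rules:
            key = e.get("userIdentity", {}).get("accessKeyId", "")
            hits.append((gid, key.startswith("AKIA")))  # AKIA = long-term IAM user key
    return hits

def cross_account_roles(events):
    """(roleName, foreign_account_id) for new roles whose trust policy names another account."""
    hits = []
    for e in events:
        if e["eventName"] != "CreateRole" or not e.get("requestParameters"):
            continue
        stmts = json.loads(e["requestParameters"]["assumeRolePolicyDocument"]).get("Statement", [])
        for stmt in [stmts] if isinstance(stmts, dict) else stmts:
            principal = stmt.get("Principal")
            aws = principal.get("AWS", []) if isinstance(principal, dict) else []
            for arn in [aws] if isinstance(aws, str) else aws:
                m = re.search(r"\d{12}", arn)
                if m and m.group() != e["recipientAccountId"]:
                    hits.append((e["requestParameters"]["roleName"], m.group()))
    return hits
```

Both functions produce hunting leads rather than verdicts: a group whose rules are added outside the log window, or a legitimate cross-account role, will also be returned.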
Cloud Security, Phishing, Threat Intelligence
Misconfigured AWS environments exploited to facilitate phishing
