Hackers Leverage AWS Misconfigurations to Execute Phishing Attacks Using SES and WorkMail

Amazon Web Services Targeted in Phishing Campaigns by Threat Group TGR-UNK-0011

Recent investigations by Palo Alto Networks’ Unit 42 have unveiled alarming activities targeting Amazon Web Services (AWS). The threat group known as TGR-UNK-0011, which has been active since 2019, is leveraging misconfigurations within AWS environments to execute sophisticated phishing campaigns. This group overlaps with the previously identified actor known as JavaGhost, which historically focused on website defacements before pivoting to financially motivated phishing in 2022.

The cybersecurity firm has noted that these attacks do not exploit inherent vulnerabilities within AWS itself. Instead, the attackers capitalize on misconfigured environments that inadvertently expose AWS access keys. With those keys, the threat actors send phishing messages through Amazon’s Simple Email Service (SES) and WorkMail; because the mail originates from a legitimate AWS service, it can bypass conventional email protections.

According to security researcher Margaret Kelley, once access to an AWS account is achieved, attackers generate temporary credentials to facilitate console access. This process not only conceals their identities but also offers insights into the resources available within the AWS environment. The group has also been observed creating various IAM (Identity and Access Management) users, some of which remain dormant as long-term persistence mechanisms.

The group’s evasion techniques have reportedly evolved over time, allowing it to obscure its identity in CloudTrail logs. This approach is reminiscent of tactics previously used by other threat actors such as Scattered Spider. Once access is established, the group systematically sets up new SES and WorkMail users and generates SMTP credentials for sending phishing emails.

Moreover, TGR-UNK-0011’s operational methodology includes creating IAM roles equipped with trust policies that allow access from other AWS accounts under the group’s control. Such cross-account trust relationships illustrate a malicious level of sophistication, deeply embedding the group’s presence within an organization’s AWS infrastructure.

In a striking signature move, the group frequently creates Amazon Elastic Compute Cloud (EC2) security groups named “Java_Ghost,” with descriptions reading “There But Not Visible.” These groups, often devoid of security rules and not linked to any resources, serve primarily to leave a trace in the CloudTrail logs.
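Two of the artifacts described above (the cross-account trust policies and the “Java_Ghost” security groups) are visible in CloudTrail. The following detection logic is an added example, not code from Unit 42 or from the article; it runs over constructed CloudTrail-style records (field names follow CloudTrail’s real schema, but the events, account IDs and role names are made up) and flags both indicators.

```python
import json
import re
from urllib.parse import unquote

OWN_ACCOUNT = "123456789012"  # constructed ID of the account being monitored
ACCOUNT_ID_RE = re.compile(r"\b\d{12}\b")  # matches a 12-digit AWS account ID

def _rec(source, name, params):  # constructed CloudTrail-style record, reduced to the inspected fields
    return {"eventSource": source, "eventName": name,
            "recipientAccountId": OWN_ACCOUNT, "requestParameters": params}

def _trust(principal):  # build an assume-role (trust) policy document as CloudTrail logs it
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}]})

SAMPLE_RECORDS = [  # constructed sample telemetry, not from any real account
    _rec("ec2.amazonaws.com", "CreateSecurityGroup",
         {"groupName": "Java_Ghost", "groupDescription": "There But Not Visible"}),
    _rec("iam.amazonaws.com", "CreateRole", {"roleName": "backup-role",
         "assumeRolePolicyDocument": _trust({"AWS": "arn:aws:iam::999988887777:root"})}),
    _rec("iam.amazonaws.com", "CreateRole", {"roleName": "lambda-role",
         "assumeRolePolicyDocument": _trust({"Service": "lambda.amazonaws.com"})}),
    _rec("ec2.amazonaws.com", "CreateSecurityGroup",
         {"groupName": "web-sg", "groupDescription": "web tier"}),
]

def foreign_trusted_accounts(record):
    """Account IDs other than the record's own that an Allow statement in a CreateRole
    trust policy permits to assume the role. CloudTrail URL-encodes the document."""
    doc = unquote(record["requestParameters"].get("assumeRolePolicyDocument", ""))
    own, found = record["recipientAccountId"], set()
    for stmt in (json.loads(doc).get("Statement", []) if doc else []):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in ([aws] if isinstance(aws, str) else aws):
            if stmt.get("Effect") == "Allow":
                found.update(a for a in ACCOUNT_ID_RE.findall(arn) if a != own)
    return sorted(found)

def find_javaghost_indicators(records):
    """Flag the calling-card security group and roles whose trust policy admits outside accounts."""
    findings = []
    for r in records:
        p, key = r.get("requestParameters", {}), (r["eventSource"], r["eventName"])
        if key == ("ec2.amazonaws.com", "CreateSecurityGroup") and (
                p.get("groupName") == "Java_Ghost" or p.get("groupDescription") == "There But Not Visible"):
            findings.append(("calling-card-security-group", p.get("groupName")))
        elif key == ("iam.amazonaws.com", "CreateRole") and (foreign := foreign_trusted_accounts(r)):
            findings.append(("cross-account-trust-role", p.get("roleName"), tuple(foreign)))
    return findings
```

A cross-account trust is not malicious by itself; the role finding should be compared against the list of accounts the organization legitimately federates with.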

These findings matter for any business running on AWS. Understanding the risks associated with misconfigurations and implementing robust security practices is imperative in safeguarding against such threat actors. With the group’s tactics mapped to the MITRE ATT&CK framework, ranging from initial access and persistence to privilege escalation, it’s essential for business owners to remain vigilant and proactive in their cybersecurity strategies.

As the landscape of cyber threats continues to evolve, staying informed on such incidents is essential. Cybersecurity measures must adapt accordingly to mitigate risks and build resilience against evolving adversarial tactics.
