AWS Phishing Exploits
Threat actors are exploiting AWS misconfigurations to run phishing campaigns through Amazon Simple Email Service (SES) and WorkMail. Tracked as TGR-UNK-0011 (JavaGhost), the group started out defacing websites and pivoted to phishing for financial gain in 2022. It does not exploit a vulnerability in AWS itself: it obtains exposed long-lived IAM access keys, uses them to enter victim accounts, and then sends phishing email from the victim's own AWS resources, so the messages arrive from a sender the targets already know and slip past email security controls.
Once inside, JavaGhost mints temporary credentials and a console login URL so that its activity is harder to tie back to the stolen key while it enumerates the account. It creates SES and WorkMail users together with SMTP credentials and uses them to distribute phishing messages. It also creates several IAM users, some used in the active campaign and others apparently set aside for long-term persistence. For further staying power, JavaGhost creates IAM roles whose trust policies allow AWS accounts under the attackers' control to assume them.
A distinctive hallmark of the operation is the creation of EC2 security groups named "Java_Ghost" with the description "We Are There But Not Visible." These groups contain no rules and are not attached to any resource, but the API calls that create them are still recorded in CloudTrail. The campaign underscores the need for strong IAM hygiene, regular audits of users, roles and trust policies, and protection of access keys to keep an AWS environment from being turned into phishing infrastructure.
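Because every step above leaves a CloudTrail record, a simple first-pass detection is possible. The following script is an added example, not code from the article or from Unit 42, and runs over a handful of constructed CloudTrail-style records (the account IDs, user names and event IDs are placeholders). It flags the four patterns the summary describes: a marker security group, a CreateRole whose trust policy names an account other than the home account, a GetFederationToken call made with a long-lived IAM user key (the usual way to obtain temporary credentials plus a console login URL, assumed here as the mechanism), and newly created IAM users or access keys that may be persistence.

```python
import json
import re
from urllib.parse import unquote

# Constructed placeholder: the account whose CloudTrail is being reviewed.
HOME_ACCOUNT = "111111111111"

ACCOUNT_RE = re.compile(r"\b(\d{12})\b")


def trust_policy_accounts(request_params):
    """Return the set of AWS account ids named as principals in a CreateRole
    AssumeRolePolicyDocument. CloudTrail stores the document as a
    (possibly URL-encoded) JSON string, so decode before parsing."""
    doc = request_params.get("assumeRolePolicyDocument")
    if not doc:
        return set()
    if isinstance(doc, str):
        doc = json.loads(unquote(doc))
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    accounts = set()
    for stmt in statements:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        for arn in aws:
            accounts.update(ACCOUNT_RE.findall(arn))
    return accounts


def scan(records, home_account=HOME_ACCOUNT):
    """Return (rule, eventID, detail) tuples for records that match the
    tradecraft described above. Matching is deliberately simple; tune the
    rules to your own baseline before alerting on them."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity") or {}
        if name == "CreateSecurityGroup":
            gname = params.get("groupName", "")
            desc = params.get("groupDescription", "")
            if "java_ghost" in gname.lower() or "not visible" in desc.lower():
                findings.append(("marker_security_group", rec["eventID"], gname))
        elif name == "CreateRole":
            # A trust policy naming any account other than our own is a
            # cross-account backdoor candidate.
            foreign = sorted(trust_policy_accounts(params) - {home_account})
            if foreign:
                findings.append(("cross_account_trust", rec["eventID"], ",".join(foreign)))
        elif name == "GetFederationToken" and identity.get("type") == "IAMUser":
            # Temporary credentials and a console sign-in URL minted from a
            # long-lived IAM user key rather than via SSO or role assumption.
            findings.append(("federation_from_user_key", rec["eventID"],
                             identity.get("userName", "")))
        elif name in ("CreateUser", "CreateAccessKey"):
            findings.append(("new_iam_principal", rec["eventID"],
                             params.get("userName", "")))
    return findings


# Constructed sample records (trimmed to the fields the scanner reads).
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventName": "CreateSecurityGroup",
     "userIdentity": {"type": "IAMUser", "userName": "ops"},
     "requestParameters": {"groupName": "web-sg", "groupDescription": "web tier"}},
    {"eventID": "evt-2", "eventName": "CreateSecurityGroup",
     "userIdentity": {"type": "IAMUser", "userName": "ops"},
     "requestParameters": {"groupName": "Java_Ghost",
                           "groupDescription": "We Are There But Not Visible"}},
    {"eventID": "evt-3", "eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "userName": "ops"},
     "requestParameters": {"roleName": "support-role", "assumeRolePolicyDocument":
         json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
             "Action": "sts:AssumeRole"}]})}},
    {"eventID": "evt-4", "eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "userName": "ops"},
     "requestParameters": {"roleName": "app-role", "assumeRolePolicyDocument":
         json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
             "Action": "sts:AssumeRole"}]})}},
    {"eventID": "evt-5", "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "ops"},
     "requestParameters": {"name": "console-session"}},
    {"eventID": "evt-6", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "ops"},
     "requestParameters": {"userName": "backup-svc"}},
]

if __name__ == "__main__":
    for rule, event_id, detail in scan(SAMPLE_RECORDS):
        print(f"{rule:26} {event_id:8} {detail}")
```

On real data, feed the script the `Records` array of a CloudTrail log file (or a CloudTrail Lake / Athena export) and replace the placeholder home account with your own; a CreateRole whose trust policy points at an account you do not own is worth an immediate look even when nothing else fires.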
Lakshmanan, Ravie. 2025. “Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail.” The Hacker News. Mar. 3.
READ: https://bit.ly/3XnFq07