Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail
Briefly

Palo Alto Networks Unit 42 has identified a threat group, TGR-UNK-0011, that has shifted its focus from website defacement to orchestrating phishing attacks via Amazon Web Services (AWS). The group, active since 2019, takes advantage of misconfigurations in AWS environments, specifically ones that expose access keys. With those keys, the group sends phishing emails through legitimate AWS services, which lets the messages bypass email protections. Its activities have become more sophisticated: it employs tactics to obfuscate its actions within the cloud environment and mimics trusted communications to better deceive victims.
Threat actors are targeting AWS environments to push phishing campaigns, exploiting misconfigurations in victim environments rather than vulnerabilities.
Since 2022, the group TGR-UNK-0011 has evolved from website defacement to phishing for financial gain, utilizing AWS services without hosting its own infrastructure.
JavaGhost is leveraging exposed AWS access keys to gain entry, then using advanced techniques to hide their actions from security logs.
By using legitimate AWS services, attackers can avoid detection and sidestep email security measures, sending phishing messages that seem credible to targets.
Read at The Hacker News