Cybercriminals have discovered a new avenue to launch phishing campaigns, exploiting the Amazon Web Services (AWS) environment. Palo Alto Networks Unit 42 has uncovered a disturbing trend where threat actors are targeting AWS systems to send phishing emails, leveraging misconfigured environments and AWS services like Simple Email Service (SES) and WorkMail. These attacks do not hinge on exploiting AWS vulnerabilities but rather capitalize on unprotected access keys. This shift in tactics has raised concerns, especially given that these campaigns could bypass common email security measures.
The Findings
Palo Alto Networks Unit 42 has been tracking a cybercriminal group named TGR-UNK-0011 (associated with JavaGhost) that has been active since 2019. Initially, this group was focused on defacing websites, but in 2022, it pivoted to launching phishing attacks aimed at financial gain. Instead of exploiting vulnerabilities within AWS, the attackers are taking advantage of misconfigurations in AWS environments that expose access keys. By using AWS services like SES and WorkMail, the attackers can send phishing messages that appear to come from legitimate sources, thus evading email security systems.
The group, also known as JavaGhost, accesses AWS environments through compromised IAM (Identity and Access Management) users, exploiting exposed long-term access keys. Over time, their tactics have become more sophisticated, with advanced methods to hide their identities in AWS CloudTrail logs. This allows them to bypass detection and maintain access to the targeted systems. Furthermore, the attackers create new IAM users, generate temporary credentials, and use new roles to establish persistence and continue their activities.
What Undercode Says:
The attack by TGR-UNK-0011, also identified as JavaGhost, underscores a significant shift in how cybercriminals are leveraging cloud infrastructures for their campaigns. Traditionally, AWS-related threats have been associated with exploiting cloud vulnerabilities or misconfigured security settings. However, the TGR-UNK-0011 group’s approach takes advantage of poor key management and misconfigurations in IAM policies.
This tactic is particularly alarming because it circumvents traditional security mechanisms. By using AWS’s own services like SES and WorkMail to distribute phishing emails, the attackers can appear as trusted senders, bypassing spam filters and other security measures that would typically flag suspicious messages. The subtlety of this method—hiding behind services that legitimate users would recognize—makes detection more challenging.
The fact that these attacks are rooted in human error, rather than flaws in AWS’s infrastructure, indicates a broader issue of weak cloud security practices across organizations. Misconfigurations that expose access keys, whether due to poor password management or lack of attention to security best practices, are fertile ground for attackers to gain unauthorized access.
As the attackers evolve, they are also improving their techniques to evade detection. The use of IAM users that aren’t actively employed in the attack but instead serve as long-term persistence mechanisms is particularly troubling. These users don’t generate alarms but allow the attackers to maintain access indefinitely, even if the primary method of attack is discovered. Moreover, by creating roles with trust policies, the attackers can pivot between different AWS accounts, making it harder to track the origin of the intrusion.
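The persistence and mail-abuse steps described above all leave CloudTrail records, which is where a defender can look for them. The following Python detector is an added example, not code from Unit 42 or from the report: it runs a few rules over constructed, abridged CloudTrail-style events (IAM user and key creation, SES probing, and a CreateRole whose trust policy admits another AWS account). Event names, the sample account IDs and the user name "ci-deploy" are assumptions made for the example.

```python
import json

# Constructed, abridged CloudTrail-style records used as sample input; not telemetry from the report.
OWN_ACCOUNT = "111111111111"
TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})
def ev(time, source, name, params):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}, "requestParameters": params}
SAMPLE_EVENTS = [
    ev("2025-03-01T10:00:00Z", "iam.amazonaws.com", "CreateUser", {"userName": "backup-svc"}),
    ev("2025-03-01T10:01:00Z", "iam.amazonaws.com", "CreateRole", {"roleName": "support-role", "assumeRolePolicyDocument": TRUST}),
    ev("2025-03-01T10:02:00Z", "ses.amazonaws.com", "GetSendQuota", None),
    ev("2025-03-01T11:00:00Z", "s3.amazonaws.com", "GetObject", {"bucketName": "assets"}),
]

# Control-plane calls matching the persistence and mail-abuse steps described above; a hit is a lead, not proof.
WATCHED = {
    ("iam.amazonaws.com", "CreateUser"): "new IAM user created (possible persistence)",
    ("iam.amazonaws.com", "CreateAccessKey"): "new long-term access key issued",
    ("ses.amazonaws.com", "GetSendQuota"): "SES sending capacity probed",
    ("ses.amazonaws.com", "VerifyEmailIdentity"): "SES sender identity added",
}

def foreign_principals(policy_json, own_account):
    # Account IDs (bare or inside an ARN) allowed to assume the role, minus our own account.
    statements = json.loads(policy_json).get("Statement", [])
    found = set()
    for st in [statements] if isinstance(statements, dict) else statements:
        aws = st.get("Principal", {}).get("AWS", []) if isinstance(st.get("Principal"), dict) else []
        for p in [aws] if isinstance(aws, str) else aws:
            acct = p.split(":")[4] if p.startswith("arn:") else p
            if st.get("Effect") == "Allow" and acct != own_account:
                found.add(acct)
    return sorted(found)

def detect(events, own_account):
    # Returns (eventTime, actor, reason) triples that deserve an analyst's attention.
    findings = []
    for rec in events:
        key = (rec["eventSource"], rec["eventName"])
        actor = rec["userIdentity"].get("userName", "unknown")
        if key in WATCHED:
            findings.append((rec["eventTime"], actor, WATCHED[key]))
        elif key == ("iam.amazonaws.com", "CreateRole"):
            doc = (rec.get("requestParameters") or {}).get("assumeRolePolicyDocument", "{}")
            ext = foreign_principals(doc, own_account)
            if ext:  # cross-account trust is what enables the pivot noted above
                findings.append((rec["eventTime"], actor, "role trusts external account(s) " + ",".join(ext)))
    return findings
```

On the sample input the benign S3 read produces nothing, while the user creation, the externally trusted role and the SES quota probe each yield a finding.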
JavaGhost’s ability to make modifications in AWS services like SES, WorkMail, and EC2, while avoiding detection, signals an alarming new phase in the sophistication of cloud-based phishing campaigns. They are not just taking advantage of simple misconfigurations—they are leveraging AWS’s own tools to further obfuscate their actions. As the group continues to evolve, the risks of these attacks become more pronounced, and the potential for widespread damage increases.
Fact Checker Results:
- The attacks are conducted through AWS services such as SES and WorkMail, not through any AWS vulnerabilities.
- The group has been active since 2019 and has evolved its tactics from website defacement to phishing campaigns.
- Misconfigured IAM roles and exposed access keys are the main vectors for the attackers’ entry into the AWS environment.
References:
Reported By: https://thehackernews.com/2025/03/hackers-exploit-aws-misconfigurations.html