Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail: What You Need to Know
By: Ravie Lakshmanan
Published: March 3, 2025
As we navigate the ever-evolving threat landscape, it’s imperative to stay informed about the latest tactics, techniques, and procedures (TTPs) used by threat actors. In this article, we’ll explore a concerning trend: hackers exploiting AWS misconfigurations to launch phishing attacks via SES (Simple Email Service) and WorkMail.
The Rise of TGR-UNK-0011: A Threat Group with Unknown Motivation
Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns, according to findings from Palo Alto Networks Unit 42. The activity cluster is tracked as TGR-UNK-0011, a threat group with unknown motivation that has been active since 2019.
From Defacing to Phishing: The Evolution of JavaGhost
JavaGhost, the name under which TGR-UNK-0011 is also known, historically focused on defacing websites. In 2022, however, the group shifted its attention to sending phishing emails for financial gain, adopting advanced defense evasion techniques to obfuscate its identity in CloudTrail logs.
How Hackers Exploit AWS Misconfigurations
These attacks do not exploit any vulnerability in AWS. Instead, the attackers target misconfigurations in victims’ environments that expose AWS access keys. With those keys, they launch phishing campaigns via SES and WorkMail, sidestepping email protections because the messages come from a sender the target organization has previously received legitimate email from.
Abusing Amazon SES and WorkMail
Once the attackers gain access to an organization’s AWS account, they generate temporary credentials and a login URL that enable console access, which obfuscates their identity and gives them visibility into the resources within the account. They then create new SES and WorkMail users and set up new SMTP credentials to send email messages. The email-sending itself often leaves no trail in the CloudTrail logs.
Long-Term Persistence: The IAM Role and EC2 Security Groups
Operators should be aware of the group’s penchant for creating unused IAM users, which serve as long-term persistence mechanisms. These users are created alongside new IAM roles with attached trust policies that permit access to the organization’s AWS account from another AWS account under the attackers’ control. Notably, the group leaves a calling card in the midst of its attacks, creating new Amazon Elastic Compute Cloud (EC2) security groups named "Java_Ghost," designed to serve as a red herring.
Protect Your AWS Environment: Best Practices
To prevent these attacks, implement the following best practices:
- Monitor CloudTrail logs: Regularly review CloudTrail logs to detect and respond to suspicious activity.
- Use IAM roles: Limit IAM role access to trusted services and enforce MFA (Multi-Factor Authentication).
- Secure AWS access keys: Limit the use of AWS access keys and use alternative authentication methods, such as IAM roles.
- Configure SES and WorkMail: Set up SES and WorkMail configurations to restrict access and block suspicious mail traffic.
- Keep software up to date: Regularly update software and plugins to prevent exploitation of known vulnerabilities.
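The detection side of the behaviour described in the SES/WorkMail and persistence sections above, and of the "Monitor CloudTrail logs" recommendation, can be made concrete. The following is an added example, not code from the article or from Unit 42: it runs a handful of rules over constructed CloudTrail records and flags the patterns the article names (temporary credentials used for console access, a new IAM user immediately given an access key, a role trust policy that admits a foreign account, and a security group named "Java_Ghost"). The account IDs, IP addresses, user and role names are placeholders; `GetFederationToken` is assumed here as the call that yields temporary credentials exchangeable for a console sign-in URL, since the article does not name the API. The rule that pairs `CreateUser` with `CreateAccessKey` rests on the fact that SES SMTP credentials are derived from an IAM access key.

```python
"""Flag JavaGhost-style CloudTrail events (added example; constructed data).

The sample records below are constructed for this example and are not real
indicators. Account IDs, IPs and names are placeholders.
"""
import json
import re
from urllib.parse import quote, unquote

ACCOUNT_ID_RE = re.compile(r"\b\d{12}\b")

# Placeholder account IDs: the victim account and an attacker-controlled one.
OWN_ACCOUNT = "111111111111"
FOREIGN_ACCOUNT = "222222222222"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_accounts(policy_document):
    """Return the account IDs (or '*') allowed to assume a role.

    CloudTrail stores assumeRolePolicyDocument / policyDocument as a
    URL-encoded JSON string, so it is decoded before parsing.
    """
    policy = json.loads(unquote(policy_document))
    accounts = set()
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        if principal == "*":
            accounts.add("*")
            continue
        # Service principals (e.g. ec2.amazonaws.com) carry no account ID.
        for entry in _as_list(principal.get("AWS")):
            if entry == "*":
                accounts.add("*")
            else:
                accounts.update(ACCOUNT_ID_RE.findall(entry))
    return accounts


def detect(events):
    """Run the four rules over a batch of CloudTrail records.

    Returns a list of findings in event order; each finding is a dict with
    the rule name, the triggering eventName and a short detail string.
    """
    findings = []
    # Users created in this batch; a key issued to one of them is suspicious.
    created_users = {
        e.get("requestParameters", {}).get("userName")
        for e in events if e["eventName"] == "CreateUser"
    }
    for e in events:
        name = e["eventName"]
        params = e.get("requestParameters") or {}
        own = e["recipientAccountId"]
        if name == "GetFederationToken":
            # Temporary credentials that can be turned into a console login URL.
            findings.append({"rule": "federation_token", "eventName": name,
                             "detail": f"by {e['userIdentity'].get('userName')} "
                                       f"from {e.get('sourceIPAddress')}"})
        elif name == "CreateAccessKey" and params.get("userName") in created_users:
            findings.append({"rule": "new_user_with_key", "eventName": name,
                             "detail": f"user {params['userName']} created and keyed "
                                       "in the same batch (SMTP credentials derive "
                                       "from an access key)"})
        elif name in ("CreateRole", "UpdateAssumeRolePolicy"):
            doc = params.get("assumeRolePolicyDocument") or params.get("policyDocument", "{}")
            foreign = {a for a in trust_policy_accounts(doc) if a != own}
            if foreign:
                findings.append({"rule": "cross_account_trust", "eventName": name,
                                 "detail": f"role {params.get('roleName')} trusts "
                                           f"{', '.join(sorted(foreign))}"})
        elif name == "CreateSecurityGroup" and "java_ghost" in params.get("groupName", "").lower():
            findings.append({"rule": "javaghost_calling_card", "eventName": name,
                             "detail": f"security group {params['groupName']}"})
    return findings


def _event(source, name, identity_type, identity_name, params):
    """Build a minimal constructed CloudTrail record (placeholder values)."""
    return {"eventSource": source, "eventName": name,
            "recipientAccountId": OWN_ACCOUNT, "sourceIPAddress": "198.51.100.23",
            "userIdentity": {"type": identity_type, "userName": identity_name},
            "requestParameters": params}


def _trust_doc(principal):
    """URL-encode a trust policy the way CloudTrail records it."""
    return quote(json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}))


# Constructed sample batch: the four suspicious patterns plus two benign events.
SAMPLE_EVENTS = [
    _event("sts.amazonaws.com", "GetFederationToken", "IAMUser", "deploy-bot", {"name": "console-session"}),
    _event("iam.amazonaws.com", "CreateUser", "FederatedUser", "console-session", {"userName": "ses-smtp-user"}),
    _event("iam.amazonaws.com", "CreateAccessKey", "FederatedUser", "console-session", {"userName": "ses-smtp-user"}),
    _event("iam.amazonaws.com", "CreateRole", "FederatedUser", "console-session",
           {"roleName": "backup-sync",
            "assumeRolePolicyDocument": _trust_doc({"AWS": f"arn:aws:iam::{FOREIGN_ACCOUNT}:root"})}),
    _event("ec2.amazonaws.com", "CreateSecurityGroup", "FederatedUser", "console-session",
           {"groupName": "Java_Ghost", "groupDescription": "placeholder"}),
    _event("iam.amazonaws.com", "CreateRole", "IAMUser", "deploy-bot",
           {"roleName": "app-instance-role",
            "assumeRolePolicyDocument": _trust_doc({"Service": "ec2.amazonaws.com"})}),
    _event("ec2.amazonaws.com", "RunInstances", "IAMUser", "deploy-bot", {"instanceType": "t3.micro"}),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['eventName']}: {f['detail']}")
```

The benign `CreateRole` with a service principal and the `RunInstances` record exercise the negative path: a trust policy that names no foreign account produces nothing. In a real deployment the same rules would run over CloudTrail records delivered to S3 or CloudWatch Logs rather than over an in-memory list.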
Conclusion
Hackers are exploiting AWS misconfigurations to launch phishing attacks via SES and WorkMail. By understanding the tactics, techniques, and procedures employed by TGR-UNK-0011 (JavaGhost), operators can take proactive measures to prevent these attacks. As the threat landscape evolves, it’s essential to stay informed and adapt to counter these threats.