Summary

  • Palo Alto Networks has uncovered a new threat actor it calls JavaGhost, which targets AWS users by exploiting misconfigurations and insecurely exposed access keys.
  • The group carried out multiple attacks between 2022 and 2024 and evolved its tactics toward more advanced defense evasion techniques that attempt to obfuscate identities in CloudTrail logs.
  • They obtain exposed long-term access keys associated with identity and access management (IAM) users, which give them initial access to an AWS environment.
  • Upon entering an organization’s AWS environment with the compromised access key, the threat actors do not perform the application programming interface (API) call GetCallerIdentity.
  • Instead, the group makes different first API calls, such as GetServiceQuota, GetSendQuota, and GetAccount, for its initial interaction with a compromised AWS account.
  • The attack leveraged overly permissive IAM permissions to send phishing messages through the victim’s Amazon SES and WorkMail services.
  • The threat actor creates an AWS WorkMail [Organization](https://docs.aws.amazon.com/workmail/latest/adminguide/organizations_overview.
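The "first API call" behaviour described above is a usable detection signal: for each access key seen in CloudTrail, look at the earliest recorded event and flag keys whose first action is a quota or account probe rather than the usual GetCallerIdentity. The script below is an added example, not code from the Unit 42 write-up; the CloudTrail records are constructed samples in CloudTrail's JSON shape, and the access key IDs are placeholders.

```python
"""Flag access keys whose first recorded CloudTrail call matches the
quota/account-probe pattern attributed to JavaGhost.

Added example; the events below are constructed sample records and the
access key IDs are placeholders, not real identifiers.
"""

# Constructed CloudTrail records (deliberately out of time order to show
# that the detection sorts by eventTime before picking the first call).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0001", "userName": "deploy"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0001", "userName": "deploy"}},
    {"eventTime": "2024-05-02T03:11:30Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetAccount",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0002", "userName": "ci-bot"}},
    {"eventTime": "2024-05-02T03:10:12Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0002", "userName": "ci-bot"}},
    {"eventTime": "2024-05-03T22:40:00Z", "eventSource": "servicequotas.amazonaws.com",
     "eventName": "GetServiceQuota",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0003", "userName": "backup"}},
    {"eventTime": "2024-05-03T22:41:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0003", "userName": "backup"}},
]

# First-call API names named in the summary above.
SUSPICIOUS_FIRST_CALLS = {"GetServiceQuota", "GetSendQuota", "GetAccount"}


def first_call_per_key(events):
    """Return {accessKeyId: eventName} for the earliest event per access key.

    eventTime is ISO-8601 in UTC, so a plain string sort gives time order.
    Events without an accessKeyId (e.g. AWS service events) are skipped.
    """
    first = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key and key not in first:
            first[key] = ev["eventName"]
    return first


def flag_suspicious_keys(events):
    """Return sorted access key IDs whose first recorded call is one of the
    quota/account probes rather than GetCallerIdentity."""
    return sorted(
        key for key, name in first_call_per_key(events).items()
        if name in SUSPICIOUS_FIRST_CALLS
    )


if __name__ == "__main__":
    for key in flag_suspicious_keys(SAMPLE_EVENTS):
        print(f"review key {key}: first call {first_call_per_key(SAMPLE_EVENTS)[key]}")
```

The result is a triage signal, not a verdict: the check only sees keys whose first activity falls inside the exported window, and some legitimate mail tooling also calls GetSendQuota on startup, so flagged keys should be correlated with the key's known owner and source IP before any response.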

By Margaret Kelley

Original Article