JavaGhost: Exploiting Amazon IAM Permissions for Phishing Attacks

Unit 42 researchers have observed a threat actor group known as JavaGhost exploiting misconfigurations in Amazon Web Services (AWS) environments to conduct sophisticated phishing campaigns.

Active for over five years, JavaGhost has pivoted from website defacement to leveraging compromised cloud infrastructure for financial gain.

The group’s attacks stem from exposed long-term AWS access keys, which they use to gain initial access to victim environments.

JavaGhost has demonstrated increasing sophistication, employing advanced evasion techniques typically associated with more notorious threat actors like Scattered Spider.

Phishing Infrastructure Setup

Upon gaining access, JavaGhost establishes phishing infrastructure using Amazon Simple Email Service (SES) and WorkMail.

The attackers create multiple email identities, configure DKIM settings, and modify Mail-from attributes.

They also set up WorkMail organizations and users, generating various SES and AWS Directory Service events in CloudTrail logs.

To send phishing emails, JavaGhost creates new SMTP credentials, resulting in the generation of new IAM users with specific permissions.

When preexisting SES infrastructure is available, the group leverages it, leaving minimal traces in CloudTrail logs unless dataplane logging is enabled.

Identity and Access Management Exploitation

JavaGhost creates various IAM users, some actively used in attacks and others seemingly for long-term persistence.

According to Unit 42 Report, these users are typically granted AdministratorAccess policy and console access.

In recent attacks, the group has evolved to using IAM roles with trust policies, allowing access from attacker-controlled AWS accounts.

The attackers also attempt to leave AWS Organizations and enable all AWS regions not enabled by default, potentially to evade security controls.

These actions generate detectable events in CloudTrail logs, providing opportunities for threat detection and response.

As JavaGhost continues to refine its tactics, organizations must remain vigilant.

Implementing least privilege access, rotating IAM credentials regularly, using short-term access tokens, enabling multi-factor authentication, and leveraging cloud security posture management tools are crucial mitigations against such threats.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.