
JavaGhost Exploits Amazon IAM Permissions for Phishing Attacks


The threat group tracked as JavaGhost has been observed abusing leaked Amazon Web Services (AWS) credentials and overly permissive Identity and Access Management (IAM) permissions to run phishing campaigns out of victims' own cloud accounts.

Active since 2019, this group initially focused on website defacement but shifted to cloud-based phishing attacks in 2022.

Researchers at Unit 42 have tracked the group’s evolution, noting its increasing use of advanced evasion techniques and persistent tactics to compromise cloud environments.

Figure: IAM group details once the IAM group already exists.

AWS Misconfigurations Enable Phishing Infrastructure

JavaGhost’s attacks exploit leaked long-term AWS access keys, which allow unauthorized access to victim organizations’ cloud environments.

These credentials enable the group to misuse AWS services like Simple Email Service (SES) and WorkMail for phishing campaigns.

Because the messages are sent through the victim's own verified SES identities and domains, they pass the sender checks that receiving mail systems apply, and the phishing emails appear to originate from a legitimate source inside the victim's organization.

This strategy not only avoids detection but also eliminates costs for the attackers, as they utilize the victim’s cloud resources.

The group first probes what the stolen key can do with read-only API calls such as GetServiceQuota and SES GetSendQuota, which reveal the account's sending limits and service quotas without performing any write action that commonly triggers security alerts.

Once inside, they call the STS GetFederationToken API to mint temporary credentials, which can be exchanged for a console sign-in URL; subsequent activity is then logged under a federated-user session rather than directly against the stolen IAM user, helping to obscure the link back to the leaked key.

These methods demonstrate a level of sophistication previously associated with advanced threat actors like Scattered Spider.

Phishing Campaign Setup and Execution

To establish their phishing infrastructure, JavaGhost configures SES email identities and modifies DomainKeys Identified Mail (DKIM) settings to authenticate outgoing emails.

They also manipulate SES Virtual Deliverability Manager (VDM) attributes and create SMTP credentials (which in SES are derived from an IAM user's access key) for sending bulk phishing emails.

In some cases, they set up Amazon WorkMail organizations and users to further legitimize their operations.

The group’s activities leave detectable traces in AWS CloudTrail logs, including events like CreateEmailIdentity, PutEmailIdentityDkimAttributes, and CreateUser.

However, many victim organizations lack adequate logging configurations for SES data events, limiting their ability to detect these attacks proactively.

JavaGhost establishes persistence within compromised environments in ways that outlive the initial credential.

For instance, they create IAM users with administrative privileges, or configure IAM roles whose trust policies name an attacker-controlled AWS account as the principal, so the attackers can assume the role cross-account from infrastructure they own.

These roles serve as backdoors, enabling long-term access even if initial credentials are revoked.
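A trust policy that names a foreign account is easy to miss in a large account, so the following added example (my code, not Unit 42's or the page's) checks a role's trust policy against an allowlist of account IDs the organization owns. The account IDs and the sample policy are constructed; the allowlist is an assumption you would replace with your organization's real accounts.

```python
import json

# Constructed allowlist: the AWS accounts this organization owns (assumption,
# not taken from the report).  Any other account in a trust policy is foreign.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed sample trust policy: one legitimate in-org principal plus a
# backdoor statement trusting an account the organization does not own.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/deploy"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::333333333333:root"]},
         "Action": "sts:AssumeRole"},
    ],
}


def _principal_entries(principal):
    """Yield (kind, value) for every principal in a statement; "*" means anyone."""
    if principal == "*":
        yield ("wildcard", "*")
        return
    for kind, values in principal.items():
        if isinstance(values, str):
            values = [values]
        for value in values:
            yield (kind, value)


def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> field 4 is the account
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def find_foreign_trusts(trust_policy, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return findings for Allow statements that let a principal outside
    trusted_accounts (or anyone at all) assume the role."""
    findings = []
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be bare
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for kind, value in _principal_entries(stmt.get("Principal", {})):
            if kind == "wildcard" or value == "*":
                findings.append(("anyone", value))
            elif kind == "AWS":
                # Bare 12-digit account IDs are allowed as well as full ARNs.
                account = value if value.isdigit() else _account_of(value)
                if account not in trusted_accounts:
                    findings.append(("foreign-account", value))
            # Service principals (ec2.amazonaws.com etc.) are not account-bound
            # and are left alone here; Federated principals need their own rules.
    return findings


if __name__ == "__main__":
    for kind, principal in find_foreign_trusts(SAMPLE_TRUST_POLICY):
        print(f"{kind}: {principal}")
```

The same check applies to the policy document carried in CloudTrail CreateRole and UpdateAssumeRolePolicy events once it has been decoded, so it can run both as a periodic audit over `iam:ListRoles` output and as a detection on new events. Condition keys such as `sts:ExternalId` are ignored here; a foreign principal is still worth a look even when one is present.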

In addition, the group creates symbolic artifacts such as Amazon EC2 security groups named “Java_Ghost” with descriptions like “We Are There But Not Visible,” matching their slogan on historical websites.

Figure: Historic JavaGhost website.

According to the report, these security groups are not attached to any resources; they serve purely as a calling card for the attackers.
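The intrusion described above leaves a recognizable sequence in CloudTrail management events: read-only recon calls (GetSendQuota, GetServiceQuota), GetFederationToken, SES identity and DKIM setup, IAM persistence, and finally the "Java_Ghost" security group. The following added example (my code, not Unit 42's or the page's) groups constructed CloudTrail records by the access key that issued them and flags keys that progress through several stages or leave the calling card. The sample log lines and key IDs are constructed; CreateAccessKey, CreateRole and UpdateAssumeRolePolicy are my additions as the IAM calls behind the SMTP credentials and trust-policy roles the text describes, and the two-stage threshold is an assumption to tune.

```python
import json
from collections import defaultdict

# CloudTrail eventNames mapped to the phase of the intrusion they belong to.
# CreateAccessKey, CreateRole and UpdateAssumeRolePolicy are assumptions added
# here; the remaining names are those the report cites.
STAGE_EVENTS = {
    "recon":       {"GetSendQuota", "GetServiceQuota"},
    "console":     {"GetFederationToken"},
    "ses_setup":   {"CreateEmailIdentity", "PutEmailIdentityDkimAttributes"},
    "persistence": {"CreateUser", "CreateAccessKey", "CreateRole",
                    "UpdateAssumeRolePolicy"},
}
CALLING_CARD_NAME = "Java_Ghost"
CALLING_CARD_DESC = "We Are There But Not Visible"

# Constructed sample CloudTrail records (JSON lines), trimmed to the fields used.
# The first key runs the whole chain; the second is a benign monitor that only
# reads the send quota and must not be flagged.
SAMPLE_LOG = """
{"eventTime":"2025-01-10T08:01:11Z","eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2025-01-10T08:01:30Z","eventSource":"servicequotas.amazonaws.com","eventName":"GetServiceQuota","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2025-01-10T08:02:05Z","eventSource":"sts.amazonaws.com","eventName":"GetFederationToken","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2025-01-10T08:10:42Z","eventSource":"ses.amazonaws.com","eventName":"CreateEmailIdentity","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"requestParameters":{"emailIdentity":"example.com"}}
{"eventTime":"2025-01-10T08:11:03Z","eventSource":"ses.amazonaws.com","eventName":"PutEmailIdentityDkimAttributes","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"requestParameters":{"emailIdentity":"example.com","signingEnabled":true}}
{"eventTime":"2025-01-10T08:15:27Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"requestParameters":{"userName":"backup-svc"}}
{"eventTime":"2025-01-10T08:20:00Z","eventSource":"ec2.amazonaws.com","eventName":"CreateSecurityGroup","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"requestParameters":{"groupName":"Java_Ghost","groupDescription":"We Are There But Not Visible","vpcId":"vpc-0123456789abcdef0"}}
{"eventTime":"2025-01-10T09:00:00Z","eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","userIdentity":{"type":"AssumedRole","accessKeyId":"ASIAEXAMPLEMONITOR01"},"sourceIPAddress":"10.0.4.7"}
"""


def load_records(text):
    """Parse JSON-lines CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _stage_of(event_name):
    for stage, names in STAGE_EVENTS.items():
        if event_name in names:
            return stage
    return None


def _is_calling_card(record):
    if record.get("eventName") != "CreateSecurityGroup":
        return False
    params = record.get("requestParameters") or {}
    return (params.get("groupName") == CALLING_CARD_NAME
            or params.get("groupDescription") == CALLING_CARD_DESC)


def summarize(records):
    """Group records by issuing access key and note which stages each touched."""
    summary = defaultdict(lambda: {"stages": set(), "calling_card": False,
                                   "long_term_key": False, "events": []})
    for rec in records:
        key = (rec.get("userIdentity") or {}).get("accessKeyId", "unknown")
        entry = summary[key]
        # Long-term IAM user keys start with AKIA; STS temporary keys with ASIA.
        if key.startswith("AKIA"):
            entry["long_term_key"] = True
        stage = _stage_of(rec.get("eventName", ""))
        if stage:
            entry["stages"].add(stage)
            entry["events"].append(rec["eventName"])
        if _is_calling_card(rec):
            entry["calling_card"] = True
            entry["events"].append("CreateSecurityGroup")
    return dict(summary)


def suspicious_keys(records, min_stages=2):
    """Keys that left the calling card or crossed at least min_stages distinct
    stages; recon on its own is routine for monitoring tooling."""
    flagged = {}
    for key, entry in summarize(records).items():
        if entry["calling_card"] or len(entry["stages"]) >= min_stages:
            flagged[key] = sorted(entry["stages"])
    return flagged


if __name__ == "__main__":
    for key, stages in suspicious_keys(load_records(SAMPLE_LOG)).items():
        print(f"{key}: {', '.join(stages)}")
```

Grouping by access key rather than by user matters here: after GetFederationToken the later calls arrive under a federated session, so a production version should also fold in `userIdentity.sessionContext.sessionIssuer` to tie the session back to the originating IAM user. The management events above are logged by CloudTrail by default; actual message sending is not, which is the SES data-event gap the report points to.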

Organizations can mitigate these threats by enforcing least-privilege IAM policies, replacing long-term access keys with short-lived credentials and rotating any that remain, and enabling multi-factor authentication (MFA). Because the group's backdoor roles and IAM users survive key rotation, incident response must also audit IAM users, access keys and role trust policies created or changed during the intrusion, not just revoke the leaked key.

Advanced monitoring tools like Palo Alto Networks’ Cortex XSIAM can detect suspicious activities such as unauthorized IAM user creation or SES abuse.

Enhanced logging configurations for SES data events are also crucial for identifying malicious email activity.

JavaGhost’s evolving tactics highlight the critical need for robust cloud security measures to prevent unauthorized access and exploitation of cloud services.
