
Who:
TGR-UNK-0011 (linked to JavaGhost), a cybercriminal group active since 2019, originally focused on website defacement but pivoted to phishing in 2022 for financial gain.
What:
The attackers exploit AWS misconfigurations, not vulnerabilities, that leave access keys exposed.
They use Amazon Simple Email Service (SES) and WorkMail to send phishing emails from legitimate sources, bypassing email security measures.
Attackers create IAM users for persistence, generate temporary credentials, and use obfuscation tactics to evade detection.
Impact:
Organizations face unauthorized AWS access, phishing attacks, and potential financial and reputational damage.
Threat actors maintain long-term access through unused IAM users and trust policies.
The group leaves a “calling card” by creating empty security groups named Java_Ghost, signaling their presence while remaining hidden.
🔍 Takeaway: Secure AWS environments by protecting access keys, auditing IAM configurations, and monitoring CloudTrail logs for suspicious activity.
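A CloudTrail triage pass for the behaviours listed above, as an added example (not code from the article or from AWS). The security group name Java_Ghost comes from this brief; the mapping of CloudTrail event names to those behaviours, the account ID, user names and key IDs are assumptions constructed for the illustration.

```python
CALLING_CARD = "Java_Ghost"  # security group name reported in this brief

# eventSource/eventName pairs mapped to behaviours the brief lists.
# This mapping is an assumption of the example, not taken from the article.
WATCHED = {
    ("iam.amazonaws.com", "CreateUser"): "new IAM user (possible persistence)",
    ("sts.amazonaws.com", "GetFederationToken"): "temporary credentials issued",
}

def triage(events, expected_admins=frozenset()):
    """Return (severity, accessKeyId, principal ARN, reason) per suspicious record."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity") or {}
        arn, key = ident.get("arn", "?"), ident.get("accessKeyId", "?")
        params = ev.get("requestParameters") or {}  # null on many read-only calls
        pair = (ev.get("eventSource"), ev.get("eventName"))
        if (pair == ("ec2.amazonaws.com", "CreateSecurityGroup")
                and params.get("groupName") == CALLING_CARD):
            findings.append(("high", key, arn, "calling-card security group created"))
        elif (pair in WATCHED and ident.get("type") == "IAMUser"
                and arn not in expected_admins):
            # Long-term IAM user key doing identity work outside the admin allowlist.
            findings.append(("medium", key, arn, WATCHED[pair]))
    return findings

def keys_to_review(findings):
    """Access key IDs behind any finding: candidates for rotation and audit."""
    return sorted({key for _, key, _, _ in findings if key != "?"})

def _rec(user, key, source, name, params=None):
    # Builds a minimal CloudTrail-shaped record; all values are constructed.
    return {"eventSource": source, "eventName": name, "requestParameters": params,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                             "arn": f"arn:aws:iam::111122223333:user/{user}"}}

ADMIN = "arn:aws:iam::111122223333:user/alice-admin"
SAMPLE = [  # constructed sample records, not real log data
    _rec("ci-deploy", "AKIACONSTRUCTED00001", "sts.amazonaws.com", "GetCallerIdentity"),
    _rec("app-mailer", "AKIACONSTRUCTED00002", "iam.amazonaws.com", "CreateUser", {"userName": "svc-backup"}),
    _rec("app-mailer", "AKIACONSTRUCTED00002", "sts.amazonaws.com", "GetFederationToken", {"name": "tmp"}),
    _rec("app-mailer", "AKIACONSTRUCTED00002", "ec2.amazonaws.com", "CreateSecurityGroup", {"groupName": "Java_Ghost"}),
    _rec("alice-admin", "AKIACONSTRUCTED00003", "iam.amazonaws.com", "CreateUser", {"userName": "new-hire"}),
    _rec("ci-deploy", "AKIACONSTRUCTED00001", "ec2.amazonaws.com", "CreateSecurityGroup", {"groupName": "web-sg"}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, expected_admins={ADMIN}):
        print(*finding, sep=" | ")
```

Passing an allowlist of expected administrator ARNs keeps routine user creation out of the results, so the key IDs returned by keys_to_review point at the credentials to rotate first.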