Palo Alto Networks' threat intelligence team, Unit 42, has profiled JavaGhost, a threat actor group that has moved on from website defacement to running sustained phishing campaigns out of compromised AWS environments.

Active since at least 2022, the group abuses victims' Amazon Simple Email Service (SES) and WorkMail to send phishing messages, relying on overly permissive AWS Identity and Access Management (IAM) policies attached to the credentials it obtains. The approach works because the mail originates from the AWS infrastructure of legitimate businesses: it carries the victim's sending reputation and domain, so it is far more likely to pass the recipients' email security controls than mail from attacker-owned infrastructure.

Through 2024 the group has steadily refined its tradecraft, adding evasion techniques intended to reduce its footprint in CloudTrail logs, a tactic the Scattered Spider threat group has also used. Initial access is usually gained through exposed long-term access keys (the AKIA-prefixed key pairs) belonging to IAM users.

To avoid detection, JavaGhost deliberately does not call sts:GetCallerIdentity on first use of a stolen key, the call most attackers make and most detection rules watch for. Instead, it validates the key with lower-profile calls such as GetServiceQuota (Service Quotas), GetSendQuota (SES) and GetAccount (SES), which also tell it whether the account can send mail. These calls are still recorded in CloudTrail as management events, so a detection that alerts on a long-term key whose first observed call is anything other than the expected baseline, rather than on GetCallerIdentity alone, will catch them.

Unit 42 also found that JavaGhost uses a multi-step procedure to obscure its activity further: it calls the STS GetFederationToken API with the stolen long-term key to mint temporary credentials, then exchanges those credentials through the getSigninToken action of the AWS sign-in federation endpoint to obtain a console login URL. Actions taken through that console session are attributed in CloudTrail to a federated user rather than directly to the compromised IAM user.
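The following is an added detection example for the two behaviours described above (low-profile validation calls as a key's first activity, and a GetFederationToken call followed by a federated console login); it is not code from Unit 42 or from the article. The CloudTrail records are constructed for the example, the field names follow CloudTrail's documented record schema, and correlating the temporary key in `responseElements.credentials.accessKeyId` with `userIdentity.accessKeyId` on the later ConsoleLogin event is an assumption about how the two records line up in a real trail.

```python
"""Hunt for JavaGhost-style patterns in CloudTrail records (constructed sample data).

Detection 1: a long-term IAM user key (AKIA...) whose first observed call is one of
             the quiet validation calls rather than sts:GetCallerIdentity.
Detection 2: sts:GetFederationToken whose minted temporary key (ASIA...) is then
             used for a console sign-in as a FederatedUser within a short window.
"""
from datetime import datetime, timedelta

LOW_PROFILE_PROBES = {"GetServiceQuota", "GetSendQuota", "GetAccount"}

# Constructed records, trimmed to the fields the detections use. Not real logs.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "admin-alice",
                      "accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventTime": "2024-05-01T09:00:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "admin-alice",
                      "accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "servicequotas.amazonaws.com",
     "eventName": "GetServiceQuota",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"},
     # STS returns the temporary key it minted; we use it to link later events.
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEKEY000001"}}},
    {"eventTime": "2024-05-01T10:02:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     # Assumption: the federated console session is logged with the temporary key.
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/ops",
                      "accessKeyId": "ASIAEXAMPLEKEY000001"}},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def first_call_by_key(events):
    """Map each long-term (AKIA) access key to the first eventName it was seen making."""
    first = {}
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        key = ev["userIdentity"].get("accessKeyId", "")
        if key.startswith("AKIA") and key not in first:
            first[key] = ev["eventName"]
    return first


def suspicious_first_calls(events):
    """Long-term keys whose first observed call is one of the low-profile probes."""
    return sorted(k for k, name in first_call_by_key(events).items()
                  if name in LOW_PROFILE_PROBES)


def federation_console_chains(events, window=timedelta(minutes=15)):
    """Return (issuing long-term key, temporary key, login time) for every
    GetFederationToken whose minted key performs a FederatedUser ConsoleLogin
    within `window` of being issued."""
    ordered = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    minted = {}  # temporary key -> (issuing key, issue time)
    for ev in ordered:
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "GetFederationToken":
            creds = (ev.get("responseElements") or {}).get("credentials") or {}
            if creds.get("accessKeyId"):
                minted[creds["accessKeyId"]] = (ev["userIdentity"].get("accessKeyId"),
                                                parse_time(ev["eventTime"]))
    chains = []
    for ev in ordered:
        ident = ev["userIdentity"]
        if ev["eventName"] == "ConsoleLogin" and ident.get("type") == "FederatedUser":
            tmp = ident.get("accessKeyId")
            if tmp in minted:
                issuer, issued = minted[tmp]
                login_at = parse_time(ev["eventTime"])
                if timedelta(0) <= login_at - issued <= window:
                    chains.append((issuer, tmp, ev["eventTime"]))
    return chains


if __name__ == "__main__":
    print("keys validated via low-profile probes:", suspicious_first_calls(SAMPLE_EVENTS))
    print("federation -> console chains:", federation_console_chains(SAMPLE_EVENTS))
```

In production the first-call baseline should be computed per key over the key's whole history (a key created years ago has a long-established first call) and the federation check should also flag GetFederationToken from identities that have no business minting console sessions; both detections are cheap to run as CloudTrail Lake or SIEM queries because they key on eventName and userIdentity fields that every record carries.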